All I Want To Do Is Zoom-a-Zoom-Zoom-Zoom, Carefully: Confidentiality and Privilege Traps for Attorneys.

All I Want To Do Is Zoom-a-Zoom-Zoom-Zoom, Carefully: Confidentiality and Privilege Traps for Attorneys.

In the last two weeks, Zoom has abruptly rescued many of us from social isolation by providing a relatively easy to use web-based video platform that facilitates digital face-to-face interaction.[1]  Zoom’s daily active users has skyrocketed by 67% since January 1, 2020, in direct correlation to the spread of COVID-19.[2]  That is almost three million new users totaling 13 million active users in the month of February.[3]  The short-term emergency measures governments have taken in response to COVID-19 have driven people to use Zoom for business meetings,[4] happy hours,[5] speed-dating,[6] school recess,[7] law school lectures,[8] and doctor visits.[9]  Just last Friday, I “accompanied” my daughter on our first Zoom doctor visit, and it wasn’t bad—zero wait time! 

But beneficial technological advancements are often accompanied by unintended applications and abuses.  For example, Zoombombing—the recently coined phenomenon that refers to the unwanted intrusion of an individual into a Zoom conference—has “exploded” onto many Zoom conferences with anonymous users posting pornographic images, racist content, and other generally undesired buffoonery.[10]  Hackers pose the threat of intruding on Zoom conferences and mining Zoom-stored data.[11]  During a recent Los Angeles City Council Zoom conference, an anonymous participant posted pornographic content.[12]  The city council had to take a 20 minute break to look into their Zoom settings and figure out how to disable participants from having video access. 

So as Zoom and other similar apps become the lifeblood of our professional and personal social interactions in the months to come, legal professionals and their clients must proactively work toward understanding how the use of Zoom might impact confidentiality and privilege.  Zoom’s privacy policy is a good starting point.[13]  Zoom purports to be compliant with the European Union’s GDPR, California’s California Consumer Privacy Act, and other federal and international privacy laws—but Zoom stills collects your data, such as a Zoom “user’s IP address and OS and device details,” location, settings and preferences, and metadata that include e-mail addresses, meeting participant names, and call data records, among other personal identifying data.[14]  Zoom even has a proprietary paid service for healthcare providers to conduct medical exams via Zoom, and certifies that it is HIPAA compliant.[15]  The Director of the Financial Industry Regulatory Authority (“FINRA”), Raj Pillai, stated that FINRA uses Zoom exclusively for hearings and intra-organization meetings because it fits with the regulatory-organization’s security profile.[16]  But is all of this truly sufficient to preserve client confidentiality and attorney-client privilege? 

Attorneys must be vigilant about preserving the attorney-client privilege, which protects confidential legal communications between attorney and client.[17]  That privilege does not extend to communications with third persons “other than those who are present to further the interest of the client in the consultation or those to whom disclosure is reasonably necessary for the transmission of the information or the accomplishment of the purpose for which the lawyer is consulted, and includes a legal opinion formed and the advice given by the lawyer in the course of that relationship.”[18]  Crucially and dangerously, this privilege may be waived by imprudent communications.  For example, “if any holder of the privilege, without coercion, has disclosed a significant part of the communication or has consented to disclosure made by anyone.  Consent to disclosure is manifested by any statement or other conduct of the holder of the privilege indicating consent to the disclosure.”[19]  Moreover, the privilege only protects communications made in confidence.[20]  But the “duty of confidentiality is broader than the attorney-client privilege.”[21]  Attorneys have a duty to keep client information confidential.[22]  That requires making “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Nevertheless, both are implicated when such communications are transferred and stored on a third-party database such as Zoom.[23] 

Zoom’s policy states that it collects what it labels “customer content,” or “the content contained in cloud recordings, and instant messages, files, whiteboards . . . shared while using the service.”[24]  The “customer content” are the videos, automatically generated transcripts of those videos, any documents shared on the screen, and the names of Zoom participants, regardless of whether you have a Zoom account.[25]  Further, the electronic and written record would balloon, creating a larger record for potential challenges to privilege down the road. 

How can an attorney reconcile protecting privilege from inadvertent waiver through confidential communications via Zoom and maintaining confidentiality with the fact that Zoom collects and stores Zoom communications, and the risk that  Zoom conferences are susceptible to unwanted intrusions?  In California for example, “[w]hether an attorney violates his or her duties of confidentiality . . . when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding its use.”[26]  And because the duty of confidentiality is broader than the attorney-client privilege, attorneys must take responsibility by learning Zoom’s functionality and security settings and taking control of Zoom meetings in order to safeguard confidentiality and in turn protect privilege.[27] 

Always be the host of any Zoom meetings that might involve confidential information, because the host gets to control the settings.  And if you are in control of the settings then you can at least rest assure that you took the following reasonable steps to ensure client confidentiality and let’s face it, lawyers insist on being in control anyway.  First, do not record your meetings and do not enable automatic transcription and annotation of your meetings.[28]  Do not generate a record over which you very likely do not have complete control.  Reserve these cool Zoom features for nonlawyers and personal business.  Instead, take notes with a quill and parchment like the partners at your firm insist you do anyway—okay Zoomer?  Second, avoid using your Personal Meeting ID (“PMI”), because a “PMI is basically one continuous meeting and you don’t want randos crashing your personal virtual space after the party’s over.”[29]  Third, generate a random meeting ID for every single meeting.[30]  Fourth, lock your meetings.[31]  Would you leave your office doors open with a sign that says come in off the street and join us as we discuss sensitive client matters?  Finally, set your Zoom settings to disable screenshotting your meetings.[32]  After all, “reasonable care may call for the lawyer to stay abreast of technological advances and potential risks,” and “understanding relevant technology’s benefits and risks has been recognized as a requirement of lawyer competence.”[33] 

But be careful how far you dive into Zoom’s settings to safeguard confidentiality and protect inadvertent waiver of attorney-client privilege, there are a few features in Zoom that you might not want to share with everyone in your office.[34]  Finally, we are fortunate as lawyers to be able to effectively carry out vital aspects of our jobs helping clients via Zoom, a large portion of the workforce simply cannot rely on Zoom to do the same, so let’s work hard to get it right.[35] 


[1]  https://www.latimes.com/california/story/2020-03-22/school-closure-learning-disparities (“Some [students] don’t have computers and others are without internet access.  One student can only open assignments on her father’s phone when he gets home from work.”).

[2] https://blog.apptopia.com/covid-19s-impact-on-consumer-and-business-behavior.

[3] https://www.cnbc.com/2020/02/26/zoom-has-added-more-users-so-far-this-year-than-in-2019-bernstein.html.

[4] https://www.cnbc.com/2020/03/18/zoom-cfo-explains-how-the-company-is-grappling-with-increased-demand.html.

[5] https://www.forbes.com/sites/alywalansky/2020/03/26/virtual-happy-hours-are-the-new-way-to-go-out-heres-how-to-plan-a-great-one/#4227c9542a34.

[6] https://www.eventbrite.com/e/zoom-speed-dating-women-37-47-men-39-49-tickets-88077252433.

[7] https://www.nytimes.com/2020/03/17/style/zoom-parties-coronavirus-memes.html.

[8] https://abovethelaw.com/2020/03/youre-all-attending-zoom-school-of-law-now-show-your-pride/.

[9] https://www.nytimes.com/2020/03/11/health/telemedicine-coronavirus.html.

[10] https://www.insidehighered.com/news/2020/03/26/zoombombers-disrupt-online-classes-racist-pornographic-content.

[11] https://threatpost.com/zoom-scrutinized-as-security-woes-mount/154305/ (Zoom “communicates with IPs in the US, China, India, and Germany.”); https://www.cnbc.com/2019/03/26/zoom-key-profit-driver-ahead-of-ipo-engineers-in-china.html (“Despite its cost benefits, Zoom’s presence in China could also pose a security risk going forward.”). 

[12] https://www.mercurynews.com/2020/03/27/pranksterss-x-rated-videos-force-la-city-council-to-pause-zoom-meeting-amid-coronavirus-outbreak/.

[13] https://zoom.us/privacy.

[14] Id.

[15] https://zoom.us/healthcare.

[16] https://zoom.us/customer/business.

[17] Evid. Code §§ 954, 953 (the client is the holder of the attorney-client privilege), 955 (the attorney may also “claim the privilege whenever he [or she] is present when the communication is sought to be disclosed and is authorized to claim the privilege.”); see also Fed. R. Evid. § 502. 

[18] Evid. Code § 952.

[19] Evid. Code § 912(a). 

[20] Fed. R. Evid. § 502(g). 

[21] Dietz v. Meisenheimer & Herron, 177 Cal. App. 4th 771, 786 (Ct. App. 2009) (citation omitted).

[22] Model Rules, Rule 1.6; Cal. Rules of Prof. Conduct, Rule 1.6; see also Bus. & Prof. Code § 6068(e)(1). 

[23] “When a lawyer turns client information over to a cloud service provider, Model Rules 1.1, 1.6, 1.15 and 5.3 are among the rules implicated.”  See Louise Lark Hill, Cloud Nine or Cloud Nein? Cloud Computing and Its Impact on Lawyers’ Ethical Obligations and Privileged Communications, Prof. Law., 2013, at 109, 115.

[24] Supra note 13. 

[25] https://support.zoom.us/hc/en-us/articles/115004794983-Automatically-Transcribe-Cloud-Recordings-.

[26] Cal. Formal Ethics Op. 2010-179 (2010) (holding that inadvertent production of otherwise privileged documents did not waive the privilege).

[27] Model Rules, Rule 1.6(c) (“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure.”); Fed. R. Evid. 502(b)(2) (“the holder of the privilege or protection took reasonable steps to prevent disclosure”); Ardon v. City of Los Angeles, 62 Cal. 4th 1176, 1191 (2016).

[28] https://support.zoom.us/hc/en-us/articles/115005706806-Using-annotation-tools-on-a-shared-screen-or-whiteboard?zcid=1231&_ga=2.192552616.309741066.1584962366-1130343218.1583928558.

[29] https://blog.zoom.us/wordpress/2020/03/20/keep-the-party-crashers-from-crashing-your-zoom-event/.

[30] https://www.youtube.com/watch?v=XhZW3iyXV9U&feature=youtu.be&t=27]

[31] https://support.zoom.us/hc/en-us/articles/201362603-Host-and-Co-Host-Controls-in-a-Meeting?zcid=1231.

[32] https://support.zoom.us/hc/en-us/articles/115005759423?zcid=1231&_ga=2.254562570.309741066.1584962366-1130343218.1583928558.

[33] Supra note 23 at p. 115 (citations and internal quotation marks omitted). 

[34] https://support.zoom.us/hc/en-us/articles/115000538083-Attendee-attention-tracking.

[35] https://www.latimes.com/california/story/2020-04-01/california-farmworkers-coronavirus?fbclid=IwAR2Kl4m__WLQPrTUexS7-ivDsAY4pr0wecOqdFHEL0vwYUxMyPCN9d_Q1QQ.

Dalmacio Posadas

Dalmacio V. Posadas, Jr. was active in the Los Angeles music scene before becoming an Associate at Brown White & Osborn. He may or may not be working on a new album.