The number of daily meeting participants in Zoom jumped from 10 million in January to 300 million in April, a nearly 3000% increase in three months. It is evident from these numbers that Zoom usage has increased exponentially as companies have had to shift to a new way of working. As with any electronic data, any new source of data a company is using must be carefully considered in terms of retention policies and potential legal obligations.
The use of Zoom as a business communication tool was likely implemented quickly and without enough time to consider all the potential eDiscovery implications. Consider Zoom as a new source of electronic data, like mobile phones, or Slack, or social media. It is important to understand what kind of data is being created and how that data should be handled. Additionally, because Zoom allows individual users to record meetings, the location of the data can also become very important. The bottom line is that Zoom is creating discoverable data. The goal of this article is to advise on the potential eDiscovery issues that could arise if a comprehensive and clear policy around the use of Zoom is not created and implemented now.
Zoom Meetings that Are Not RecordedMost companies can clearly see data containment issues if video is being preserved. But what if a Zoom meeting is not recorded? It is important to understand what types of records are being created when the meetings are not recorded to understand how it could impact discovery obligations in the future. Any time that a zoom meeting occurs, Zoom retains a record of that meeting. As a basic user, you can view under the Meetings tab, a record of every Zoom meeting that you have scheduled or attended. The information contained on that tab includes the date, time, meeting ID, and title of the meeting. This area also allows the individual user to delete a meeting from their history. From a discovery and collection perspective, this information would be both hard to collect and not substantively very useful.
Administrators and owners of the account, however, have much deeper visibility into their organization’s usage of the platform. An administrator can view monthly reports on every Zoom meeting that has occurred, regardless of whether the meeting was recorded. Under the Reports tab, and then under Usage Reports, the Administrator can view and export daily usage reports that identify the number of new users, meetings, participants, and total of meeting minutes for each day. They can also drill down further for reports on their Active hosts and export a meeting report for any 30-day period of all the meetings that an organization has conducted over Zoom.
On this report is some particularly valuable information including the topic of the meeting, meeting ID, the user who set up the meeting, the email of that user, department, group, creation of the meeting time, start and end time of the meeting, duration of the meeting, the name and email addresses of the attendees, join time and leave time for each participant, along with duration. Administrators are also able to export reports about inactive users, upcoming events, meeting registration or poll reports, and an overview of the cloud recording storage capacity. These reports can be retrieved for the previous twelve months limited by a 30-day search range. The reports are exported as CSVs. The only way for an administrator or owner to delete the usage activity is to delete the user. Deleting a user will permanently remove the user, including their meetings and recordings from Zoom.
Although the information that is retained for non-recorded meetings is not as expansive as a recorded meeting would be, there are many situations in which the failure to retain this data could run counter to preservation obligations. Federal and most local rules of civil procedure allow discovery regarding any non-privileged information relevant and proportional to the needs of the case. Depending on the litigation, a spreadsheet outlining that certain people were attending certain meetings on certain dates could be relevant. Companies need to be cognizant of the way this information is being maintained, saved, and collected to ensure they can comply with discovery obligations later.
Zoom Meetings that Are RecordedZoom also allows for the recording of meetings, either locally to the computer or to the cloud. When a meeting is recorded, the following files are created: MP4 video file; M4A audio file; and a txt file of any chats that occurred during the meeting. Zoom also offers the ability to transcribe the meetings so you have a text record of what was said during the meeting. If you enable the audio transcript option under Cloud Recording, Zoom will automatically transcribe the audio of the meeting and include a separate .vtt text file. In addition to the data preserved for any meeting outlined above, these are additional data sources created by the Zoom meetings that are recorded. Zoom will retain the cloud recordings, including the files listed above, until the storage capacity of the account is exceeded. Administrators can access and preserve any cloud stored meetings. These meetings are located under the Account Management, Recording Management area of the Administrator profile. However, the administrator can only access the recordings that have been stored to the cloud.
Depending on the account settings, as determined by the administrator or owner of the account, individual users or participants are also able to locally store recorded copies of their meetings. This means that anyone who attends a meeting can keep a permanent copy of the meeting’s audio, video, and chat. From a discovery perspective, this is a data mapping nightmare. If you have a company with 50 people who are using Zoom on a daily basis to conduct business, and each one of those people is recording all their meetings locally, there are now 50 locations that could contain discoverable data. Picture the costs associated with collecting 50 different people’s local zoom recordings folder from their work or personal computer?
Companies should be proactively thinking about what types of meetings need to be recorded and providing constructive guidance to their employees. There are industries where there is a legal obligation to record transactions such as banking and publicly traded companies. There are industries where recording communications with clients can turn into an ethical morass, such as law firms or in-house counsel at a corporation. Obviously, there is no one size fits all approach to the duty to record or not. Another area to consider is whether you have employees that despite retention and compliance policies are still creating unauthorized recordings. If your company gets sued, and those recordings fall under the relevance and proportionality rules, how are you going to locate and preserve that information?
The major question that should be considered and outlined clearly in policies is the types of meetings that should be recorded. The second is when or if you should delete these recordings. If you hold a Zoom meeting where senior leadership is discussing the termination of an employee that could potentially turn litigious, are you under an obligation to record that because there is a reasonable anticipation of litigation and the duty to preserve applies? There is no clear-cut answer to that question as these cases have not yet been litigated. However, companies should be carefully considering how, when, and why they deploy the recording function.
From an eDiscovery perspective, the Zoom recordings create an expensive proposition. Consider the example outlined above, if you have 50 relevant recordings and they are all located on each person’s individual computer, the company must then go and collect and process all of these files into a platform so they can review. Video and audio files typically are very large file sizes which makes the hosting of this data expensive. Complicating matters further, if a user does not opt for a transcript of the meeting, the video and audio files require significant customization to be searchable. How will a company know if a specific meeting is subject to a legal hold if you can’t text search the content of that meeting?
Best Practices and ConsiderationsNext, we want to outline some best practices and considerations surrounding the use of Zoom in a business context. Companies should, if they have not already, be drafting and implementing policies regarding the usage of Zoom. These policies should encompass when and how Zoom should be used, when the meetings should be recorded, and where the recordings should be stored. Companies should also be authorizing the Zoom administrators to create system wide permission settings to ensure that the data they retain is contained in one central repository. Employees should not be able to save locally, rather a universal save to the cloud requirement should be enforced. An administrator can enforce company-wide objectives for all users that require how and when they record and where that recording is stored. As administrators can also delete recordings on the cloud, they should be provided with clear instruction of what should be saved and what can be deleted. This way companies can easily identify and collect potentially discoverable information.
Administrators should be cognizant of the timelines for deletion previously outlined, and ensure they download any available reports or recordings monthly. They should also be aware of the storage capacity in Zoom so potentially relevant data is not accidentally lost. It would also be beneficial for companies to create an audit log for meetings that occur and ensure that employees update continuously. The audit log would contain the date, time, attendees, and what was discussed. Adding transcription to recorded meetings will also make the information far more searchable and functionally useable in the future.
As we have outlined, there are many business decisions that must be developed around the use of Zoom to collaborate. Companies should be proactively providing guidance to their workforce around the use of these types of applications. We can provide further guidance on best practices.
Be Sure to Follow Me for the Latest Content and Subscribe For the Latest Acorn Insights!