How do I secure and maintain privacy in a remote access mediation?

How do I secure and maintain privacy in a remote access mediation?

Produced in partnership with Chris Fitton, mediator of IPOS Mediation

Keeping your mediation discussions confidential is of course extremely important, not just from disclosure to the other side but also confidential from third parties. Here are some tips on how that risk can be controlled in video conference (VC) mediations: 

Controlling who attends the VC mediation:

• have a meeting passcode—one-click meeting invitations can be copied to third parties, so having a meeting passcode adds a layer of authentication. Requiring a passcode is a setting enabled by the host, usually the mediator

• use the ‘waiting room’—if the VC platform allows it, the host may enable a so-called waiting room function, which ‘holds’ meeting invitees in a separate space before he/she admits them individually to the meeting proper

• lock the meeting—after the host has started a VC session, he/she can lock the meeting, such that newcomers are unable to join late even if they have the invite and passcode

• mute or remove participants—the host can centrally manage all participants, so if an uninvited guest somehow got into the meeting, he/she can easily be muted for the remainder of that meeting or expelled

• disable participant privileges—functions like screenshare, whiteboard annotation, personal virtual backgrounds and chat can all be disabled by the host, if considered a threat to privacy. For obvious reasons, locking meetings, muting or removing participants and disabling participant privileges are only likely to be relevant for public/large meetings, rather than VC mediations

• hidden attendees and secret recordings—because participants in a VC mediation control which way their webcams point there is a risk they may have someone else in the room, whose ability to see/overhea  the mediation has not been disclosed or consented to. There is also a risk (present at in-person mediations too) that the discussions are being recorded without disclosure or consent. Although the recording function within the VC platform will have been disabled by the mediator, that will not preclude covert recording by an attendee at home, perhaps using an out-of-shot iPhone. In practice, it will be impossible to manage these risks beyond ensuring the mediation agreement makes clear such behaviours would be a breach, and ensure the mediator and lawyers emphasise that to clients/other attendees. Parties may take some small comfort from the likelihood that what is overheard or secretly recorded will be caught by without prejudice privilege or be otherwise inadmissible in the present (or any other) court proceedings


Security and privacy


This is a complex area. By way of high-level summary:


The standards to which data (including the video, audio and chat streams, and other data, such as shared documents) are protected depends on the respective VC platform provider, and there is little individual users can do to alter that, other than avoid using that platform. The result is that law firm IT departments must decide for themselves whether or not a particular platform is sufficiently secure, doing their own risk management assessment and research. As a minimum, they should have regard to the UK National Cyber Security Centre’s Cloud Security Guidance and SaaS Security Principles, requiring, among many other matters, compliance with TLS1.2.


‘End-to-end encryption’ means data is encrypted in transit and can be decrypted only by the meeting participants. This can usually only be guaranteed if the users are attending the mediation by using the respective app (whether downloaded onto his/her desktop or mobile device), rather than, for example, calling into a meeting with a standard phone line or third party conferencing hardware (where the link from the device to the VC platform provider’s system is out of that provider’s control). To reduce part of the risk at least, it may be prudent to have VC mediation attendees join only via the downloaded desktop client or mobile app.


Law firm compliance officers will want to check the VC provider’s privacy policy to understand, for example, who the provider shares their/their clients’ personal information with and how it complies with Regulation (EU) 2016/679, General Data Protection Regulation (GDPR) (including when it comes to the geographical location of the VC provider’s data centres). It may be possible to have some control over this—for example, the VC provider Zoom now allows hosts to direct that data in their calls is not processed at data centres located in, for example, China.


Related Articles:
Latest Articles: