The Federal Trade Commission (FTC) on November 9, 2020  settled with Zoom Video Communications, Inc. (Zoom) over the company's problematic approach to cybersecurity dating back to at least 2016. The FTC settlement provide a useful roadmap for other companies, established ones and start-ups, to avoid running into issues with the FTC or other government regulators. As part of the settlement, the FTC is requiring Zoom to establish and implement a comprehensive security program, correct misrepresentations about its privacy and security practices, enlist an independent third party to conduct biennial security program assessments, and notify the FTC if it experiences a data breach. The data security requirements in the settlement, discussed below, scope a roadmap to implement reasonable data security practices and avoid costly government investigations.

A False Sense of Security

Between December 2019 and April 2020, the number of daily Zoom meeting participants exploded from 10 million to 300 million, and many people and companies now use Zoom to conduct business meetings and discuss sensitive financial and trade information. In response to the COVID-19 pandemic, Zoom is also used to conduct online learning, telehealth sessions, and substance abuse group therapy in which participants often discuss sensitive information.

In its complaint, the FTC alleged that Zoom gave users a false sense of security around sensitive information by repeatedly claiming on its website, applications, and in other publications that it deployed end-to-end, 256-bit encryption to secure live meetings and store recorded meetings, when it actually failed to implement end-to-end encryption, used a lower (128-bit) encryption level, and left meetings stored unencrypted on its servers for up to 60 days. (End-to-end encryption means only the sender and the recipient can read the data transmitted. Without it, platform providers like Zoom can read the transmitted content, too.) The FTC also cited several other key security failures, including Zoom's failure to:  

  • train employees on secure software development;
  • test, audit, assess, or review its applications for security vulnerabilities;
  • monitor service providers who have access to its network;
  • secure remote access to its networks and systems through multi-factor authentication;
  • safeguard against anomalous activity and/or cybersecurity events;
  • implement systematic incident response procedures;
  • implement a systematic process for inventorying, classifying, and deleting user data stored on its network; and
  • timely patch software in its commercial environment.

The FTC also alleged that Zoom secretly installed the "ZoomOpener" software, which circumvented an Apple Safari browser safeguard that protected Mac users from common types of malware. According to the complaint, the software remained even after users deleted the Zoom app and would frequently reinstall without user action. The FTC deemed this practice "deceptive" because Zoom did not disclose that an application update would install the ZoomOpener and circumvent this safeguard.

The Settlement

To remedy its past security failures, Zoom must implement a robust information security program, hire an independent third party to perform biennial assessments of the company's practices, and annually report to the FTC its compliance efforts in detail. Although these settlement requirements are common, Zoom has specific requirements with respect to the information security program that are less typical. For example, Zoom must implement a security review by Zoom Security Personnel of all new software or software updates prior to release; consult with, and seek guidance from, independent, third-party experts on data protection when updating the program; and develop policies and procedures that will determine whether new software or software updates are inherently designed to circumvent or bypass third-party security features (such as the Apple Safari browser feature Zoom circumvented with the "ZoomOpener" software). The settlement order is effective for twenty (20) years.

"An Unfortunate Formula"

Two dissenting Commissioners—Rohit Chopra and Rebecca Kelly Slaughter—argued the settlement order did not adequately remedy the harm posed to consumers. In his  dissenting opinion, Commr. Chopra called the settlement part of "an unfortunate FTC formula" that provides no help for affected users, and he called on his fellow Commissioners to "change course." He specifically pointed to the FTC's duty to limit a company's temptation to deceive, a temptation which is even stronger in the midst of a pandemic, as companies in the videoconferencing space compete within "a potential gold mine." Asserting that Zoom "cashed in" on the pandemic and that they received a "windfall," Commr. Chopra argued that emerging tech giants shouldn't "expand[] their empires through deception," and he called on the FTC to restore its credibility as a law enforcement agency by taking steps such as strengthening orders to emphasize help for consumers and small businesses, diversify FTC investigative teams to increase technical rigor, and restate existing legal precedent into clear rules of the road and trigger monetary remedies for violations.

Commr. Slaughter joined Commr. Chopra's call to reimagine the FTC's investigatory and enforcement powers, but she also highlighted a clear distinction between data security and privacy concerns and claimed that Zoom should be accountable for violating consumer privacy, too. She pointed out that the settlement does not even mention consumer privacy and cited the majority's failure to understand that "the reason customers care about security measures . . . is that they value their privacy."

The two dissenting opinions are noteworthy because each reflects a common perception that FTC settlement orders amount to little more than a paper exercise for companies who have allegedly committed serious violations of consumer privacy and data security. But with two FTC Commissioners publicly criticizing the FTC's formulaic enforcement actions, this perception has been made explicit by those tasked with penalizing deceptive companies, and it may bode more active enforcement in 2021. And with California recently passing a comprehensive consumer privacy law (and with politicians on both sides of the aisle introducing draft legislation for a federal consumer privacy law over the last year), companies should recognize the changing ethos toward data security in privacy in all industries.

Key Takeaways

For start-ups rapidly building software and launching applications, data security and privacy must be a priority from the outset. Developing complex security infrastructure to protect both the products and the consumers may seem too costly at the beginning for some companies starting on shoestring budgets, but failing to do so early on could cost you even more money down the road—a lesson Zoom learned the hard way. Here are five key takeaways from the Zoom settlement for companies in the early stages of their development:  

  1. Foster a culture that prioritizes data security and privacy. A robust data security and privacy program is not only about the technology; it requires trained employees who understand and appreciate the importance of data protection and consumer privacy.
  1. Implement privacy by design.  "Privacy by design" means that all elements of your company—from information technology to human resources—is built with data security and privacy at their core.
  1. Develop a tested incident response plan.  Even the strongest technical security measures fail. Ensure key stakeholders are well-versed in the short- and long-term procedures to respond to and mitigate the harm of a security incident.
  1. Perform periodic risk assessments and penetration testing.  Risk assessments should be performed at least annually, and penetration testing should be performed as often as is reasonable for your company.
  1. Prioritize protecting high risk information systems.  After performing a data mapping exercise to determine what types of personal information your company collects and processes, try to implement the strongest technical security measures—such as multi-factor authentication, encryption at rest and in transit, and detection response—around those information systems.

Although implementing a security program and conducting biennial assessments for 20 years may seem like a slap on the wrist, consumer privacy is becoming a cherished—and, now, legally protected—principle, and it is reasonable to expect a change in FTC enforcement in light of the Zoom decision that many privacy advocates—and two FTC Commissioners—found inadequate.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.