On November 9, 2020, the United States Federal Trade Commission (FTC) announced that it had entered into a consent agreement, subject to final approval, with videoconferencing company Zoom Video Communications, Inc. (Zoom). The consent agreement settles allegations that Zoom engaged in a series of deceptive and unfair practices that undermined the security of its users. The Commission voted 3–2 to accept the settlement, with Commissioners Chopra and Slaughter voting no and issuing dissenting statements asserting that the FTC’s action did not go far enough.
While the FTC generally does not identify what triggers a law enforcement action, there have been many news articles and a number of class actions filed in connection with Zoom’s data-security practices over the past six months that likely led to this action.
According to the complaint accompanying the consent agreement, the number of daily Zoom meetings grew from approximately 10 million in December 2019 to 300 million in April 2020. Zoom allows users to have one-on-one and group meetings, and users can also chat with others in the meeting, share their screens, and record videoconferences, among other things. Given the sensitive information that is often shared during a Zoom meeting—such as financial information, health information, proprietary business information, and trade secrets—appropriate data security is critical.
According to the FTC’s complaint, Zoom made numerous prominent representations touting the strength of its privacy and security measures employed to protect users’ personal information. These representations included claims relating to end-to-end encryption, as well as claims regarding the level of encryption. In addition, the complaint alleged that Zoom made deceptive claims regarding the secure storage for Zoom meeting recordings. The complaint also alleged that Zoom compromised the security of some users when it installed software called a ZoomOpener web server, which allowed Zoom to automatically launch and have a user join a meeting by bypassing an Apple Safari browser safeguard, which would have provided users with a warning box prior to launching the Zoom app.
The proposed settlement is consistent with many of the FTC’s recent data-security settlements and includes several of the newer provisions designed to strengthen such settlements. Specifically, the proposed settlement prohibits Zoom from misrepresenting its privacy and security practices in the future and requires Zoom to do the following:
- Establish, implement, and maintain a comprehensive information security program that protects the security, confidentiality, and integrity of covered information, such as:
- Security review for all new software
- A vulnerability-management program for its internal networks
- Security training for employees
- Inventorying personal information stored in systems
- Implementing data-deletion policies and other specific security measures, such as proper network segmentation and remote-access authentication
- Obtain an initial security assessment and biennial data-security assessments for twenty years from an independent-third party Accessor.
- Submit an annual certification from a senior corporate manager that it has implemented the requirements of this order.
Submit a report to the FTC upon the discovery of any covered incident. A covered incident is defined as an incident in which personal information is accessed or acquired without authorization and that requires reporting to any government entity.
As with a number of high-profile privacy or data-security settlements, the FTC’s Commissioners issued several separate statements expressing their views and their visions for the FTC’s privacy and data security program.
Notably, Commissioner Chopra issued a nine-page dissenting statement expressing concern with companies that, in the interest of acting and growing quickly, engage in deceptive practices, which he believes harms consumers and competition. Commissioner Chopra criticized the consent agreement because in his view it does not help affected parties, it does not include a monetary penalty, and thus it does not provide for meaningful accountability for Zoom. Finally, Commissioner Chopra stated that he believes that the Zoom settlement undermines the Commission’s effort to receive more authority from Congress to protect personal information.
Commissioner Slaughter also dissented, focusing her dissenting statement on her belief that the Commission’s action does not more robustly address the associated privacy issues connected to Zoom’s actions. In addition, Commissioner Slaughter took issue with the settlement’s failure to provide recourse for consumers.
The majority, Chairman Simons and Commissioners Phillips and Wilson, issued a statement indicating that they felt that the proposed relief “appropriately addresses the conduct alleged in the complaint and is an effective, efficient resolution of this investigation.”