Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

FTC Settlement with Zoom Concerning Alleged Data-Security Lapses

On November 9, 2020, the United States Federal Trade Commission (FTC) announced that it had entered into a consent agreement, subject to final approval, with videoconferencing company Zoom Video Communications, Inc. (Zoom). The consent agreement settles allegations that Zoom engaged in a series of deceptive and unfair practices that undermined the security of its users. The Commission voted 3–2 to accept the settlement, with Commissioners Chopra and Slaughter voting no and issuing dissenting statements asserting that the FTC’s action did not go far enough.

While the FTC generally does not identify what triggers a law enforcement action, there have been many news articles and a number of class actions filed in connection with Zoom’s data-security practices over the past six months that likely led to this action.

According to the complaint accompanying the consent agreement, the number of daily Zoom meetings grew from approximately 10 million in December 2019 to 300 million in April 2020. Zoom allows users to have one-on-one and group meetings, and users can also chat with others in the meeting, share their screens, and record videoconferences, among other things. Given the sensitive information that is often shared during a Zoom meeting—such as financial information, health information, proprietary business information, and trade secrets—appropriate data security is critical.

According to the FTC’s complaint, Zoom made numerous prominent representations touting the strength of its privacy and security measures employed to protect users’ personal information. These representations included claims relating to end-to-end encryption, as well as claims regarding the level of encryption. In addition, the complaint alleged that Zoom made deceptive claims regarding the secure storage for Zoom meeting recordings. The complaint also alleged that Zoom compromised the security of some users when it installed software called a ZoomOpener web server, which allowed Zoom to automatically launch and have a user join a meeting by bypassing an Apple Safari browser safeguard, which would have provided users with a warning box prior to launching the Zoom app.

The proposed settlement is consistent with many of the FTC’s recent data-security settlements and includes several of the newer provisions designed to strengthen such settlements. Specifically, the proposed settlement prohibits Zoom from misrepresenting its privacy and security practices in the future and requires Zoom to do the following:

  • Establish, implement, and maintain a comprehensive information security program that protects the security, confidentiality, and integrity of covered information, such as:
    • Security review for all new software
    • A vulnerability-management program for its internal networks
    • Security training for employees
    • Inventorying personal information stored in systems
    • Implementing data-deletion policies and other specific security measures, such as proper network segmentation and remote-access authentication
  • Obtain an initial security assessment and biennial data-security assessments for twenty years from an independent third-party assessor.
  • Submit an annual certification from a senior corporate manager that it has implemented the requirements of this order.
  • Submit a report to the FTC upon the discovery of any covered incident. A covered incident is defined as an incident in which personal information is accessed or acquired without authorization and that requires reporting to any government entity.

As with a number of high-profile privacy or data-security settlements, the FTC’s Commissioners issued several separate statements expressing their views and their visions for the FTC’s privacy and data security program.

Notably, Commissioner Chopra issued a nine-page dissenting statement expressing concern with companies that, in the interest of acting and growing quickly, engage in deceptive practices, which he believes harms consumers and competition. Commissioner Chopra criticized the consent agreement because in his view it does not help affected parties, it does not include a monetary penalty, and thus it does not provide for meaningful accountability for Zoom. Finally, Commissioner Chopra stated that he believes that the Zoom settlement undermines the Commission’s effort to receive more authority from Congress to protect personal information.

Commissioner Slaughter also dissented, focusing her dissenting statement on her belief that the Commission’s action does not more robustly address the associated privacy issues connected to Zoom’s actions. In addition, Commissioner Slaughter took issue with the settlement’s failure to provide recourse for consumers.

The majority, Chairman Simons and Commissioners Phillips and Wilson, issued a statement indicating that they felt that the proposed relief “appropriately addresses the conduct alleged in the complaint and is an effective, efficient resolution of this investigation.”

November 13, 2020
Written by: Discerning Data Editorial Board
Category: Cybersecurity, FTC
Tags: consumer privacy, data security, FTC, information security program