On November 9, 2020, the Federal Trade Commission (“FTC”) announced a settlement with Zoom Video Communications, Inc. (“Zoom”) to resolve allegations that the company misled customers about steps it had taken to protect consumer data and Zoom meeting content. With COVID-19 forcing nearly everyone to use videoconferencing for sensitive communications about business, health, and personal information, the consent agreement underscores the need for companies to carefully review how they represent their data security protections to the public in their privacy policies, marketing materials, and other public statements.
Under the consent order, Zoom is required to establish and implement a comprehensive security program aimed at addressing the issues cited by the FTC. Among other things, Zoom will be required to implement safeguards like multi-factor authentication in order to prevent unauthorized access to its network, as well as review any software updates for security flaws. The consent order also requires that, for the next twenty years, Zoom undergo an independent audit of its information security program every two years and provide certain regular compliance and incident reports to the FTC. While there is no monetary fine in the consent order, the FTC is empowered to seek civil penalties for violations of the order in the future.
The FTC voted 3-2 to accept the consent agreement, with dissenting statements written by Commissioners Rohit Chopra and Rebecca Kelly Slaughter. Of particular note, both dissents advocated for a stricter approach, contending that the proposed consent agreement was too lenient because it included “no help for affected parties, no money, and no other meaningful accountability.” (Dissenting Statement of Commissioner Rohit Chopra). The positions taken by the dissenting commissioners could signal that more aggressive enforcement is not off the table for the FTC going forward, particularly if there is a change in the makeup of the Commission or the agency’s priorities under a new administration.
In light of these statements and the allegations brought against Zoom, companies should use caution when describing their security measures to customers and avoid any misrepresentations, bearing in mind that even language that implies heightened security, including statements about how highly the company values or prioritizes privacy, can be construed as misleading if flaws are discovered in the future.
Goodwin's long-standing Privacy & Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients' data protection needs. Our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing and protection of their most sensitive information. Our senior lawyers include four Legal 500 recommended lawyers and a “Next Generation Partner” in Cyber Law and Data Breach Response, several former federal prosecutors, and multiple FTC, GDPR, CCPA, HIPAA, GLBA and COPPA experts. We deliver practical solutions to complex regulatory challenges and design strategic privacy, information security and compliance programs for startups, global enterprises, and everything in between. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks and advise on over 700 public and private transactions per year.