Zoom Out: An Overview
The COVID-19 pandemic has prompted an unprecedented uptick in remote work and the need to stay connected from home. During this time, video calling and conferencing has become significantly more popular, allowing people to work, gather and stay in touch virtually. Zoom Video Communications (“Zoom”), like many of the leading platforms for video communication, has seen a significant increase in its user base during the pandemic.
On November 9, 2020, the U.S. Federal Trade Commission (“FTC”) announced that Zoom has agreed to implement a robust information security program to settle allegations that the video conferencing provider deceived users about the level of security for the Zoom meeting platform and unfairly undermined a browser security feature. Additionally, the settlement contains a prohibition on privacy and security misrepresentations and requires other detailed and specific relief to protect Zoom’s user base, including:
- Zoom personnel will be required to review any software updates for security flaws and ensure the updates will not hamper third-party security features;
- Zoom must obtain biennial assessments of its security program by an independent third party; and
- Zoom must notify the FTC if it experiences a data breach.
Zoom In: Zigging and Zagging from Privacy and Security Promises
Unfulfilled Encryption Promises. The FTC determined that Zoom made three types of deceptive representations regarding the strength of its security practices, which were false and misleading for consumers under Section 5(a) of the FTC Act:
- Second, Zoom represented that it encrypted all Zoom meetings with AES 256-bit encryption, but in fact used a weaker form of encryption (AES 128-bit).
- Third, Zoom claimed that it stored all meeting recordings on the secure, encrypted Zoom cloud right after a meeting ended, but in fact the recordings were kept unencrypted for 60 days on Zoom’s servers before being transferred to the Zoom secure cloud.
The FTC concluded that users relied on Zoom’s false statements regarding its enhanced security practices to choose and buy Zoom as a videoconferencing platform. This choice left consumers particularly vulnerable due to the stay-at-home restrictions prompted by the COVID-19 pandemic, which meant that users were more likely to share sensitive information via Zoom meetings, such as health data.
Inadequate Software Installation Disclosures and Authorization. The FTC also determined that Zoom engaged in unfair practices when it “secretly” installed a ZoomOpener web server as part of a manual update for its Mac desktop application in July 2018 without adequate notice or user consent. The ZoomOpener software allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware. ZoomOpener:
- automatically joined users to Zoom meetings without any prompt, with the user’s camera automatically activated;
- automatically reinstalled the Zoom app on a user’s computer without notice to the user; and
- introduced two security vulnerabilities by exposing users to a potential Remote Control Execution attack and to a local denial-of-service attack by forcing the Zoom app to open over and over again without giving the user a chance to stop it.
The FTC viewed Zoom’s installation of ZoomOpener as unfair because it caused substantial injury to consumers that could not be reasonably avoided due to ZoomOpener’s hidden features (features that a Zoom user was not aware of) and could not reasonably object to.
Avoid the Doom: Key Takeaways and Action Items from the Case on Zoom
The FTC’s settlement with Zoom offers several important reminders regarding key privacy and security controls for companies that collect and process a high volume of personal information, whether in writing or mostly in audio/visual format, and for whom data security is a key product differentiator that consumers rely upon.
Takeaway 1: Don’t make gratuitous privacy and security promises; disclosures must be clear and accurate and align with practices. The FTC alleged that Zoom “misled users” regarding the use and strength of its encryption, as the company’s statements in its “App, on its website, in its Security Guides, in its HIPAA Compliance Guide, in blog posts, and in direct communications with customers” did not match the company’s actual practices.
- Industry Practice – Differentiate between privacy disclosures and marketing statements. There is a time and place for each, but they should not be confused. Refrain from putting grandiose and potentially hyperbolic adjectives in your privacy disclosures and statements as these are common fodder for FTC cases on false, misleading and/or unfair and deceptive practices (e.g., “world-class information security” and “we ensure that only authorized individuals access consumer information”).
Takeaway 2: Disclose on time, every time. As privacy regulations require that notice be provided “at or before the point of collection” (or similar), companies are increasingly relying on just-in-time disclosures and authorization prompts in mobile applications and websites upon material events involving the processing of user personal information, such as reinstallation of an application or the sharing of personal information with third parties. Some of these disclosures are the result of legal or regulatory requirements, while others are the result of company-driven initiatives, such as Apple’s iOS 14 ad tracking transparency (ATT) framework. (See our recent alert “Apple’s iOS 14 Privacy Changes: Five Practical Tips for App Developers” for more information on the potential impact of this change by Apple.)
- Industry Practice – Walk a mile in their digital shoes. As part of the initial drafting and quarterly review processes, many companies are putting themselves in the position of the consumer, conducting through user experience simulations and reviews with counsel to determine when and where just-in-time notices are appropriate or incorporating such reviews into the SDLC as part of privacy-by-design.
- Industry Practice – Don’t be creepy. In the age of spyware and increased hacking, mobile apps, software, and even cookies and other trackers are a risk to consumers. Companies are increasingly making concerted efforts to ensure adequate disclosure of installations, updates, etc. and obtain consent or user authorization for any change in the processing of the consumer’s personal information.
Takeaway 3: Expect heightened focus on security enforcement over the coming years. The Zoom settlement underscores the FTC’s commitment to ensuring comprehensive security for personal information, which we expect will continue and likely intensify as the Democratic party takes control of the FTC under a Biden administration. Further, with the recent commencement of California Consumer Privacy Act enforcement by the California Attorney General as of July 1, 2020, many companies are formalizing their approach to security and aligning their program with one or more defensible standards or frameworks. This can help support a safe harbor defense argument against potential future claims in the event of a data breach.
- Industry Practice – Undertake a security health check. Evaluate whether your security program and controls are comprehensive, support a claim that you have implemented and maintain “reasonable security.” Regardless of the framework that your IT group uses to operate and manage security (e.g., International Organization for Standardization (ISO) 27001, Payment Card Industry Data Security Standard (PCI DSS), National Institute of Standards and Technology (NIST) and others), it is increasingly a practice to map controls from those standards to the increasing regulatory requirements, the NIST cybersecurity framework and/or the 20 Center for Internet Security Controls (CIS Controls), identified by the California State Attorney General as the “minimum level of information security that all organizations that collect or maintain personal information should meet.”
- Note – Free Tool: Fenwick has developed a template based on the CIS 20 to help with this evaluation and identify gaps to be addressed. Please contact us if you would like more information and support with this evaluation. Our previous alert, “Let's Be Reasonable: Clearer Guidance for Minimum Information Security Standards,” also provides additional information on the standards for reasonable security.
- Industry Practice – Conduct testing, testing, 1…2…3. Implement periodic review and testing of your security controls to confirm their design and effectiveness (one of the overarching objectives of the independent assessments required biennially by the FTC for companies under Consent Orders). Such reviews and testing can be conducted internally or using a qualified third party. Through more regular testing, Zoom may have identified the discrepancy between its claims of immediate encryption of recorded meetings and the actual practice of storing such recordings unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.