On November 9, 2020, the Federal Trade Commission (“FTC”) announced a settlement with Zoom Video Communications, Inc. (“Zoom”) to resolve allegations that the company misled customers about steps it had taken to protect consumer data and Zoom meeting content. With COVID-19 forcing nearly everyone to use videoconferencing for sensitive communications about business, health, and personal information, the consent agreement underscores the need for companies to carefully review how they represent their data security protections to the public in their privacy policies, marketing materials, and other public statements.
Under the consent order, Zoom is required to establish and implement a comprehensive security program aimed at addressing the issues cited by the FTC. Among other things, Zoom will be required to implement safeguards like multi-factor authentication in order to prevent unauthorized access to its network, as well as review any software updates for security flaws. The consent order also requires that, for the next twenty years, Zoom undergo an independent audit of its information security program every two years and provide the FTC with certain regular compliance and incident reports. While there is no monetary fine in the consent order, the FTC is empowered to seek civil penalties for violations of the order in the future.
The FTC voted 3-2 to accept the consent agreement, with dissenting statements written by Commissioners Rohit Chopra and Rebecca Kelly Slaughter. Of particular note, both dissents advocated for a stricter approach, contending that the proposed consent agreement was too lenient because it included “no help for affected parties, no money, and no other meaningful accountability.” (Dissenting Statement of Commissioner Rohit Chopra). The positions taken by the dissenting commissioners could signal that more aggressive enforcement is not off the table for the FTC going forward, particularly if there is a change in the makeup of the Commission or the agency’s priorities under a new administration.
In light of these statements and the allegations brought against Zoom, companies should use caution when describing their security measures to customers and avoid any misrepresentations, bearing in mind that even language that implies heightened security, including statements about how highly the company values or prioritizes privacy, can be construed as misleading if flaws are discovered in the future.