FTC And Zoom Reach Settlement Over Alleged Privacy And Data Security Misrepresentations

Goodwin

On November 9, 2020, the Federal Trade Commission (“FTC”) announced a settlement with Zoom Video Communications, Inc. (“Zoom”) to resolve allegations that the company misled customers about steps it had taken to protect consumer data and Zoom meeting content. With COVID-19 forcing nearly everyone to use videoconferencing for sensitive communications about business, health, and personal information, the consent agreement underscores the need for companies to carefully review how they represent their data security protections to the public in their privacy policies, marketing materials, and other public statements.

The settlement arises out of an investigation by the FTC into claims that Zoom made about the security measures it had in place to protect user data and the confidentiality of Zoom meetings. In its complaint, the FTC alleged that Zoom, among other things, misled its customers by “touting the strength of the privacy and security measures it employs.” (FTC Compl.13). Specifically, the complaint alleged that Zoom left customers with a false sense of security about the privacy of their meetings by promising “end-to-end, 256 bit encryption,” in which no one but the sender and the recipient can access the content. The FTC alleged that Zoom instead retained access to the contents of Zoom meetings, which resulted in a lower level of security than promised. Notably, the complaint also called out as misleading other language used by Zoom, like many other companies, in its privacy policy and on its website, including seemingly innocuous statements that Zoom takes “security seriously,” that it “places privacy and security as the highest priority,” and that it “is committed to protecting your privacy.”

Under the consent order, Zoom is required to establish and implement a comprehensive security program aimed at addressing the issues cited by the FTC. Among other things, Zoom will be required to implement safeguards like multi-factor authentication in order to prevent unauthorized access to its network, and to review any software updates for security flaws. The consent order also requires that, for the next twenty years, Zoom undergo an independent audit of its information security program every two years and provide to the FTC certain regular compliance and incident reports. While there is no monetary fine in the consent order, the FTC is empowered to seek civil penalties for violations of the order in the future.

The FTC voted 3-2 to accept the consent agreement, with dissenting statements written by Commissioners Rohit Chopra and Rebecca Kelly Slaughter. Of particular note, both dissents advocated for a stricter approach, contending that the proposed consent agreement was too lenient because it included “no help for affected parties, no money, and no other meaningful accountability.” (Dissenting Statement of Commissioner Rohit Chopra). The positions taken by the dissenting commissioners could signal that more aggressive enforcement is not off the table for the FTC going forward, particularly if there is a change in the makeup of the Commission or the agency’s priorities under a new administration.

In light of these statements and the allegations brought against Zoom, companies should use caution when describing their security measures to customers and avoid any misrepresentations, bearing in mind that even language that implies heightened security, including statements about how highly the company values or prioritizes privacy, can be construed as misleading if flaws are discovered in the future.

Written by:

Goodwin