Published on December 28, 2020
This past November, the Federal Trade Commission (“FTC”), often referred to as “America’s top cop on the privacy beat,” entered into a settlement agreement with Wall Street darling Zoom Video Communications, Inc. The FTC set its sights on Zoom earlier this year complaining that Zoom engaged in “Deceptive and Unfair Privacy and Security Practices.” More specifically, the FTC alleged:
The FTC challenged Zoom’s above assertion, alleging that Zoom falsely claimed to use 256-bit end-to-end encryption on its Zoom meetings platform when, in fact, Zoom only applied this heightened level of encryption to meetings hosted within Zoom’s “Connecter” product. All other meetings were encrypted with a lower, less secure (128-bit) level of encryption. Some recorded meetings were even stored unencrypted on Zoom servers for up to 60 days. According to the FTC, Zoom had access to the cryptographic keys of some of its servers, including some located in China, which would allow Zoom to access the content of its customers’ recorded Zoom meetings. Zoom’s failure to implement end-to-end protection left meeting data accessible to platform providers like Zoom, in addition to the senders and intended recipients of that data.
The FTC further alleged that Zoom failed to consistently safeguard against data security issues on its platform, to conduct routine checks of software applications for security vulnerabilities and abnormal activity, and to implement streamlined incident response procedures. Finally, the FTC deemed Zoom’s undisclosed installation of the ZoomOpener software on Apple computers, an installation which circumvented Apple’s malware protection safeguard in Safari browsers, a deceptive and unethical practice due to the lack of customer disclosure.
In accepting a settlement, Zoom agreed to comply with a number of FTC demands. Provision I of the settlement prohibits Zoom from “misrepresent[ing] in any manner, expressly or by implication” its data collection activities, security features, user controls, and the extent to which Zoom maintains the confidentiality of secure information.
Zoom must further “establish and implement a comprehensive Information Security Program” within 60 days of the settlement. Such a program, pursuant to Provision II, must implement and document important safeguards for data security, including a comprehensive security review by Zoom personnel, a vulnerability management program (which must include quarterly vulnerability scans), secure login enhancements, and a clear incident response protocol. Furthermore, Zoom is ordered to conduct routine testing of its security safeguards.
In Provision III, the FTC orders Zoom to obtain initial and biennial third-party assessments of its Information Security Program to determine Zoom’s adherence to the requirements enumerated in Provision II. Such assessments must “identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program” and denote the specific evidence used in reaching these conclusions.
Other key provisions (IV and V respectively) order Zoom to cooperate with third-party assessors and to obtain annual certification from Zoom’s senior corporate management. Provision VI of the settlement further requires Zoom to report covered incidents in a timely manner (within 30 days of the incident) and to fully disclose all relevant details.
Notably, FTC Commissioners Rohit Chopra and Rebecca Kelly Slaughter dissented to the settlement, arguing it did not provide consumers harmed by Zoom’s data security issues with a sufficient remedy. Both dissenting Commissioners called for the FTC to restore its credibility as a law enforcement agency and to strengthen measures that will discourage companies handling sensitive customer data from engaging in deceptive practices. Commissioner Slaughter notably pointed out that Zoom violated consumer privacy in addition to broader data security requirements and that the company should be held accountable as such.
The Zoom settlement provides an important learning opportunity for companies across the globe. First, companies must give priority to developing a robust data privacy program and training employees to fully understand the importance of complying with such programs. Second, companies must deploy resources capable of adequately responding to security breaches such as breach detection technologies and related incident response procedures that can detect, eradicate, and remediate data security incidents in a timely and effective manner. Third, companies should consider working with third party security experts to conduct routine data security checks to search for and detect security vulnerabilities before malicious or negligent actors can cause significant harm to company data.
Despite the arguably light consequences of Zoom’s FTC settlement, the dissenting Commissioners’ arguments and popular sentiment surrounding the importance of consumer data privacy indicate that future data security violations may face harsher sanctions. Thus, it is more important than ever for companies to protect their users’ data in order to maintain a secure network, thereby building consumer trust and achieving regulatory compliance.
The first step to building an effective data protection and privacy program is accurate and comprehensive Data Intelligence. This means locating, identifying, and cataloging organizational data. Even the largest and most profitable companies often struggle with understanding what type of data they hold and where that data sits.
For instance, personally identifiable information (“PII”), electronic personal health information, and sensitive data often sit in and flow through hundreds, if not thousands, of both structured and unstructured data stores. Moreover, original data is often duplicated many times over and stored in different databases. Determining data lineage is almost impossible without the benefit of the proper technology.
To effectively protect what data an enterprise has, it must first know what data it holds.
The second critical step is accurately categorizing organizational data. For instance, under the General Data Protection Regulation (“GDPR”), “sensitive” data must be treated differently than even PII.
The third crucial step is risk identification and a reduction strategy. Depending on the type and location of the data, certain data privacy and protection laws should dictate the enterprise risk strategy. The company’s Information Security and Privacy Program should be premised upon all governing rules, regulations, and laws to ensure not only data protection, but also legal compliance.
Our data protection and privacy experts can assist any enterprise, no matter its industry or location, with building and maintaining an effective and sustainable data protection and privacy program. We begin with a tailored and structured assessment process. The format of the assessment depends on the security and privacy laws and regulations relevant to our client. Our team, using our state-of-the-art assessment platform, will handle the entire process, from identifying relevant stakeholders, disseminating our electronic assessments, conducting interviews, and gathering all necessary documentation and artifacts, to assessing responses. From there, we provide our client with an actionable plan and timeline for the program build. We also have the people, processes, and technology to build, operate, and maintain data protection and privacy programs, freeing our clients to focus on their core business.
Please visit us at www.advisori.com to learn more and to speak with our data protection and privacy experts.