On Monday, November 9, 2020, the U.S. Federal Trade Commission announced a proposed settlement with Zoom Video Communications, Inc. (“Zoom”), a video conferencing provider, regarding allegations that Zoom misrepresented its data security practices to users and designed its product to circumvent certain embedded security features of third-party software. The proposed settlement requires Zoom to undertake a range of specific remedial measures related to its data security practices. It also imposes multiple layers of reporting and certification requirements.
The requirements imposed in the Zoom settlement follow the approach seen in other recent data security consent decrees. Consistent with a January 2020 Commission statement that announced the FTC’s efforts to strengthen injunctive relief imposed in consent agreements, the Zoom agreement mandates maintenance of an information security program with features to address the alleged data security violations, comprehensive reporting on the company’s compliance with its information security program by a third-party assessor, and compliance certifications executed by a senior executive. For FTC Chairman Joseph J. Simons and Commissioners Noah Joshua Phillips and Christine S. Wilson, who issued a majority statement approving the settlement, those measures, combined with an injunction against misrepresentations to users, were sufficient to “ensure that Zoom will prioritize consumers’ privacy and security.” Commissioners Rohit Chopra and Rebecca Kelly Slaughter, however, issued separate dissenting statements expressing their views that the proposed settlement fell short in providing redress to users allegedly misled by Zoom’s practices and imposing meaningful accountability on the company.
The Complaint and Settlement Order
The FTC complaint alleges that Zoom engaged in multiple unfair or deceptive practices. First, the FTC alleged that the company misrepresented the availability of end-to-end encryption for videoconferences that were not hosted on a customer’s own servers, the encryption of recorded meetings during storage, and the security level of the encryption standards used to protect users’ video communications. The FTC also alleged in its complaint that the company circumvented a security safeguard built into Apple’s Safari browser, a bypass that introduced vulnerabilities to users’ systems, and failed to disclose its deployment of that bypass.
As part of the settlement, Zoom will be required to implement a number of specific changes to enhance its security program, obtain an independent third-party assessment of its information security program biannually for twenty years, and provide annual certifications to the FTC on its compliance with the settlement. The company is also specifically enjoined from making any misrepresentations about its data security features.
FTC Continues to Mandate Specific Data Practices Tailored to the Violation. This settlement continues an ongoing practice of mandating specific remedial data security measures, in the wake of the Eleventh Circuit’s 2018 decision that the FTC cannot enforce vague settlement orders that provide limited direction on how data security programs should be designed to protect confidential information. Here, the settlement’s security program requirements are tailored to the alleged violations, and include establishing a mechanism for conducting a pre-release security review of its software updates to detect measures that would bypass security features in third-party software, implementing a program to detect and remediate critical vulnerabilities in its networks, and providing training on “secure software development principles” to product developers, designers, and engineers.
Commissioner Dissents Signal Interest in Stronger Enforcement. Commissioners Rohit Chopra and Rebecca Kelly Slaughter issued separate dissenting statements that raised several different concerns. Commissioner Chopra expressed concern that the settlement lacked provisions for meaningful relief for those users harmed by Zoom’s misrepresentations, such as contractual releases, refunds, or credits for small businesses that purchased Zoom services based on false representations; failed to mandate notice to affected users; and lacked monetary penalties. More broadly, he criticized as timid the agency’s overall approach to oversight of companies operating in the digital market. He called on the Commission to conduct more proactive and comprehensive investigations using interdisciplinary teams and technologists, and to increase collaboration with other international, federal, and state partners where appropriate. In addition, he advocated using the agency’s authority under Section 18 to codify precedent from prior data protection orders and case law into a rule that would provide guidance about what constitutes unfair or deceptive practices while simultaneously enabling the FTC to seek monetary relief for violations.
Commissioner Slaughter’s dissenting statement criticized the settlement’s exclusive focus on procedures that protect user security and not user privacy, remarking that “when we solve only for one we fail to secure either.” She also noted the lack of recourse for paying customers allegedly misled by Zoom’s statements and explicitly joined Commissioner Chopra’s call for strengthening the Commission’s enforcement efforts in the technology sphere.