Securities Litigation: An Emerging Strategy to Hold Companies Accountable for Privacy Protections

A California federal judge rejected Zoom Video Communications, Inc.’s motion to dismiss securities fraud claims against it, and its CEO and CFO, for misrepresenting Zoom’s privacy protections. Although there have been a number of cases challenging inadequate privacy protections on consumer protection grounds in recent years, this decision shifts the spotlight to an additional front on which the battles for privacy protection may be fought:  the securities-litigation realm.

At issue were statements made by Zoom relating to the company’s privacy and encryption methods, including Zoom’s 2019 Registration Statement and Prospectus, which told investors the company offered “robust security capabilities, including end-to-end encryption.” Importantly, the prospectus was signed by Zoom’s CEO, Eric Yuan. The plaintiffs, a group of Zoom shareholders, brought suit arguing that end-to-end encryption means that only meeting participants and no other person, not even the platform provider, would be able to access the content. The complaint alleged that contrary to this statement, Zoom maintained access to the cryptographic keys that could allow it to access the unencrypted video and audio content of Zoom meetings.

The plaintiffs’ allegations are based on media reports of security issues relating to Zoom conferences early in the COVID-19 pandemic, as well as an April 2020 Zoom blog post in which Yuan stated that Zoom had “fallen short of the community’s  ̶ ̶  and our own  ̶ ̶  privacy and security expectations.”  In his post, Yuan linked to another Zoom executive’s post, which apologized for “incorrectly suggesting” that Zoom meetings used end-to-end encryption.

In their motion to dismiss, the defendants did not dispute that the company said it used end-to-end encryption.  Instead, they challenged plaintiffs’ falsity, scienter, and loss causation allegations – and all three attempts were rejected by the court.

First, as to falsity, the court did not buy the defendants’ argument that “end-to-end encryption” could have different meanings because a Zoom executive expressly acknowledged that the company had “incorrectly suggest[ed] that Zoom meetings were capable of using end-to-end encryption.”  Thus, the court found that the complaint did, in fact, plead the existence of materially false and misleading statements. The court also rejected the defendants’ argument that Yuan’s understanding of the term “end-to-end encryption” changed in a relevant way from the time he made the challenged representation to his later statements that Zoom’s usage was inconsistent with “the commonly accepted definition.” The court looked to Yuan’s advanced degree in engineering, his status as a “founding engineer” at WebEx, and that he had personally “led the effort to engineer Zoom Meetings’ platform and is named on several patents that specifically concern encryption techniques.”

Lastly, the court rebuffed the defendants’ attempt at undermining loss causation, finding that the plaintiffs had pled facts to plausibly suggest a causal connection between the defendants’ allegedly fraudulent conduct and the plaintiffs’ economic loss. In particular, the court referenced the decline in Zoom’s stock price shortly after defendants’ fraud was revealed to the market via media reports and Yuan’s blog post.

That said, the court dismissed the plaintiffs’ remaining claims, as they related to data privacy statements made by Zoom or, in general, by the “defendants,” unlike the specific encryption-related statement made by Yuan. The court found that the corporate-made statements did not rise to the level of an “exceptional case where a company’s public statements were so important and so dramatically false that they would create a strong inference that at least some corporate officials knew of the falsity upon publication.” Because those statements were not coupled with sufficient allegations of individual scienter, the court granted the defendants’ motion to dismiss those statements from the complaint.

© 2022 Proskauer Rose LLP.
For more articles about business litigation, visit the NLR Litigation section.

Potato, Potahto… Email, Slack

First came email.  Then came Slack, WhatsApp, Zoom, Teams, texts, and a host of social media platforms where we can communicate…in writing…and those communications are saved as electronically stored information (ESI).  “Collaboration software,” like Slack, Zoom, and Teams, is the newest eDiscovery challenge.  But the challenge lies in the preservation, capture, and review, as well as the analysis of proportionality, and not in the question of whether it is discoverable.

The United States District Court for the Central District of California recently ruled that Plaintiff’s Slack messages were both relevant and proportional to the needs of the case and ordered their production.  Benebone LLC v. Pet Qwerks, Inc., 2021 WL 831025 (2/18/21).  The main points of contention between Plaintiff and Defendant focused on the cost to extract, process, and review 30,000 Slack messages.

Although the Court described Slack as a relatively new communication tool, it was part of Plaintiff’s internal business communications and there was no real dispute that Plaintiff’s Slack messages were likely to contain relevant information.

On the topic of burden and proportionality to the needs of the case, the court held a (Zoom) hearing and determined that “requiring review and production of Slack messages by Benebone is generally comparable to requiring search and production of emails and is not unduly burdensome or disproportionate to the needs of this case.” Id. at *3.

One of the key takeaways from this case is to get an eDiscovery expert. Defendant’s expert testified that there are readily available third-party tools for collection and review of Slack and that searches of the data could be limited to certain Slack channels, users, or custodians (similar to focusing an email search on custodians and time frames).  Defendant’s estimate of cost for the project was vastly different than Plaintiff’s unsupported estimates ($22,000 compared to $110,000-$255,000).  To that end, Defendant’s expert proposed that contract attorneys could do first-level review at a rate of $40 an hour as opposed to a $400 an hour attorney rate.  Plaintiff failed to provide a declaration or testimony from an eDiscovery expert.

When facing federal litigation, your case will involve electronically stored information. Slack is considered a more dynamic form of ESI, making search, collection, and processing more difficult.  Choosing the right application programming interface (API) is important as Slack data is exported in JSON format, which is difficult to decipher and requires the right processing to get to more user-friendly data for review purposes.  Additionally, the level of subscription used impacts what can be recovered.

©2021 Strassburger McKenna Gutnick & Gefsky


For more articles on Slack and WhatsApp, visit the NLR Corporate & Business Organizations section.

COVID-19 and Cybersecurity: Combating “Zoombombing” and Securing Your Remote Working Videoconferences

As COVID-19 has prompted a massive shift by organizations to the implementation and use of remote working solutions for their employees, there has been an unfortunate, but not surprising, corresponding rise in malicious actors seeking to exploit remote working solutions.

Over the past few weeks, the most notable and prevalent “digital hijacking” has occurred on the Zoom teleconferencing application. Since the start of the COVID-19 pandemic, there has been an explosion in the number of individuals using the Zoom application. Prior to the pandemic, Zoom averaged approximately 10 million users per day. However, Zoom now estimates that approximately 200 million users per day utilize its videoconferencing application. These users not only include remote workers, but also many school children and teachers who utilize the Zoom application for remote learning.

The phenomenon commonly known as “Zoombombing” involves the infiltration of Zoom videoconferences by hackers. Once they have infiltrated a videoconference, hackers have undertaken a variety of malicious acts including, among other things, posting hate speech, stealing personal identifying information, and posting pornography or other offensive or inappropriate content to the other participants in the videoconference. Typically, hackers look to exploit Zoom conference links that are posted publicly and/or open to the public without the need for a password or access key. In response to the increase in Zoombombing attacks, some governments and organizations have restricted or prohibited the use of the Zoom application by their employees. Recognizing the threat that hackers pose to their platform, Zoom recently added new default security features and recommended that users employ additional security safeguards.

Of course, it is not only Zoom that has been targeted by malicious cyber actors. Similar attacks have occurred on numerous other commonly use videoconferencing platforms. Attacks on these other platforms exploit similar flaws or security vulnerabilities that are seen in Zoombombing attacks.

Given the rise of attacks on videoconference applications during the COVID-19 pandemic, the FBI recently issued a warning discussing Zoombombing and other similar attacks aimed at remote working employees and students. The FBI advised that videoconference application users take the following steps:

  • Do not make meetings public and, if the option is available, utilize passwords for access to meetings;
  • Do not share links for meetings publicly;
  • Only allow meeting hosts to have the option to share their screens with other participants;
  • Ensure that you are using the most recent version of the application; and
  • Ensure that your organization’s remote working policies address requirements for videoconferencing security.

Other important security tips include:

  • Ensure that your teleconferencing sessions have active password protections in place;
  • Keep password protection on by default to prevent unauthorized users from joining or hijacking your sessions; and
  • Use a unique, one-time ID number for large or public teleconferencing calls.

The COVID-19 pandemic has made remote working a reality for many in a world handcuffed by social distancing. It is more important now than ever to understand the power, and the corresponding dangers, these new remote connection technologies hold in order to ensure that you maintain the safety and security of your organization’s data and information.


© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.

For more work from home considerations among the COVID-19 pandemic, see the National Law Review Coronavirus News page.