Securities Litigation: An Emerging Strategy to Hold Companies Accountable for Privacy Protections

A California federal judge rejected Zoom Video Communications, Inc.’s motion to dismiss securities fraud claims against it, and its CEO and CFO, for misrepresenting Zoom’s privacy protections. Although there have been a number of cases challenging inadequate privacy protections on consumer protection grounds in recent years, this decision shifts the spotlight to an additional front on which the battles for privacy protection may be fought:  the securities-litigation realm.

At issue were statements made by Zoom relating to the company’s privacy and encryption methods, including Zoom’s 2019 Registration Statement and Prospectus, which told investors the company offered “robust security capabilities, including end-to-end encryption.” Importantly, the prospectus was signed by Zoom’s CEO, Eric Yuan. The plaintiffs, a group of Zoom shareholders, brought suit arguing that end-to-end encryption means that only meeting participants and no other person, not even the platform provider, would be able to access the content. The complaint alleged that contrary to this statement, Zoom maintained access to the cryptographic keys that could allow it to access the unencrypted video and audio content of Zoom meetings.

The plaintiffs’ allegations are based on media reports of security issues relating to Zoom conferences early in the COVID-19 pandemic, as well as an April 2020 Zoom blog post in which Yuan stated that Zoom had “fallen short of the community’s – and our own – privacy and security expectations.” In his post, Yuan linked to another Zoom executive’s post, which apologized for “incorrectly suggesting” that Zoom meetings used end-to-end encryption.

In their motion to dismiss, the defendants did not dispute that the company said it used end-to-end encryption.  Instead, they challenged plaintiffs’ falsity, scienter, and loss causation allegations – and all three attempts were rejected by the court.

First, as to falsity, the court did not buy the defendants’ argument that “end-to-end encryption” could have different meanings because a Zoom executive expressly acknowledged that the company had “incorrectly suggest[ed] that Zoom meetings were capable of using end-to-end encryption.” Thus, the court found that the complaint did, in fact, plead the existence of materially false and misleading statements. The court also rejected the defendants’ argument that Yuan’s understanding of the term “end-to-end encryption” changed in a relevant way from the time he made the challenged representation to his later statements that Zoom’s usage was inconsistent with “the commonly accepted definition.” The court looked to Yuan’s advanced degree in engineering, his status as a “founding engineer” at WebEx, and the fact that he had personally “led the effort to engineer Zoom Meetings’ platform and is named on several patents that specifically concern encryption techniques.”

Lastly, the court rebuffed the defendants’ attempt at undermining loss causation, finding that the plaintiffs had pled facts to plausibly suggest a causal connection between the defendants’ allegedly fraudulent conduct and the plaintiffs’ economic loss. In particular, the court referenced the decline in Zoom’s stock price shortly after defendants’ fraud was revealed to the market via media reports and Yuan’s blog post.

That said, the court dismissed the plaintiffs’ remaining claims, as they related to data privacy statements made by Zoom or, in general, by the “defendants,” unlike the specific encryption-related statement made by Yuan. The court found that the corporate-made statements did not rise to the level of an “exceptional case where a company’s public statements were so important and so dramatically false that they would create a strong inference that at least some corporate officials knew of the falsity upon publication.” Because those statements were not coupled with sufficient allegations of individual scienter, the court granted the defendants’ motion to dismiss those statements from the complaint.

© 2022 Proskauer Rose LLP.

FTC Settlement with Zoom Concerning Alleged Data-Security Lapses

On November 9, 2020, the United States Federal Trade Commission (FTC) announced that it had entered into a consent agreement, subject to final approval, with videoconferencing company Zoom Video Communications, Inc. (Zoom). The consent agreement settles allegations that Zoom engaged in a series of deceptive and unfair practices that undermined the security of its users. The Commission voted 3–2 to accept the settlement, with Commissioners Chopra and Slaughter voting no and issuing dissenting statements asserting that the FTC’s action did not go far enough.

While the FTC generally does not identify what triggers a law enforcement action, there have been many news articles and a number of class actions filed in connection with Zoom’s data-security practices over the past six months that likely led to this action.

According to the complaint accompanying the consent agreement, the number of daily Zoom meetings grew from approximately 10 million in December 2019 to 300 million in April 2020. Zoom allows users to have one-on-one and group meetings, and users can also chat with others in the meeting, share their screens, and record videoconferences, among other things. Given the sensitive information that is often shared during a Zoom meeting—such as financial information, health information, proprietary business information, and trade secrets—appropriate data security is critical.

According to the FTC’s complaint, Zoom made numerous prominent representations touting the strength of its privacy and security measures employed to protect users’ personal information. These representations included claims relating to end-to-end encryption, as well as claims regarding the level of encryption. In addition, the complaint alleged that Zoom made deceptive claims regarding the secure storage for Zoom meeting recordings. The complaint also alleged that Zoom compromised the security of some users when it installed software called a ZoomOpener web server, which allowed Zoom to automatically launch and have a user join a meeting by bypassing an Apple Safari browser safeguard, which would have provided users with a warning box prior to launching the Zoom app.

The proposed settlement is consistent with many of the FTC’s recent data-security settlements and includes several of the newer provisions designed to strengthen such settlements. Specifically, the proposed settlement prohibits Zoom from misrepresenting its privacy and security practices in the future and requires Zoom to do the following:

  • Establish, implement, and maintain a comprehensive information security program that protects the security, confidentiality, and integrity of covered information, such as:
    • Security review for all new software
    • A vulnerability-management program for its internal networks
    • Security training for employees
    • Inventorying personal information stored in systems
    • Implementing data-deletion policies and other specific security measures, such as proper network segmentation and remote-access authentication
  • Obtain an initial security assessment and biennial data-security assessments for twenty years from an independent third-party assessor.
  • Submit an annual certification from a senior corporate manager that it has implemented the requirements of this order.
  • Submit a report to the FTC upon the discovery of any covered incident. A covered incident is defined as an incident in which personal information is accessed or acquired without authorization and that requires reporting to any government entity.

As with a number of high-profile privacy or data-security settlements, the FTC’s Commissioners issued several separate statements expressing their views and their visions for the FTC’s privacy and data security program.

Notably, Commissioner Chopra issued a nine-page dissenting statement expressing concern with companies that, in the interest of acting and growing quickly, engage in deceptive practices, which he believes harms consumers and competition. Commissioner Chopra criticized the consent agreement because in his view it does not help affected parties, it does not include a monetary penalty, and thus it does not provide for meaningful accountability for Zoom. Finally, Commissioner Chopra stated that he believes that the Zoom settlement undermines the Commission’s effort to receive more authority from Congress to protect personal information.

Commissioner Slaughter also dissented, focusing her dissenting statement on her belief that the Commission’s action does not more robustly address the associated privacy issues connected to Zoom’s actions. In addition, Commissioner Slaughter took issue with the settlement’s failure to provide recourse for consumers.

The majority, Chairman Simons and Commissioners Phillips and Wilson, issued a statement indicating that they felt that the proposed relief “appropriately addresses the conduct alleged in the complaint and is an effective, efficient resolution of this investigation.”


© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.