Resulting in Zoom Promising to Implement an Information Security Program, Resembling the SHIELD Act

Key point: The Letter of Agreement between the New York Attorney General and Zoom Video Communications, Inc. provides insight into what the Attorney General may consider satisfying the Reasonable Safeguards requirement under the SHIELD Act.

On May 7, 2020 Zoom Video Communications, Inc. (Zoom) became the first company to experience one of the new enforcement tools available to the New York Attorney General’s Office (NYAG) under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

The SHIELD Act took effect on March 21, 2020, and requires any person or business owning or licensing computerized data containing the private information of a New York resident “to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that private information.” GBL § 899-BB(2).

Security Concerns for Zoom Arise Amidst COVID-19

As the popularity of Zoom’s videoconferencing platform surged in the COVID-19 pandemic, so did the public’s complaints about hackers disrupting supposedly “private” videoconferences (educational events, government meetings and religious services) due to security flaws in Zoom’s platform. On April 10, 2020, the sergeant-at-arms for the U.S. Senate also advised senators and their staffs to consider alternative meeting platforms due to Zoom’s security concerns.

The complaints about the disruptions, better known as Zoom-bombing, caught the attention of State and Federal prosecutors around the country. For example, Zoom-bombing attracted the attention of the Federal Bureau of Investigations, the Department of Justice and the Attorney General for Pennsylvania. The FBI asked people with information about hackers who are exploiting the disruptions caused by the COVID-19, to contact the Bureau. One U.S. Attorney said, “Hackers are disrupting business and community meetings for sport and targeting specific groups, including addiction recovery meetings, in order to mock, harass and interfere with treatment.” Pennsylvania’s Attorney General voiced a similar message, “Through my Office’s partnership with the Western Pennsylvania COVID-19 Fraud Task Force, we will be able to investigate and prosecute hackers.”

As Zoom’s security flaws became more apparent, media reports unearthed data privacy concerns on Zoom’s platform. One of the primary concerns involved the fact that Zoom was sending analytics data from its users to Facebook, even if the users did not have a Facebook account or had not used their Facebook accounts to log into Zoom. Although this is common practice amongst many companies, the privacy concern arose because Zoom failed to inform users that their information was being shared with Facebook. At the time, Zoom’s privacy policy made no mention of the fact that it was sharing data with Facebook. When this discrepancy was found, Zoom altered its application to eliminate the feature.

Two other privacy concerns involved LinkedIn’s Sales Navigator tool and Zoom’s meeting directory feature. Specifically, Zoom meeting participants could access the LinkedIn profiles of other meeting attendees, including those who had adopted pseudonyms to remain anonymous during a Zoom meeting. Similarly, the Zoom meeting directory tool enabled users to access the personal information of other Zoom users that used the same email domain.

New York Informs Zoom to Improve Its Data Security Posture

In contrast to the emphasis some law enforcement entities were placing on pursuing hackers described above, Zoom’s privacy concerns prompted the NYAG to examine Zoom’s information security practices. In a letter to Zoom on March 30, 2020, the NYAG asked Zoom to describe the new security measures it implemented to detect hackers in light of the exponential increase of traffic on its network. According to the New York Times, the NYAG’s letter acknowledged that Zoom provides essential and valuable services to the community, but her office was concerned that Zoom’s platform lacked critical security protections, such as end-to-end encryption, which the company claimed was already in place.

Zoom Takes Quick Corrective Action and Cooperates with NYAG Inquiry

Media reports and the NYAG indicate that Zoom fully cooperated with the NYAG’s inquiry and took quick action to respond to the various privacy and security concerns. The day after receiving the NYAG’s letter, Zoom announced a 90-day plan to improve the privacy and security for its users. One of the steps Zoom took to effectuate this plan was by redirecting its engineering team away from product enhancements and towards the remediation of security vulnerabilities and improving its privacy settings.

The NYAG also credited the fact that Zoom made its services available to residents free of charge, thereby benefitting New York during the COVID-19 pandemic, to include enabling health care and local governments to provide essential services to the public and by facilitating online learning for school children.

Based on these circumstances, the NYAG determined that an agreement with Zoom on continued security improvements (Agreement) was more beneficial to the public than commencing an enforcement proceeding against the company.

The Agreement Puts the SHIELD Act’s Reasonable Safeguards Requirement into Practice

Under the Agreement, Zoom was not required to admit or deny any of the NYAG’s factual or legal allegations, and the Agreement cannot be used by third parties to create a cause of action against the company. However, in exchange for these protections, Zoom had to promise to comply with a variety of laws and regulations. (Specific laws and regulations mentioned in the Agreement include: New York’s consolidated laws for Education, Executive and General Business pertaining to fraud, deceptive practices, false advertising and the unauthorized release of personally identifiable information; regulations related to the Education law; and the Federal Children’s Online Privacy Protection Act (COPPA) Rule). Zoom also promised to enhance its privacy controls for its free accounts and its K-12 education accounts. As a result, Zoom users now have the ability to password-protect their meetings in addition to placing prospective attendees into digital waiting rooms before granting access to the meeting. Users also will have the ability to control access to the private messages and the e-mail domains in the Zoom directory.

Perhaps the most interesting provision in the Agreement was Zoom’s requirement to implement a comprehensive, written information security program (WISP) with specific administrative, technical and physical safeguards. The Agreement’s requirement for Zoom to implement a WISP is not a verbatim recitation of the SHIELD Act’s data security program, but the resemblance between the terms in the Agreement and the SHIELD Act’s provisions cannot be ignored.

The SHIELD Act provides two options for complying with the statutory requirement to implement and maintain reasonable safeguards:

  1. Comply with the preexisting data security regulations required by the Gramm-Leach Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA) or New York’s Division of Financial Services (NYDFS). See GBL §§ 899-BB(2)(b)(i).
  2. Implement a data security program that includes reasonable administrative, technical and physical safeguards. See GBL §§ 899-BB(2)(b)(ii).

The first option allows financial institutions, health care providers, and insurance providers who already have to comply with GLBA, HIPAA or NYDFS regulations to continue with those compliance obligations. The second option, implementing a data security program, is the primary option for the vast majority of the private sector.

Based on the similarity between the SHIELD Act’s data security program and Zoom’s WISP requirements, the Agreement offers a preview of NYAG’s expectations for many of the reasonable safeguards that should be implemented within the private sector.

The main elements of Zoom’s WISP requirements and the SHIELD Act’s data security programs are compared in the appendix that follows.

The Agreement Contains No References to the SHIELD Act

Interestingly, the Agreement does not expressly reference the SHIELD Act despite expressly referencing other NY general business laws. In our opinion, there are two plausible explanations for the SHIELD Act’s absence from the Agreement.

1. The SHIELD Act requires businesses to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information of New York residents.

  • Private information is defined in New York’s data breach notification law as a subset of personal information, that is similar to other jurisdictions’ definitions of personally identifiable information.
  • According to the allegations in the Agreement, Zoom did not own or license private information of New York residents. As such, the SHIELD Act’s predicate requirement for a data security program would not have been triggered based on the security flaws in Zoom’s platform.
  • This rationale may also explain why the WISP did not discuss any of the physical safeguards that would be required for a business collecting or possessing private information.

2. Based on the date of the NYAG’s letter, the examination of Zoom’s security practices must have begun in early March, weeks before the SHIELD Act’s reasonable safeguards requirements went into effect.

  • The unexpected circumstances of COVID-19 and the sudden importance of Zoom’s platform may have eliminated the luxury of starting an investigation after the SHIELD Act’s data security program requirements went into effect on March 21, 2020.
  • It is possible that the NYAG refrained from invoking the SHIELD Act simply to avoid legal complications that might arise from an investigation into Zoom’s security flaws because the investigation would have predated the effective date of the SHIELD ACT.

Final Observations and Thoughts

Although the Agreement resolved Zoom’s legal exposure within the NYAG, and it might dampen the enthusiasm for other prosecutorial offices to pursue enforcement actions against the company. Notably, Zoom already corrected the disparity between its Privacy Notice and its undisclosed practice of sharing information with Facebook and LinkedIn.

Uncorrected, that type of conduct could have been the basis for a Federal Trade Commission (FTC) investigation as a deceptive practice in violation of §5(a) of the FTC Act. However, FTC investigations usually result in consent decrees where the business promises to correct its behavior but does not admit liability. See e.g. In the Matter of GEOCITIES, Dkt No. C-3850, (Feb. 5, 1999).

Nevertheless, Zoom must remain cognizant of the privacy of its users. There is no reason to believe that the company’s legal liabilities regarding the corrected security flaws are eradicated in light of the numerous lawsuits being filed against Zoom. These lawsuits include class actions filed on behalf of shareholders, alleging that Zoom overstated its security measures and class actions by Zoom’s end users for violations of their privacy.

The end-user class actions were brought in U.S. District Court in California and rely, in part, on the definition of personal information contained in the California Consumer Privacy Act (CCPA). In depth analysis of the CCPA requirements can be found in our practice group’s ongoing commentaries for businesses that have compliance questions regarding the CCPA.

In sum, the fact that Zoom is defending lawsuits under various state privacy and data security laws illustrates the problems companies will face in their efforts to comply with the patchwork of state privacy laws, until a federal data privacy and security law is enacted.

Appendix 1 Comparison of Several of Zoom’s WISP and SHIELD Act Provisions