Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.
Sign up for our Securities newsletter
You must correct or enter the following before you can sign up:
Thank You!
Law360 (April 13, 2020, 4:44 PM EDT )
Tara Trifon |
This is due to the COVID-19 pandemic that has dramatically increased the number of people who rely on the cloud-based communications platform to interact with others while practicing social distancing from the confines of their homes. These days, it's commonplace to finish a work-related conference call and then immediately join a virtual happy hour, all on Zoom.
While this rapid influx of users has boosted Zoom's stock price, it also brought close scrutiny of the company's privacy policies and potential security vulnerabilities.
Three consumer class actions have already been filed in the U.S. District Court for the Norther District of California. The first alleges that Zoom has failed to properly safeguard its users' personal information. The second focuses on Zoom's alleged disclosure of users' personal information without consent.
The third claims that Zoom unlawfully shared personal information with Facebook Inc. and also failed to provide adequate security to avoid breaches as evidenced by the "Zoombombing" incidents, a brand new term describing situations in which uninvited attendees take advantage of security flaws to disrupt a conference.
While Zoom has made changes in response, the company's reactions are unlikely to avoid the current litigation or dissuade additional consumer lawsuits.
Summary of Allegations in the Class Action Complaints
On March 30, Robert Cullen filed a putative class action against Zoom, alleging that the company failed to properly safeguard its users' personal information. In particular, the plaintiff alleges that every time a user opens the Zoom application, personal information is sent to Facebook, such as the user's mobile operating system type and version, the device time zone, the device model and the device's unique advertising identifier (which allows companies to target the user with advertisements).[2]
The plaintiff notes that Zoom has released a new version of the application that purportedly stops this practice, though it failed to push this updated version to all of its users. As a result, the plaintiff alleges that there are some individuals who continue to use the older version of the application and whose personal information is still being transmitted to Facebook.[3]
The plaintiff asserts a number of claims against Zoom, including violation of the California Consumer Privacy Act, California Consumers Legal Remedies Act, and the California Constitution; unlawful and unfair business practices; negligence, invasion of privacy, and unjust enrichment.[4]
The next day, on March 31, Samuel Taylor filed his own putative class action against Zoom.[5] As in the Cullen complaint, the plaintiff alleges that Zoom discloses the personally identifiable information of its users to unauthorized third parties, including Facebook, for use in targeting advertising without the users' consent.[6]
Disclosed information includes the unique advertiser identifier, which the plaintiff claims is a particularly invasive practice because it is tied to an individual user and is "similar to a cookie in that it allows advertisers to know that a specific iPhone user is looking at a specific publication so that it can serve an ad targeting that user."[7]
Additionally, the plaintiff claims that Zoom shares other details (such as the type of device, software, network carrier and location of the user) that, when taken together, provide a high level of detail about the user.[8] Notably, the plaintiff claims that Zoom's data-sharing activity was not visible to the user and, therefore, there was no opportunity for the user to express or withhold consent. The plaintiff asserts a number of claims against Zoom, including negligence, violation of the CCPA, CLRA, and California unfair competition law; breach of implied contract; unjust enrichment; and invasion of privacy.[9]
On April 8, Lisa Johnston filed a third class action against Zoom.[10] As with the first two class actions, the plaintiff claims that Zoom unlawfully shared users' personal information with Facebook (such as the type of device, software, network carrier and location of the user), which generates a unique identifier permitting Facebook to target users with advertisements.[11]
But the Johnston complaint goes even further than Cullen's and Taylor's, claiming that Zoom also failed to provide adequate security to avoid breach and infiltration of users' videoconference, namely Zoombombing.[12] The plaintiff claims that Zoom dishonestly and falsely advertised that its videoconferencing was protected by end-to-end encryption, when in fact it was not.[13] As a result, the plaintiff claims that Zoom's videoconferences were vulnerable to hacking.[14]
The plaintiff also alleges that Zoom failed to safeguard its users' confidential, sensitive personal information and engaged in unfair, unlawful and deceptive business practices relating to Zoom's data security.[15] The plaintiff claims that Zoom acted negligently, breached an implied contract, breached the implied covenant of good faith and fair dealing, engaged in unjust enrichment, invaded the plaintiff's privacy, and violated the CCPA, CLRA, and California unfair competition law.[16]
These three class actions are likely to be consolidated in the near future. Cullen has already filed a motion to consider whether Cullen and Taylor should be considered related cases.[17]
Zoom's Response
Zoom's founder and chief executive officer, Eric Yuan, acknowledged the privacy and security issues in a message on April 1. Yuan expressed appreciation for the scrutiny and questions that "will make Zoom better, both as a company and for all its users."[18]
The message also identified certain actions that Zoom has already taken because of the privacy complaints, including updating the privacy policy and removing a software development kit in its iOS client to stop collecting unnecessary device information from users, although it claims that it was unaware that this information was being transmitted. Zoom also published a blog entry clarifying that data is only encrypted if all participants are using the Zoom application and the meeting is not being recorded.[19]
CCPA Issues Raised by Consumer Class Actions
The CCPA provides that a consumer may commence a civil action if the consumer's
nonencrypted and nonredacted personal information, as defined in [Cal. Civ. Code 1981.81.5], is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.[20]
Thus, to prevail on a CCPA claim, a plaintiff must prove that: (1) certain personal information is subject to an unauthorized access and exfiltration, theft or disclosure; and (2) that this was the result of the company's failure to maintain reasonable security procedures and practices.
Standing/Damages
Even before getting to the merits of a CCPA cause of action, a court must determine whether the plaintiff has standing to pursue such a claim. Indeed, many privacy class actions have been dismissed in the past due to the plaintiffs' inability to demonstrate that they suffered a harm, resulting in findings that they lacked Article III standing to pursue their claims.
The CCPA creates a private cause of action as a result of a breach in the event that such breach is cause by a business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information. It also creates statutory damages in the amount of $100 to $750 per incident. As a result, the CCPA has effectively bypassed the lack of standing issue and Zoom is unlikely to prevail by asserting such a defense.[21]
Personal Information
The definition of personal information under the CCPA is quite expansive and includes information:
that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.[22]
The consumer class action plaintiffs allege that Zoom disclosed certain personal information including, but not limited to: (1) identification of the user's device and model, (2) the time zone and city the user is connecting from, (3) the user's phone carrier, and (4) a unique advertiser identifier created by the user's device that companies can use to target advertising to the user.
However, the CCPA only provides a private right of action for consumers if there is disclosure of personal information as set forth in California Civil Code Section 1798.81.5.
Pursuant to this statute, personal information is defined as an individual's first name or first initial and last name so long as it is accompanied by the individual's:
- Social Security number;
- Driver's license number or other unique identification number issued on a government document;
- Account number or credit/debit card number along with a security code, access code, or password;
- Medical information;
- Health insurance information; or
- Unique biometric data.[23]
Personal information is also defined as a username or email address in combination with a password or security question and answer that would permit access to an online account.[24]
Zoom will probably argue that any data shared with Facebook does not qualify as personal information for purposes of a consumer complaint. In Taylor and Johnston, the plaintiffs claim that Zoom violated the CCPA by using personal information without providing notice or permitting them to opt out of the disclosure of this information.[25] In Cullen, the plaintiff also alleges that Zoom failed to provide adequate notice consistent with the CCPA.[26]
While the Cullen plaintiff also alleges that Zoom failed to implement/maintain reasonable security procedures and practices in order to prevent nonencrypted and nonredacted personal information from unauthorized disclosure, the complaint does not explicitly reference the personal information defined in California Civil Code Section 1798.81.5.[27]
Maintenance of Reasonable Security Procedures and Practices to Avoid a Breach
To avoid liability under the CCPA for a breach of nonencrypted and nonredacted personal information, Zoom must "implement and maintain reasonable security procedures and practices."[28] The CCPA does not articulate what constitutes reasonable procedures and practices, and the interpretation of this requirement is likely to evolve over time.
However, if Zoom was not even aware that Facebook's software development kit collects personal information from its users, then it is difficult to imagine how the company crafted reasonable security procedures and practices relating to such collection.
The Zoombombing breaches reveal another set of problems for Zoom.[29] As the Johnston complaint notes, while Zoom previously claimed that its videoconferences were protected by end-to-end encryption, the fact was that Zoom apparently lacked that capability.[30]
But Zoom's security can actually be breached by two different methods, one is complex (end-to-end encryption) and one is simple (manipulating the uniform resource locater in order to engage in Zoombombing). Both are ways to exploit Zoom to get access to another person's data and are likely to be raised in litigation as support for the lack of reasonableness.
It is worth noting that even if Zoom did comply with its duty to maintain such reasonable security procedures and practices, it may still potentially face an enforcement action by the California attorney general under the CCPA for potentially lax security protocols that allowed Zoombombing to occur, as well as for failing to provide its users with notice regarding whether their personal information was being collected, what specific information was being collected and for what purpose, and the right to opt-out or delete personal information.[31]
Is Zoom's Lack of Knowledge a Defense?
One question that may arise from this litigation relates to the role that Zoom's understanding, or lack thereof, regarding the transmittal of information transmitted to Facebook. Yuan's message to users on March 27 states that Zoom was only recently made aware that Facebook's software development kit was collecting unnecessary device data.[32]
Instead, by stating that Zoom was unaware that Facebook's software development kit was collecting information from users, it seems to be trying to shift liability away from itself and on to Facebook.
Facebook's business tools terms and conditions clearly state that if a company uses software development kits, it "further represent[s] and warrant[s] that [it has] provided robust and sufficiently prominent notice to users regarding the Customer Data collection, sharing and usage" and includes specific requirements such as the prominence of notices with clear explanations.[33]
Thus, Facebook would likely take the position that Zoom was put on notice regarding Facebook's customer data collection.
Conclusion
The three class actions are just the beginning of a litigation and enforcement nightmare for Zoom.
In addition to the focus on privacy and cybersecurity issues, there has been a lot of media attention on Zoombombing. Consequently, several states' attorney general have begun requesting information regarding Zoom's privacy and cybersecurity policies, including New York Attorney General Letitia James, Connecticut Attorney General William Tong and Florida Attorney General Ashley Moody.
U.S. senators are also getting involved, with Sen. Sherrod Brown, D-Ohio, sending a letter to the Federal Trade Commission asking for a formal investigation into Zoom's allegedly deceptive representations about its end-to-end encryption.[34]
Two putative class actions were also filed by Zoom shareholders, claiming, among other things, that the company made false or misleading statements regarding the adequacy of its privacy and cybersecurity standards and the end-to-end encryption of its service.[35]
As with other privacy and cybersecurity class actions involving other companies, Zoom will likely try to settle the pending matters for amounts that give users less than the penalties provided in the CCPA. Whether Zoom will be successful in doing so remains to be seen and will likely be guided by the Facebook Biometric Information Privacy Act settlement.[36]
These are difficult times for Zoom, a company thrust into the spotlight by the pandemic, with challenging business and litigation decisions ahead.
Tara Trifon is a partner at Locke Lord LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
[1] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/ (last accessed on April 5, 2020).
[2] See Cullen v. Zoom Video Communications, Inc., Case No. 5:20-cv-02155-LHK (N.D. Cal.), Compl., ¶ 16.
[3] Id., ¶ 21.
[4] Id.. Compl., generally.
[5] Taylor v. Zoom Video Communications, Inc., Case No. 5:20-cv-02170-SVK (N.D. Cal.).
[6] Id., Compl., ¶ 2.
[7] Id., Compl., ¶ 36.
[8] Id., ¶ 37.
[9] Id., Compl., generally.
[10] Johnston v. Zoom Video Communications, Inc., Case No. 5:20-cv-02376-SVK (N.D. Cal.).
[11] Id., Compl., ¶¶ 2 and 35.
[12] Id.
[13] Id.,
[14] Id., ¶ 45.
[15] Id.
[16] Id., Compl., generally.
[17] See Cullen, Case No. 5:20-cv-02155-LHK (N.D. Cal.), ECF No. 21.
[18] Id.
[19] https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/ (last accessed on April 5, 2020).
[20] Cal. Civ. Code § 1798.150(a).
[21] Another example of this is found in the class action commenced against Facebook, Inc. alleging a violation of the Illinois Biometric Information Privacy Act ("BIPA"), 740 Ill. Comp. Stat. 14/1, et seq. See In re Facebook Biometric Information Privacy Litigation, Case No. 15-cv-03747-JD (N.D.Cal.). In that case, the plaintiffs did not allege that they suffered an actual harm, but instead based their claims entirely on Facebook's purported breach of BIPA. Facebook moved to dismiss the complaint, arguing inter alia, that the plaintiffs were not damaged and therefore did not have standing, which motion was denied. Facebook then appealed that decision to the Ninth Circuit, which affirmed the District Court's decision. Finally, Facebook petitioned the United States Supreme Court to determine whether the violation of a statute provides a concrete interest that is sufficient to find standing. The Supreme Court denied certiorari on January 21, 2020 and Facebook settled the matter eight days later for $550,000,000. Significantly, the District Court judge presiding over this class action specifically informed the parties that he needed a clear explanation as to why he should approve a settlement where the class members receive less than the $1,000 statutory damages for negligent violations provided in BIPA, possibly paving the way for refusing to approve the proposed settlement.
[22] Cal. Civ. Code § 1798.140(o)(1).
[23] Cal. Civ. Code § 1798.81.5(d)(1)(A).
[24] Cal. Civ. Code § 1798.81.5(d)(1)(B).
[25] See Taylor, Case No. 5:20-cv-02170-SVK (N.D. Cal.), Compl., ¶¶ 102-103 and Johnston, Case No. 5:20-cv-02376-SVK (N.D. Cal.), Compl., ¶¶ 101-103.
[26] Cullen., Case No. 5:20-cv-02155-LHK (N.D. Cal.), Compl., ¶ 33.
[27] Cullen., Case No. 5:20-cv-02155-LHK (N.D. Cal.), Compl., ¶ 34.
[28] Cal. Civ. Code § 1798.150(a).
[29] The Johnston complaint does not currently include the Zoombombing security breaches as part of the CCPA claim. However, it is common for complaints to be amended as the litigation proceeds, and it is likely that Johnston will cure this deficiency in future pleadings.
[30] Johnston, Case No. 5:20-cv-02376-SVK (N.D. Cal.), Compl., ¶ 45.
[31] Cal. Civ. Code §§ 1798.100 – 1798.120.
[32] https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/ (last accessed on April 8, 2020).
[33] https://www.facebook.com/legal/technology_terms (last accessed on April 8, 2020).
[34] See FTC-Zoom-4-03-20.pdf" target="_blank">https://assets.documentcloud.org/documents/6825069/Brown-to-FTC-Zoom-4-03-20.pdf (last accessed on April 5, 2020).
[35] See Drieu v. Zoom Video Communications, Inc., 3:20-cv-02353-JD (N.D. Cal.) filed on April 7, 2020, and Brams v. Zoom Video Communications, Inc., Case No. 3:20-cv-02396 (N.D.Cal.), filed on April 8, 2020.
[36] See footnote 14.
For a reprint of this article, please contact reprints@law360.com.