A few weeks ago the Federal Trade Commission took an enforcement action against Zoom Technologies for misleading statements Zoom made about the security of its videoconferencing services. The case wasn’t too exciting except for a dissenting statement from one of the Democratic FTC commissioners — which read like a foreshadowing of cybersecurity enforcement in the Biden Administration.
Let’s start with the FTC complaint and consent order, which were announced on Nov. 9. The commission’s complaint accused Zoom of misleading consumers about its security program in numerous ways. For example, from 2015 into 2020 Zoom advertised that it offered “end to end encryption” of its web meetings and chats. In reality, Zoom stored its cryptographic keys on servers that Zoom maintained, which meant that most of its services couldn’t be protected by end-to-end encryption. The company admitted as much in a statement on its corporate blog in April of this year.
The FTC allegations continue from there, touching on the exact level of encryption Zoom promised, claims about secure storage of recorded Zoom meetings, and an update Zoom released in 2018 that circumvented security features Apple had built into its Safari web browser. Ultimately the FTC charged Zoom with five violations of the Federal Trade Commission Act.
In the settlement order, Zoom agreed to implement a new data security plan; get an independent assessment of its security program by outside experts every two years; submit annual compliance certifications to the FTC; and make timely reports to the FTC about certain security failures that might happen.
So far, so wishy-washy.
Equally notable was what the settlement order did not include. No monetary penalty. No notice to Zoom consumers about the settlement. No offer to Zoom customers to exit contracts they might have with the company. No admission of guilt or wrongdoing.
That left the FTC’s two Democratic commissioners peeved. Which brings us to their dissenting statements from the Zoom settlement, and what those might augur for FTC enforcement when a certain president-elect takes office on Jan. 20.
Acting Quickly to Exploit Opportunity
The dissent really worth reading came from Rohit Chopra, who has served on the FTC since 2019. His central complaint was that when the pandemic arrived earlier this year, Zoom’s business with consumers skyrocketed — which made Zoom’s deceptive statements about its security all the more egregious, and therefore deserving of a sterner punishment. In Chopra’s own words:
Zoom stands ready to emerge as a tech titan. But we should all be questioning whether Zoom and other tech titans expanded their empires through deception. Zoom could have taken the time to ensure that its security was up to the right standards. But, in my view, Zoom saw the opportunity for massive growth by quickly leaping into the consumer market, allowing it to rapidly emerge as the new way to virtually celebrate birthdays and weddings and further solidify itself into our lives. But had Zoom followed the law, it might all be different.
Two implications jump out at me. First, Chopra is stressing the importance of “security by design” at the strategic level — that is, senior executives need to be thinking about the security of their software products right from the start, as they formulate their plans to conquer the world. When they tell consumers that security is just part of how they do business, that statement needs to be accurate and true.
Second, note Chopra’s line about Zoom and other tech titans taking advantage of exponential growth, perhaps at the expense of prudent business practices that respect consumer protections. Because one could make the argument that numerous tech titans fit that profile, and I suspect FTC lawyers under the Biden Administration will do exactly that.
In both cases, that means documentation of your business decisions becomes more important. For example, if the FTC accused your firm of not ensuring that security was up to the right standards — how would you rebut that allegation? Minutes of board meetings, management committee discussions, and the like would be one mighty powerful way. They offer a window into senior management’s thinking. You’ll need that evidence to return fire when someone like Chopra says the company wasn’t thinking about security.
Of course, this also means that management actually does need to keep security a priority, even when growth is soaring like a rocket. In the same way that the best defense against charges of FCPA violations is, ya know, a strong executive commitment to never offering bribes, the best defense against allegations of sloppy security is a strong executive commitment to security, even if that means accepting a little less speed on the rocket.
A commitment to doing the right thing. Ain’t it funny how we always come back to that point.
Bolder FTC Actions
Chopra also laid out several steps he’d like to see the FTC take more often in its investigations and settlement agreements. Among them:
More emphasis on helping consumers. That could include steps such as requiring companies to respond to formal consumer complaints, or ordering companies to release consumers and small businesses from any long-term contracts they signed as a result of deceptive practices. (Chopra mentioned the latter as one measure he wished the FTC had imposed on Zoom.)
Better FTC investigations by expanding the skills of investigation teams. Chopra would like to see the FTC use more engineers, designers, and other technical experts on its investigation teams, in addition to lawyers. That would let the FTC take the initiative to evaluate tech products more often, rather than just chasing down whatever scandal blows up in the media.
More rulemaking to clarify what constitutes unfair or deceptive practices — and include potential monetary penalties for violations. Too much of the FTC’s posture on privacy and data security comes from individual consent orders, Chopra said. He wants the FTC to reformulate those expectations as clear, specific rules, with monetary penalties attached.
Revisit the wisdom of third-party security assessments. Outside assessments of an offender’s security program show up in lots of FTC settlements; the Zoom settlement includes one. Chopra’s beef is whether those assessments are really effective, and he’s not wrong. Facebook agreed to outside assessments in 2012, which failed to note the company’s massive data security misconduct in 2014.
Chopra also called for the FTC to coordinate with other regulators both in the United States and abroad more often; and to be less afraid of pursuing cases in court. (It’s worth noting that during the Obama Administration, Chopra was a senior official at the Consumer Financial Protection Bureau overseeing issues related to student loans. You can hear echoes of CFPB enforcement policy then in his FTC statements now.)
So Will This Happen?
The short answer is we don’t know yet. President-elect Biden hasn’t nominated anyone to run the FTC so far. The agency does have its very own transition landing team, led by Heather Hippsley; she’s a former FTC deputy general counsel who retired in February after 35 years with the agency.
Clearly someone with Hippsley’s experience will know how the FTC could shape enforcement policy along Chopra’s thinking — more rulemaking, more coordination, better investigations. It’s also no secret that the Biden Administration will want to keep pursuing antitrust complaints against Google and other tech giants. While those cases will unfold at the Justice Department, the Administration’s overall strategy and philosophy for how to deal with powerful tech businesses will very much include FTC enforcement.
And fundamentally, Chopra’s dissent just reads like he’s sending the message: “This settlement stinks and we should do things differently around here!” CISOs, compliance officers, and board directors should heed his words.