Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Amid the nation-wide "work from home" routine necessitated by the COVID-19 pandemic, an extraordinary number of businesses turned to the Zoom Video Communications' video conferencing platform. As the use of the Zoom platform increased, so did scrutiny of Zoom's data security practices, which in turn produced a flurry of class action lawsuits against Zoom for "violation of its duty to implement and maintain reasonable security procedures and practices." Like many technology providers, Zoom's Terms of Service (update as of April 13, 2020) stated that Zoom will "maintain reasonable physical and technical safeguards to prevent unauthorized disclosure of or access … in accordance with industry standards."
The proposed class actions against Zoom are illustrative of a challenge many businesses face: What is "reasonable" data security? Organizations in regulated industries typically have more data security parameters, e.g., Health Insurance Portability and Accountability Act (HIPAA), Vermont's Securities Regulations Cybersecurity Procedures and South Carolina's Insurance Data Security Act. Businesses operating outside regulated industries must sift through a patchwork of laws, guidance and enforcement actions.
Getting to reasonable data security is particularly vexing for technology vendors that, like Zoom, are required by law (e.g., the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA)) to contractually promise that their products protect customers' personal data and confidential business information with reasonable data security.
For businesses subject to the authority of Federal Trade Commission (FTC), data security-related enforcement actions and guidance are the primary sources for clarifying the reasonable data security requirement. The FTC's public archives show more than 80 data security-related actions in the past 20 years. In 2015, the FTC distilled 10 data security principles from 50 of its data security enforcement actions into Start with Security: A Guide for Business and later supplemented these principles with the 2017 Stick with Security: A Business Blog Series.
Despite this relatively long history of data security activity, the FTC is criticized for insufficiently clear guidance about what reasonable data security means, including by the 11th Circuit, which vacated a 2016 FTC data security mandating "a complete overhaul of LabMD's data-security program" because it offered "precious little about how this is to be accomplished." Perhaps in response to the 11th Circuit's LabMD decision, in a Jan. 6, 2020 blog post, the FTC touted "significant improvements" in its 2019 data security orders.
Following this cue from the FTC's blog, we analyze the FTC's key data-security-related enforcement during 2019 and 2020 enforcement (to date) for common data security requirements that can help guide businesses in developing their data security programs. The FTC's 2019-2020 enforcement actions include the FTC's same basic data-security-related recommendations from the 2015-2017 guidance but also elaborate with timing and other details:
In the 2019-2020 enforcement orders and again in its June 2020 cloud security guidance, the FTC emphasizes certain specific data security controls:
While the requirements in the FTC orders often reflect specific data security failures of the subject business, they also offer FTC-regulated businesses some benchmarks against which to evaluate their data security programs. Of course, determining the best way to implement the FTC's various data security requirements depends on industry, technology, financial and personnel resources and the quantity and sensitivity of the information.
*****
Julia B. Jacobson is a Partner in the Boston office of Arent Fox LLP, advising national and multinational clients on practical and tactical privacy, cybersecurity and marketing law compliance. Natalia J. Kerr is an attorney working for the Boston office of Arent Fox LLP on privacy and cybersecurity matters. Courtney K. Stout is the Chief Privacy Officer for S&P Global, Inc. S&P is a client of Arent Fox.
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.
With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.
Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.
The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.