Throughout the COVID-19 crisis, individuals and businesses have gotten creative about how to gather and meet for everything from company meetings to happy hours to high school reunions and weddings. While applications like Skype and FaceTime have been popular for years, Zoom is the program that is on the tip of everyone’s tongue—mainly because it allows numerous people to meet and talk to each other via video link all at the same time. Originally developed as a video-conferencing program for businesses, Zoom, for the first time, is now serving individual users for activities having nothing to do with work. Before COVID-19, Zoom had 10 million daily users. Now, it supports over 200 million daily users.
With its increased popularity, however, Zoom is now looking down the barrel of a flurry of data breach and privacy class action lawsuits. Just recently, a plaintiff filed suit in the United States District Court for the Central District of California, alleging that Zoom breached its duty to implement and maintain reasonable data security practices and that the company misled customers about the security of its product. Specifically, the complaint states that the company’s iOS application shares its users’ personal information with Facebook without their consent. Further, the complaint alleges that Zoom falsely advertises that it uses “end to end” encryption when it does not, which could potentially result in eavesdropping. Also, most recently, hundreds of thousands of Zoom usernames and passwords were hacked and have begun to appear online. These usernames and passwords are being sold for mere pennies on the dollar—potentially providing hackers easy access to sensitive personal information.
While Zoom may have defenses available to it, these lawsuits could place Zoom and other companies like it in a precarious position. Historically, Zoom and similar companies were able to successfully argue plaintiffs lacked Article III standing to maintain their claims. Without some sort of specific injury-in-fact (or concrete harm) to show that the plaintiff was financially harmed, privacy and data breach lawsuits were often dismissed for lack of standing.
Recently, however, courts have tended to hold that such companies owe an independent duty of care to safeguard their users’ information. If a plaintiff merely shows that the defendant did not take reasonable steps to protect user information, that is enough for standing. See In re Equifax Inc. Consumer Data Sec. Breach Litig., No. 1:17-md-2800-TWT, 2020 U.S. Dist. LEXIS 7841, at *183 (Jan. 13, 2020, N.D.G.A.). Zoom may be able to argue that individualized issues predominate over common issues – namely, damages – because the court will need to analyze each individual plaintiff to determine their damages. But, even if the court agrees with this argument, the court may certify the class on liability-only and allow each plaintiff to seek damages individually. The result is that Zoom could face difficulty winning on a motion to dismiss or at the class certification stage, which could open the door for a significant settlement or an adverse jury award.
While companies like Zoom are likely to face class action lawsuits for months or years after the COVID-19 pandemic is over, other businesses need to be mindful as well to limit their potential exposure. This includes any business sharing confidential information over video-conferencing software, including doctors’ offices, financial advisors, banks, and attorneys, to name a few. As this pandemic continues to play out, all businesses should be careful to check their video-conferencing service to ensure it provides a safe and secure platform to share information in order to limit potential legal exposure down the road. Businesses should also advise their employees about issues with security and remind them to be mindful when utilizing video conferencing, to not give out confidential information, and to secure the video call with a password.