A Virtual Reality: What Videoconference Platforms Can Do to Prevent or Defend Data Security and Privacy Lawsuits

Videoconferences have become “virtually” ubiquitous in today’s workforce, particularly as COVID-19 continues to transform how businesses operate from day to day.  To maintain social distancing, most businesses have encouraged their employees to utilize remote desktop software to perform their jobs from the relative safety of their homes.  In furtherance of this arrangement, those same businesses have replaced traditional in-person meetings with virtual videoconferences.

With businesses more reliant on the telework model than ever before, videoconference platforms have, perhaps expectedly, faced a bevy of lawsuits from their users arising from the use of videophonic software.  This article explores the measures businesses may employ to prevent data security and privacy lawsuits, as well as what businesses can do to defend such litigation when it ensues.

Plaintiffs have asserted various legal theories in the ongoing wave of lawsuits against videoconference services, including breach of contract, negligence, fraud, violation of state and federal consumer protection laws, and invasion of privacy.  The common thread among nearly all of the lawsuits is the alleged failure to ensure the privacy of the users’ personal information coupled with the alleged failure to make the users’ meetings inaccessible to third parties.

In a pending class action lawsuit against Zoom, the putative class alleges that Zoom misled them into believing its meetings were secure.  The plaintiffs further claim that, as a result, hackers were given free rein to infiltrate Zoom meetings, obtain control of the plaintiffs’ devices, covertly install malware onto the plaintiffs’ devices, and make unauthorized recordings of Zoom meetings.  The plaintiffs also claim third parties were able to gain access to recordings of non-password-protected meetings on Zoom’s cloud-based server and that Zoom surreptitiously shared the plaintiffs’ personal identifying information (“PII”) with third-party businesses for targeted advertising.  The factual crux of the lawsuit is that Zoom allegedly misinformed the public by promoting its meetings as private and secure through its “end-to-end sharing” encryption protocol.

Preventing the Lawsuit

Although the vast majority of these lawsuits have either settled or remain unresolved, the nuanced theories of recovery have offered a potential blueprint for how videoconference platforms can reduce the risk of litigation arising from allegedly inadequate data security and/or user privacy.  For example, if the platform enables users to store recorded meetings on a cloud-based server, the platform should have reasonable data security measures for its servers, such as firewalls, encryption, unique passwords, anti-malware and antivirus software, and integrity monitoring and logging.  Platforms might also reduce the risk of privacy and security breaches by offering a function that allows users to disable the sharing of their PII.

In addition, videoconference platforms should pay close attention to the language of their privacy policies, especially as the policies pertain to the platforms’ encryption protocols.  Informing users upfront regarding the platform’s specific encryption protocols and what vulnerabilities may exist with respect to the users’ personal information and private meetings may help reduce risk.  Similarly, informing users that the platform may sell or otherwise share user data with other businesses seeking targeted advertisements is advisable.  While federal law permits internet service providers to sell consumer data to other businesses for advertising purposes, a business’s failure to provide notice to the consumer that the business will sell the consumer’s PII can subject businesses to civil liability.

Defending the Lawsuit

As a starting point, platforms faced with data security and privacy lawsuits should evaluate which state’s law applies, whether the venue of the lawsuit is proper, and whether federal subject matter jurisdiction exists.  If a plaintiff files suit in state court, the suit may be removable on federal question jurisdiction or diversity grounds because the lawsuit may be based, at least in part, on alleged violations of federal statute.  Moreover, a number of the data security and privacy lawsuits have been filed as class actions, and the requirements for defendants to establish complete diversity in class action lawsuits are less exacting than in other federal lawsuits—not to mention that the amount-in-controversy will almost certainly exceed $75,000.  Savvy defense attorneys are keenly aware of the advantages of defending suit in federal court, from minimizing litigation fees and avoiding potential local bias against large, out-of-state corporations, to protecting businesses’ sensitive, proprietary information during discovery.

Videoconference platforms may also have certain defenses at their disposal, depending on the plaintiff’s legal basis for recovery.  For instance, standing is a common defense in data breach lawsuits, which generally hinges on whether the plaintiff has alleged a sufficiently concrete injury that could possibly be remedied by a court of law.  In a nutshell, the standing doctrine accounts for whether the proper party has filed the lawsuit.  In this same vein, some consumer protection statutes contain narrow definitions of exactly who qualifies as a “consumer.”

Warranty claims, on the other hand, are typically governed by the relevant state’s version of the Uniform Commercial Code (UCC).  One common procedural requirement among many states’ UCC provisions pertaining to breach of warranty claims is the requirement for the plaintiff to provide the defendant with pre-suit notice of the claim.  Like any pre-suit demand letter, the primary purpose of the pre-suit notice is to (1) put the defendant on notice of the plaintiff’s intent to pursue a warranty claim against the defendant, and (2) encourage settlement or alternative resolution of the claim as soon as possible.

As for negligence claims, a plaintiff must prove (1) that the videoconference platform owed a legal duty of reasonable care to the plaintiff, (2) that the defendant breached its duty of care, (3) that the defendant’s breach was the factual and legal cause of the plaintiff’s injuries, and (4) that the plaintiff incurred actual damages.  Therefore, videoconference platforms should evaluate whether the plaintiff has suffered actual damages, including physical injuries that can be quantified through medical records, or property damage.  Without proof of actual damages, plaintiffs are barred from recovery on negligence claims.  Likewise, the economic loss doctrine prevents plaintiffs from recovering on negligence claims if the plaintiffs’ alleged damages are solely for economic losses (e.g., loss of income or lost profits) as opposed to personal injury or property damage.

In several of the pending lawsuits against videoconference platforms, the plaintiffs allege that the platforms engaged in fraudulent business practices in providing the videoconference services.  Whereas claims generally survive dismissal if the claims are legally and factually “plausible,” Federal Rule of Civil Procedure 9 requires plaintiffs to plead fraud-based claims, such as fraud, fraudulent concealment, and negligent misrepresentation, with a heightened degree of factual specificity.  A plaintiff’s failure to comply with Rule 9’s heightened pleading standard (i.e., stating a specific factual basis for each fraud-based claim) can result in dismissal of the complaint.

The Takeaway

By all indications, the shift to telework as the new conventional method of day-to-day business operation will likely continue well into the foreseeable future.  To that end, videoconference services should closely monitor (and heed) the outcomes in the flurry of data security and privacy lawsuits that have surfaced in the last year.