Amid the nation-wide “work from home” routine necessitated by the COVID-19 pandemic, an extraordinary number of businesses turned to the Zoom Video Communications’ video conferencing platform. As the use of the Zoom platform increased, so did scrutiny of Zoom’s data security practices, which in turn produced a flurry of class action lawsuits against Zoom for “violation of its duty to implement and maintain reasonable security procedures and practices.” Like many technology providers, Zoom’s Terms of Service stated that Zoom will “maintain reasonable physical and technical safeguards to prevent unauthorized disclosure of or access … in accordance with industry standards.”
The proposed class actions against Zoom are illustrative of a challenge many businesses face: What is “reasonable” data security? Organizations in regulated industries typically have more data security parameters, e.g., Health Insurance Portability and Accountability Act Security Rule, Vermont’s Securities Regulations Cybersecurity Procedures and South Carolina’s Insurance Data Security Act. Businesses operating outside regulated industries must sift through a patchwork of laws, guidance and enforcement actions.
