Amidst the coronavirus pandemic, remote meetings have become “the new normal,” with Zoom, seemingly overnight, becoming the platform of choice. Zoom’s success is attributable to the fact that “it just works.” Of course, the double-edged sword of success is the attention it attracts.
Earlier this year, Zoom’s stock price rose while most other stocks fell in value. Now Zoom is being sued in two shareholder class actions, both on the basis of Zoom’s handling—or mishandling—of security. Regulators and politicians are also said to be looking into Zoom’s security (and inherent privacy) flaws.
Zoom’s CEO Eric Yuan apologized, essentially to the world, and announced that the company will pause on new feature development in favor of enhancing security. I previously wrote about some of those security issues here.
Whether it be Zoom, Facebook, or any other company that comes under scrutiny for privacy or security issues, you’ll notice the headlines never read “Zoom’s director of product development apologizes” or “Zoom’s chief information officer testifies before Congress.” Yet, all too often the C-suite attempts to “delegate and forget” the responsibility for security to the IT Department or treats it as a “problem for later” rather than a design problem at the outset. Under this corporate strategy, IT’s assignment often comes with a mandate to reduce spend and a lack of authority to impact business operations. This is not just the wrong approach, it is essentially executive malpractice, as demonstrated by the previously mentioned shareholder suits and regulatory inquiries.
What to do? Simple. Security is now a strategic issue for your company. You appoint a head of security, and instead of making them a third-tier check-box, you give them a full seat at the table, along with the invitation and the obligation to speak up when security (and privacy) is implicated in business operations.
Security must become cultural and a strategic initiative at every company, public and private, small and large. I say this with the backing of the California Consumer Privacy Act, the General Data Protection Regulation, the Federal Trade Commission Act, every states’ data breach notification law, the Plaintiff’s Bar and all of the other rules and laws that are in development which are only going to tighten security and demand increased privacy.
From a marketing and crisis communications perspective, having to address security issues is also not good for business. In that sense, WebEx, Microsoft Teams, GoToMeeting, Skype and FaceTime got lucky vis-à-vis Zoom
So, in addition to appointing a head of security, what else can we do? First and foremost, write a corporate privacy policy. Then, incorporate a version of it into your corporate mission statement and roll it out to the company. Draft all of the procedures that fall under the policy to ensure the policy is carried out. Create a written and updated data breach plan. Develop a meaningful corporate website privacy policy. Craft a written information security plan. Create policies and procedures that embed security and privacy into the design, development and rollout of your products and services. Draft procedures for addressing consumer inquiries under the California Consumer Protection Act (and GDPR). Discuss security with your IT department. Develop a five-year plan and budget strategy for defending against threats. Review and consider if you have insurance for data breach response, ransomware, spear phishing, wire fraud and the like.
If you do end up suffering a breach, you’ll be able to point to all the things you are doing to demonstrate how seriously you took the issue of security. No security is perfect—it is an ongoing iterative process—but the law does not demand perfection. Rather, the law demands companies be reasonable and that can be accomplished one step at time.
