Zooming In On Cyber Governance: Key Areas To Focus On


Advisory Board Member Jody Westby, CEO of Global Cyber Risk LLC, authored this article, which was originally published in Forbes on July 14, 2020.

Shortly after the coronavirus shutdowns began in March 2020, businesses and people across the country started using Zoom for remote working, video meetings, and keeping up with family and friends. The virus that killed the economy was a blessing to the video/chat communications company; its subscriber base shot up from 10 million in December 2019 to 300 million by April 2020.

But with its popularity came more scrutiny, and privacy and security issues rained down upon the company in a never-ending torrent. From late March to June, Zoom had a slew of lawsuits filed against it, negative headlines appeared every few days in the global press, and the use of Zoom was banned by governments, companies, and schools. The company is now engaged in a frantic effort to fix security holes, smooth over public relations snafus, and save itself. Many of its problems, however, could have been avoided by better governance over privacy and cybersecurity issues. A look at the issues Zoom has struggled with in a short 90-day period provides an excellent case study for directors and boards on digital oversight and offers lessons on how to avoid similar pitfalls.

What Zoom Got Wrong

Zoom failed to understand that privacy and security are equivalent to trust in the marketplace. It did not build privacy and security into the application’s development lifecycle and make it a centerpiece of its offering. The company also did not take its privacy compliance requirements seriously and made numerous false statements in its privacy policy about what it was really doing with user data. In addition, it was unprepared to manage security events and made seat-of-the-pants decisions on issues that resulted in uproars, more negative publicity, and apologies.

Reality hit on March 26 when Motherboard revealed that Zoom was sharing user analytics data from its iPhone app with Facebook, irrespective of whether the users had a Facebook account. The next day the company announced that it was stopping the sharing of data with Facebook and apologized. Nevertheless, a class action lawsuit was filed against the company, claiming that data sharing amounted to an unauthorized disclosure of personal data in violation of the California Consumer Protection Act (CCPA) because its privacy policy did not disclose the arrangement.

Next, Zoom classrooms were broken into (“bombed”) by hackers who displayed swastikas on students’ screens. The New York Attorney General sent a letter to the company inquiring about its privacy practices, and the FBI issued a public warning about Zoom’s security vulnerabilities. Then, The Intercept reported that Zoom was not using the end-to-end encryption that it touted in its marketing materials. Next, researchers started finding bugs: software vulnerabilities that allowed password theft, enabled hackers to take control of microphones and webcams, allowed root access to macOS desktops, and enabled the gathering of Zoom meeting IDs.

Zoom meetings continued to be crashed with shocking pornographic, racist, and anti-Semitic images. Then, Motherboard reported that Zoom was disclosing users’ email addresses and photos to strangers, the New York Times reported that a Zoom feature allowed some users to secretly access other users’ LinkedIn profile data, and the Washington Post found thousands of recordings and call records on the Internet exposing sensitive, personal data. By this time, it was only April 3.

All of this resulted in Congress sending Zoom CEO Eric Yuan a letter asking for information about the company’s privacy practices, and a second class action lawsuit was filed over the sharing of data with Facebook. Further embarrassment occurred when the University of Toronto’s Citizen Lab revealed that Zoom was using much weaker encryption than it claimed to be using and that at least some of the encryption keys were issued from Zoom servers in China, which meant the Chinese government may have had access to Zoom meetings.

Yuan began sounding like Mark Zuckerberg, who is famous for apologizing and begging for forgiveness for privacy oversteps that Facebook has made. “I really messed up as CEO, and we need to win their trust back,” Yuan said to the Wall Street Journal. The parade of horribles continued the next day as Zoom acknowledged that some video calls were erroneously sent through two Chinese servers.  Then, a third class action lawsuit was filed, citing the unauthorized disclosures to Facebook, the misrepresentations about end-to-end encryption, and the vulnerability that let malicious actors use webcams.

By this time, it was April 9 and Zoom had a new list of embarrassments:

  • Senator Richard Blumenthal publicly urged the Federal Trade Commission to investigate Zoom over privacy and security concerns
  • U.S. school districts began banning the use of Zoom
  • The U.S. Department of Defense strictly reined in the use of Zoom
  • The U.S. Senate asked its members to stop using Zoom
  • Google banned the use of Zoom on company devices
  • Taiwan forbade its government agencies from using Zoom
  • Singapore suspended the use of Zoom for education
  • The German Ministry of Foreign Affairs banned the use of Zoom
  • A fourth class action lawsuit was filed – a shareholder suit claiming the company had violated the federal securities laws by misleading investors about Zoom’s “inadequate data privacy and security measures” and falsely representing that its service had end-to-end encryption
  • A fifth class action suit named Zoom, LinkedIn, and Facebook for improper data sharing

In the month of April, Zoom was sued 17 times. It is important to note that the foregoing is only a portion of the privacy and security issues that Zoom had to deal with between March 26 and April 9, 2020 – a span of 15 days. Serious Zoom security events continued to occur from April 9 into the month of June, including the posting of 500,000 Zoom usernames and passwords for sale on a criminal site, and Zoom zero-day exploits offered for $500,000. Numerous security issues remain unresolved. The company has made a number of missteps in judgment, such as acquiescing to the Chinese government’s demands to suspend the accounts of dissidents (which resulted in more letters from Congress) and lying about the number of daily users it had, which impacted its stock price.

How To Exercise Privacy and Security Governance

Zoom’s unrelenting privacy and security issues have not been one-off events that can just happen to well-intentioned companies.  Instead, they reflect serious, systemic gaps and deficiencies in compliance and governance processes, the lack of a strong code of conduct and respect for privacy and security, poor crisis communications, and insufficient policies and procedures for software development.

Companies that want to learn from Zoom’s misfortunes and avoid its mistakes should ensure their directors and boards adhere to the following:

Top Ten Privacy/Cybersecurity Governance Actions

  1. Adhere to best practices and standards for the governance of information security and undertake the specific responsibilities assigned to boards and senior management.
  2. Establish a culture of respect for privacy and security through top-level policies, actions, and enforcement.
  3. Assign key roles and responsibilities for privacy and cybersecurity to senior management personnel.
  4. Issue a Code of Conduct applicable to all employees, contractors, vendors, and business partners that requires honesty and transparency in business transactions and compliance with policies and procedures.
  5. Ensure that privacy and cybersecurity compliance issues are clearly identified and integrated into operational policies and procedures and the cybersecurity program.
  6. Require that all systems and code be designed, developed, tested, and maintained with privacy and security considered at every stage and that code be developed according to secure coding practices.
  7. Ensure that software code undergoes regular code reviews and scans for vulnerabilities and that risk assessments of cybersecurity programs are performed.
  8. Ensure that all privacy policies and public-facing information, especially marketing and securities information about the company and security of its systems and data, accurately reflect operational practices, especially with respect to the sharing and use of personal data.
  9. Require the escalation of serious privacy and security incidents to the senior management team and the board and ensure that privacy and security incidents are integrated into crisis communications plans.
  10. Identify the key information flows that are required to keep the board informed about the foregoing and put in place an oversight process that includes monitoring the status of key risks.

Cybercriminals are relentless and new privacy laws are empowering consumers and regulators. The days of boards just asking interesting questions about cybersecurity and privacy a couple of times a year are over. ISO standards, laws, and regulations require companies to connect the dots between the data they collect, how they protect it, and who they share it with. They are required to accurately and transparently provide this information to shareholders and users. They are also expected to develop secure systems that cannot be hacked and exploited and put users at risk. Zoom found out the hard way. You can learn from their lessons.

Jody R Westby

I am CEO of Global Cyber Risk and provide consulting services, focusing on cyber risk assessments, incident response plans, cyber governance, and digital asset inventories and data mapping. I also serve as Adjunct Professor at Georgia Institute of Technology's School of Computer Science. I chair the American Bar Association’s Privacy & Computer Crime Committee, co-chair the Cybercrime Committee, and serve on the ABA President's Cybersecurity Task Force. I have served as co-chair of the World Federation of Scientists’ Permanent Monitoring Panel on Information Security and was appointed to the United Nations’ ITU High Level Experts Group on Cyber Security. I speak globally and am co-author and editor of The Quest for Cyber Peace and four books on privacy, security, cybercrime, and enterprise security programs. I was lead author of the Governing for Enterprise Security Implementation Guide for boards and senior management and am author of the 2008, 2010, and 2012 CyLab Governance Survey Reports and 2015 GA Tech Governance of Cybersecurity Report. I graduated magna cum laude from Georgetown University Law School and am a member of the Order of the Coif, American Bar Foundation, and Cosmos Club.
