(May 5, 2020) - Zoom Video Communications Inc. and two of its executives misled investors when they failed to reveal that the video, chat and content-sharing platform had inadequate data privacy protections, according to a shareholder lawsuit.
Drieu v. Zoom Video Communications Inc. et al., No. 20-cv-2353, complaint filed, 2020 WL 1696810 (N.D. Cal. Apr. 7, 2020).
The complaint, filed April 7 in the U.S. District Court for the Northern District of California, says investors paid artificially inflated prices for Zoom stock between its April 18, 2019, initial public offering, and April 6, when Yahoo Finance reported that users’ account data had been posted to the dark web.
Zoom and its executives knew the company’s communication platform had software encryption vulnerabilities that left it prone to hackers, but nevertheless touted its cybersecurity capabilities in IPO documents, Securities and Exchange Commission filings, and investor earnings calls, the suit says.
The misrepresentations caused a “precipitous decline” in the company’s stock once its security issues were widely revealed, according to the proposed class-action complaint.
In addition to Zoom, the suit names as defendants President and CEO Eric S. Yuan and Chief Financial Officer Kelly Steckelberg.
Jennifer Pafiti of Pomerantz LLP is representing the plaintiff, shareholder Michael Drieu.
Alleged software vulnerabilities
According to the suit, reports of Zoom’s data privacy problems began emerging as early as July 8, 2019, when a security researcher uncovered a flaw allowing hackers to remotely activate users’ webcams.
Later that month, the Electronic Privacy Information Center filed a Federal Trade Commission complaint against Zoom, alleging the company “intentionally designed” its platform to bypass web browser security settings, exposing users to remote surveillance and unwanted video calls.
Despite knowing about such vulnerabilities, the defendants continued to tout Zoom’s privacy and data protection measures through mid-March, Drieu says.
The defendants falsely represented that Zoom used end-to-end encryption, a security measure that prevents third parties from reading or modifying data, according to the complaint.
In addition, the company wrongfully relied on boilerplate representations and risk warnings in offering documents and SEC filings throughout 2019 and early 2020 that were not tailored to Zoom’s known cybersecurity weaknesses, the suit says.
Zoom and its executives also omitted in public filings and statements information about the company’s data-sharing practices; namely, that it was collecting and sending analytics to Facebook without giving users proper notice, the suit says.
The suit claims that the extent of Zoom’s security failings was not “laid bare” until the coronavirus outbreak, when use of the communications platform spiked and multiple news sources began to report on its deficiencies.
On April 3, financial news website The Street reported that Yuan had dumped $38 million in company stock throughout the first three months of 2020 and that other executives had similarly sold millions of shares.
The defendants allegedly violated the anti-fraud provisions in Section 10(b) of the Securities Exchange Act, 15 U.S.C.A. § 78j(b), and Securities and Exchange Commission Rule 10b-5, 17 C.F.R. § 240.10b-5.
In addition, the individual defendants acted as control persons in violation of Section 20(a) of the Securities Exchange Act of 1934, 15 U.S.C.A. § 78t(a), the complaint says.
Drieu seeks a declaratory order certifying the class; damages, including pre- and post-judgement interest; and costs associated with the action.