In 2021, Zoom faced a **$85 million class-action lawsuit settlement** due to allegations of **wrongful data sharing with third parties** and inadequate measures to prevent **unauthorized meeting disruptions ('Zoombombing')**. The lawsuit did not involve a traditional cyber breach, hacking, or data exfiltration but centered on **violations of privacy laws**, including improper handling of user data and failure to disclose tracking practices transparently. Plaintiffs argued that Zoom collected, shared, and mishandled personal information without proper consent, violating statutes like the **California Invasion of Privacy Act (1967)** and **federal wiretapping laws**. The case highlighted **non-breach privacy risks**, where companies face legal and financial repercussions for **non-compliance with data protection regulations** rather than direct cyberattacks. The settlement underscored the growing threat of **privacy litigation** tied to website tracking, data collection, and regulatory non-adherence, even without a security incident.
Source: https://www.businessinsurance.com/cyber-policies-evolve-with-data-privacy-risks/
Zoom cybersecurity rating report: https://www.rankiteo.com/company/zoom
```json
"id": "ZOO35103935112525",
"linkid": "zoom",
"type": "Breach",
"date": "6/1967",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
```
```python
{'affected_entities': [{'customers_affected': 'Millions (class-action '
                                              'plaintiffs)',
                        'industry': 'Technology (Video Conferencing)',
                        'location': 'San Jose, California, USA',
                        'name': 'Zoom Video Communications',
                        'size': 'Large (Enterprise)',
                        'type': 'Public Company'},
                       {'industry': ['Online Retail',
                                     'Technology',
                                     'Any Data-Collecting Entity'],
                        'location': 'Global (Primarily USA, EU)',
                        'name': 'Unspecified Companies (General)',
                        'type': ['Public', 'Private', 'SMEs']}],
 'customer_advisories': ['Companies should disclose data collection practices '
                         'transparently.',
                         'Users may request data deletion under laws like '
                         'California AB 656.'],
 'description': 'Companies face cyber exposures and lawsuits due to violations '
                'of federal/state privacy laws in data collection, handling, '
                'or sharing—without a traditional security breach. Examples '
                "include Zoom's $85M settlement (2021) for sharing user data "
                "with third parties and failing to prevent 'Zoombombing.' "
                'Rising privacy regulations (e.g., California AB 656, '
                'GDPR-like state laws) and plaintiff lawsuits (e.g., under '
                'VPPA, BIPA, or wiretapping statutes) exacerbate risks. '
                'Insurers vary in covering non-breach privacy claims, with '
                'some offering base coverage, endorsements, or exclusions. '
                'Mitigation strategies include auditing website tracking '
                'tools, updating privacy policies, and opt-in consent banners.',
 'impact': {'brand_reputation_impact': 'High (due to publicized lawsuits and '
                                       'regulatory scrutiny)',
            'customer_complaints': ['Class-Action Lawsuits',
                                    'Privacy Violations'],
            'financial_loss': '$85M (Zoom settlement, 2021)',
            'legal_liabilities': ['Class-Action Settlements',
                                  'Regulatory Fines (Potential)',
                                  'Statutory Damages'],
            'operational_impact': ['Legal Defense Costs',
                                   'Reputation Damage',
                                   'Compliance Overhead']},
 'investigation_status': 'Ongoing (Industry-Wide Trend)',
 'lessons_learned': ['Non-breach privacy risks (e.g., wrongful data '
                     'collection/sharing) are as critical as traditional '
                     'breaches.',
                     'Proactive website audits (e.g., tracking tools, pixels) '
                     'reduce litigation risks.',
                     'Clear privacy policies and opt-in consent mechanisms are '
                     'essential for compliance.',
                     'Cyber insurance coverage for non-breach privacy claims '
                     'varies widely; policy reviews are critical.',
                     'Regulatory proliferation (e.g., state-level GDPR-like '
                     'laws) increases plaintiff opportunities.'],
 'motivation': ['Financial Gain (Litigation)',
                'Regulatory Enforcement',
                'Consumer Protection'],
 'post_incident_analysis': {'corrective_actions': ['Enhanced privacy policy '
                                                   'disclosures.',
                                                   'Removal of non-essential '
                                                   'tracking tools.',
                                                   'Opt-in consent mechanisms '
                                                   'for data collection.',
                                                   'Regular compliance audits '
                                                   '(e.g., annual privacy '
                                                   'policy reviews).',
                                                   'Collaboration with '
                                                   'insurers for risk '
                                                   'mitigation.'],
                            'root_causes': ['Lack of transparency in data '
                                            'collection/sharing (e.g., Zoom).',
                                            'Overuse of tracking technologies '
                                            '(e.g., pixels) without consent.',
                                            'Non-compliance with evolving '
                                            'privacy regulations (e.g., BIPA, '
                                            'VPPA).',
                                            'Inadequate privacy policy '
                                            'disclosures.']},
 'recommendations': ['Conduct annual reviews of website tracking technologies '
                     '(e.g., pixels, cookies).',
                     'Implement opt-in consent banners for data collection.',
                     'Update privacy policies to align with evolving '
                     'regulations (e.g., CCPA, BIPA).',
                     'Work with insurers/underwriters to assess non-breach '
                     'privacy exposures.',
                     'Use AI tools to audit privacy policies for required '
                     'disclosures.',
                     'Remove unnecessary data collection tools lacking clear '
                     'business justification.',
                     'Monitor regulatory changes (e.g., California AB 656) and '
                     'adjust compliance programs.'],
 'references': [{'source': "Business Insurance - 'Non-breach privacy exposures "
                           "a growing concern'"},
                {'source': 'Zoom $85M Class-Action Settlement (2021)'},
                {'source': 'California AB 656 (2023)',
                 'url': 'https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB656'},
                {'source': 'Video Privacy Protection Act (VPPA, 1988)'},
                {'source': 'Illinois Biometric Information Privacy Act (BIPA, '
                           '2008)'}],
 'regulatory_compliance': {'fines_imposed': ['$85M (Zoom settlement)',
                                             'Potential fines under BIPA/VPPA'],
                           'legal_actions': ['Class-Action Lawsuits',
                                             'Regulatory Investigations'],
                           'regulations_violated': ['California Invasion of '
                                                    'Privacy Act (1967)',
                                                    'Federal Video Privacy '
                                                    'Protection Act (VPPA, '
                                                    '1988)',
                                                    'Illinois Biometric '
                                                    'Information Privacy Act '
                                                    '(BIPA, 2008)',
                                                    'State Wiretapping '
                                                    'Statutes',
                                                    'California AB 656 (2023, '
                                                    'Social Media Data '
                                                    'Deletion)',
                                                    'GDPR-like State Laws '
                                                    '(e.g., CCPA)'],
                           'regulatory_notifications': ['California AB 656 '
                                                        'Compliance',
                                                        'GDPR/EU-Aligned State '
                                                        'Laws']},
 'response': {'communication_strategy': ['Public Settlements (e.g., Zoom)',
                                         'Regulatory Disclosures'],
              'enhanced_monitoring': ['Website tracking technology scans '
                                      '(e.g., by Travelers)'],
              'recovery_measures': ['Legal Defense Strategies',
                                    'Compliance Program Enhancements'],
              'remediation_measures': ['Removal of unnecessary tracking tools '
                                       '(e.g., pixels)',
                                       'Annual privacy policy updates',
                                       'Opt-in consent banners on websites',
                                       'AI-driven privacy policy audits'],
              'third_party_assistance': ['Cyber Insurers (e.g., Resilience, '
                                         'Axa XL, Travelers)',
                                         'Legal Counsel',
                                         'Privacy Consultants']},
 'stakeholder_advisories': ['Cyber insurers recommend proactive privacy risk '
                            'assessments.',
                            'Legal counsel advises on compliance with '
                            'state/federal privacy laws.',
                            'Underwriters focus on website data '
                            'collection/sharing practices.'],
 'threat_actor': ['Plaintiff Attorneys', 'Regulatory Bodies'],
 'title': 'Non-Breach Privacy Exposures and Lawsuits in Cyber Insurance',
 'type': ['Privacy Violation',
          'Regulatory Non-Compliance',
          'Class-Action Lawsuit']}
```