Zoom Shareholder Litigation as COVID-19 Exposes Online Service’s Security Risks

By Stephanie Resnick and John C. Fuller
May 8, 2020

 

While much of the country remains under work and travel restrictions designed to contain the spread of COVID-19, lawsuits continue to be filed and a recent action filed against Zoom Video Communications, Inc. may be a cautionary tale for directors and officers about litigious landscape of our “new normal.” As Zoom — and every business — has experienced, the COVID-19 pandemic is placing unprecedented stresses on companies, their managers and their resources. How directors and officers help management plan for, communicate, and implement the corporate response to the virus is the key to limiting potential legal claims from disgruntled stakeholders.

Zoom, a provider of video conferencing communications, has become a household name during the COVID-19 pandemic. To conduct business meetings, attend classes, and hold virtual social gatherings, Zoom has become a constant in many American homes. Zoom’s CEO recently stated that Zoom’s daily active users had grown from 10 million in December 2019 to over 200 million in April 2020.

Unfortunately, just as Zoom started to become ubiquitous in-home offices around the country, flaws in its data security came to light on a national scale. The phenomenon of “zoombombing” —hackers entering business and personal Zoom meetings without authorization — led numerous organizations to use other video conferencing providers. This rapid increase in share value followed by a relative decline after data security concerns arose has now led to shareholder litigation.

On April 1, 2020, Zoom shareholder Michael Drieu filed a putative class action complaint against Zoom, its CEO and CFO. Drieu alleges that deficiencies in Zoom’s encryption software were known to officers since at least July 2019, but that no action was taken to remedy the issues. Drieu further alleges that discovery of these failures — particularly as Zoom ascended to widespread use during the pandemic — directly resulted in lost share value.

Drieu alleges violations of the Exchange Act based on the defendants’ purported acts and omissions in reporting the weaknesses Zoom’s security.

Preparing for the Unknown

While few companies will experience Zoom’s stress of unprecedented demand for their services during the COVID-19 pandemic, all companies will face novel strains and challenges on their workforce and corporate resources.

All directors and officers need to anticipate the stress both the pandemic and likely recession will place on their organizations. Among the risks that Directors and Officers should be examining are: liability relating directly to contamination, business interruption preparedness, post-pandemic planning and ensuring that the company does not lose sight of its existing reporting obligations.

For business that are still operating to provide essential functions, the first concern is the health of employees, customers and business partners. Many states and municipalities have instituted requirements for the use of masks and some are requiring that employers provide necessary personal protective equipment as well as clean and appropriately distanced break opportunities. To the extent a company may be subject to such regulation, the board must ensure that the company is tracking regulatory changes and ensuring full compliance. Beyond mandated action; however, the Board should also examine the potential for direct liability for contamination or infection of employees or customers and the reasonable care that the company is taking to create clean and safe environments for business.

Business Interruption Planning and Communication

Most companies are experiencing some form of business interruption. If companies did not have contingency plans in place when the pandemic began, boards have been called on to develop these plans in short order. As the pandemic persists, boards need to continually update and adjust contingency plans to reflect government restrictions, potential assistance programs, and any other available information from credible sources.

In addition to addressing lost productivity and customers, contingency plans should also address potential strains on and weaknesses in data security, accounting, and supply chain, processes and technologies which may be tested as employees work remotely and existing checks and balances my falter.

In addition to contingency planning, the directors and officers need to ensure that they are effectively communicating the financial impact of any business interruptions. Boards should regularly review and revise financial forecasts and budgets as developments with the pandemic and contingency plans unfold. Unfortunately, allegations that the board failed to appreciate or disclose the financial impact of COVID-19 may form the basis of litigation once the virus subsides (or before in the case of Zoom). Therefore, effective communication of changing economic realities to internal and external stakeholders may be one of the Boards most important roles.

Planning for the “New Normal”

Directors and officers can also help managers who are dealing with the day-to-day impact of the pandemic by planning for the days when virus and containment measures subside. The COVID-19 pandemic is a not a singular catastrophe from which a company must now recover, instead gradual reopening will mean ongoing interruptions in supply chains and customer demand for months to come. Boards should consider forming a special committee to give thought to what the post-pandemic world may look like for the company. For instance, open-plan offices or co-working spaces may not be safe options for many months and necessitate longer-term remote work plans. Other industries may need to prepare for consumer shifts toward social distance and contactless transactions. Boards can play an important role in helping the company envision and adapt to a changed world.

While boards can help plan for the future, they can also help the company ensure that it does not lose sight of its existing due diligence, reporting and disclosure obligations. Boards can support management by remaining focused on financial disclosure and regulatory reporting obligations and any corporate due diligence that will come due while management is dealing with day-to-day fallout. As discussed above, maintaining communication, performing due diligence, and making appropriate disclosures to regulators and stakeholders may be one of the board’s most important functions during this challenging period.

The Zoom shareholder litigation demonstrates that even following tremendous gains because of the demand for video conferencing, a dip in share value will ultimately lead to litigation, especially if the officers and directors knew about problems with the company’s systems and did not take appropriate measures to cure any deficiencies. Unfortunately, for directors and officers who are navigating the unprecedented challenges of the pandemic, they must also prepare for legal claims from stakeholders who will hold them accountable for any misstep.

Stephanie Resnick is Chair of the Directors’ & Officers’ Liability & Corporate Governance Practice Group at Fox Rothschild, and John Fuller is a partner at Fox Rothschild.