
‘A lot of late nights’: Zoom’s compliance chief reflects on the year that was the pandemic

The pandemic tested businesses of all sizes and across all markets. But some specific companies faced unusual circumstances. Take Zoom, for example, which struggled to respond to privacy and security controversies amid exploding demand.

Zoom was founded a decade ago, reached a $1 billion valuation and "unicorn" status by 2017, and completed an initial public offering only two years later. On April 30, 2020, roughly one month after the world essentially shut down, Zoom joined the NASDAQ-100 stock index – among a small pool of tech companies deemed able to keep businesses and individuals alike connected amid the pandemic.

But with rapid growth come hurdles. Within months of the shutdowns, a string of security controversies emerged. Among them were the discovery that the app was not end-to-end encrypted as advertised, and that between 2018 and 2019 a “ZoomOpener” web server module installed on Macs bypassed Apple’s security.

Zoom met those challenges and others with a quick response. The company announced a flurry of new security efforts: it rolled out end-to-end encryption, hired former Salesforce executive Jason Lee as its new chief information security officer, and added support for two-factor authentication. Zoom also contracted with Bugcrowd to run a bounty program, and entered an agreement with the Federal Trade Commission to follow standardized processes for video file naming, personal data deletion, and investigating security events.

Did the company emerge better for it all? From a business perspective one might say yes; Zoom is now trading at more than $300 a share. But the events of the last year also reflect well upon the company culture, said Lynn Haaland, who joined Zoom as chief compliance and ethics officer in January 2020 – only months before the pandemic took hold. SC Media caught up with Haaland to get her take on the challenges and lessons learned during a year transformed by COVID-19.

You joined Zoom only two months before the world quite literally transformed. Looking back over the last year, what was the most significant shift that the company needed to make to accommodate customer demands, but also adhere to high standards of customer security and privacy protection?

Haaland: The sudden influx of users was the ultimate pressure test for us – and we had to learn fast, and are still learning, how to best serve the privacy and security of those new consumers. 

Usage of Zoom grew from 10 million meeting participants per day in December 2019 to 300 million in April 2020, and we found ourselves working around the clock to ensure that businesses, schools, and others across the world could stay secure, connected and operational. Naturally, Zoom's increased popularity among consumers and shift from a primarily enterprise product made it more of a target for bad actors, which required us to take proactive steps to protect the user experience for consumers (who do not have the benefit of large IT departments to help them optimize their security and privacy practices).

The steps we took included hiring experienced advisers to help us review and ensure best practices for consumers, updating default settings to enable more meeting security features by default, and rolling out features to help hosts more easily access in-meeting security controls – including controlling screen sharing, removing and reporting participants, and locking meetings, among other actions. We also took significant strides to directly educate users on security best practices for setting up their meetings, including via blogs, videos, and by hosting a weekly webinar to provide privacy and security updates to our community. 

Ultimately, all of these changes were just the first step for us to better serve our users. We are more committed than ever to protecting privacy and security, while delivering an exceptional product. 

How were differing demands across industries (government versus business versus consumer) managed all within a pretty short window?

A lot of late nights! As for many companies, it was a challenging time for us. But ultimately, it was a rewarding one because we all worked so closely together. It came down to Zoom having a culture that emphasizes organizational agility, flexibility and collaboration. We also worked hand-in-hand with customers, including large banks, educational institutions, government agencies and countless others to help address their nuanced needs. I think we all were especially proud of being able to support so many K-12 schools.

What are you most proud of in terms of the evolution that emerged during the last year for Zoom?

I have been most proud of Zoom’s ability to rise to the challenge. We were and are in a privileged position to be able to help, and I’m so impressed with how our team handled the massive influx of new users and the new security and privacy features and resources we implemented to help support this increased adoption.

Where we had room for improvement, we did our best to be transparent, learn and improve. Transparency is a value championed by the executive team here at Zoom. For example, when our CEO Eric [Yuan] encounters an issue, he is honest about it and seeks input from others to collaboratively develop a solution. I believe this continued commitment to transparency was integral to our successful navigation of the pandemic.

Is privacy from your perspective an internal endeavor (ensuring Zoom complies with standards and regulations) or a cooperative one with the user community? How, if at all, did your team and Zoom as a company partner with users to better ensure privacy amid this rapid surge of usage?

Both initiatives are key parts of our approach to privacy. Holistically, it’s about consistently reviewing your policies for potential areas of improvement, and making sure they’re aligned with evolving best practices. And it’s also important to continuously strive to communicate your policies as clearly and transparently as possible. 

Compliance with privacy standards and regulations is obviously critical and something we are constantly monitoring on a global basis and adapting to as needed. And we always welcome perspectives that help us go above and beyond both in terms of policy and transparency, which does include seeking feedback from the community. In fact, some of the changes we have made on the privacy front have been driven by suggestions we’ve received from industry leaders, non-profit organizations and others.

Some see the Biden administration as poised to tackle privacy regulations at a national scale. What would be your best case scenario in terms of privacy regulation, and what might you view as more challenging from a compliance standpoint?

As you might suspect, I’m not going to speculate on administration policy, but I think in general we are seeing continued movement – both domestically and abroad – towards enhanced data privacy. This is something that resonates strongly with our culture at Zoom. Privacy and security are of the utmost importance to us, so we are generally in favor of policies that move the needle towards more user protections and less non-essential data collection, while still allowing for innovation.

Of course, the biggest impact of any such regulations will be on advertising-driven businesses. Zoom does not sell advertising. Its business model is entirely different — and built on selling services to companies and people.

You spent quite a bit of time at PepsiCo prior to Zoom. I imagine the privacy priorities/demands were quite different. How might you compare and contrast your experiences and focus areas? 

The primary difference is that more of my responsibilities at Zoom are focused on ensuring we have the policies and features in place to protect the data and privacy of our customers and our users. At PepsiCo, my responsibilities were more focused on the traditional elements of an effective compliance and ethics program. But there are many similarities, too – in particular, both organizations’ commitment to a speak-up culture and lifelong learning.

Speaking up is a foundational piece of the culture here at Zoom, and it is rooted in our emphasis on caring and empathy. (Zoom's value is to care. We care for our customers, employees, company, community, and selves.) The company encourages feedback from both inside and outside of the organization. If someone outside of the company has an issue, often Eric’s first question is, “did we call them and talk to them about it?” And if an employee has a question or a concern, we are encouraged to raise it via one of many established channels at the company, as well as openly with one another. Teamwork and collaboration are at the heart of being a video communications platform, and being open to others’ concerns is critical to succeeding in those areas.

With regards to lifelong learning, both PepsiCo under Indra Nooyi and Zoom under Eric have been strong supporters of the idea that our journey as students is never over. At Zoom specifically, we have a reimbursement program for books that we purchase to grow our skillsets and worldviews. There is encouragement and an expectation of continuing to learn, reflect and push yourself to be the best that you can be.

Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.
