New York State AG Probe of Zoom Results in Enhanced Cybersecurity Practices

Patterson Belknap Webb & Tyler LLP

The Zoom videoconferencing platform has been a constant fixture in recent news as the coronavirus pandemic has caused businesses around the world to flock to it, exposing significant cybersecurity and privacy concerns.  These concerns drew the attention of the New York State Attorney General’s Office (“NYAG”), which initiated an investigation into the company’s cybersecurity practices in March, following a massive surge in use.  The NYAG’s investigation came to a conclusion on May 7, 2020, when it reached a settlement with Zoom that will require Zoom, among other things, to enhance its practices around cybersecurity and data privacy. 

The NYAG’s settlement with Zoom is set forth in a letter from the NYAG Bureau of Internet and Technology.  There, the NYAG recounted a number of issues Zoom encountered as its user base grew from approximately 10 million daily meeting participants to nearly 200 million in the short period between January and March 2020.  These issues include the leak of personal information, the collection of personal data by third parties, and uninvited disruptions of Zoom conferences, often driven by an intent to “harass participants on the basis of … race, gender, religion, or … membership in another historically marginalized class.”  As we have written about previously on this blog, these issues have led to private suits and to a warning by the FBI about the perils of using Zoom.  

To address these and other issues, Zoom agreed to implement a comprehensive information security program, to be administered and maintained by a designated Head of Security.  As part of that program, Zoom will be required to:

  • identify material internal and external risks that could compromise personal information, and assess any measures in place to control those risks;
  • develop additional measures to mitigate the risks identified, and regularly monitor the effectiveness of the key controls, systems, and procedures associated with those measures;
  • implement a “security code review process” to identify and address common security vulnerabilities, as well as a “vulnerability management program” to address known vulnerabilities, and discover and fix new ones; and
  • develop reasonable encryption and security protocols in accordance with evolving industry standards.

Zoom will also offer educational materials regarding privacy controls to consumers, students, and universities, and maintain procedures that enable “easy” reporting of violations of its Acceptable Use Policy, with reports of misconduct to be investigated by Zoom.  Additionally, Zoom will facilitate external monitoring of its platform, including through a portal for the submission of complaints regarding cybersecurity concerns and a “bug bounty program” under which researchers and members of the public can report platform vulnerabilities in exchange for financial rewards.

In its effort to enforce appropriate cybersecurity practices, the NYAG will receive copies of Zoom’s annual data security compliance audits.  In recognition of Zoom’s cooperation, and its provision of valuable services to schools, local governments, and health care institutions attempting to address the obstacles created by the global pandemic, the NYAG has declined to initiate proceedings. 

Notably, many of the information and data security features of the Zoom settlement are substantially similar to those recommended by New York State’s newly enacted Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act.  That Act, which significantly amended New York’s data breach notification law, requires covered businesses to, among other things, implement reasonable measures to protect against the inadvertent disclosure of personal information and implement a data security program.  The SHIELD Act also authorizes the NYAG to bring an action against businesses that fail to enact these measures.  Examples of safeguards listed within the SHIELD Act include the implementation of a security program with a designated leader; the identification of reasonably foreseeable internal and external risks; and an assessment of the safeguards in place to address those risks.  Prior posts on the SHIELD Act can be found here, here and here.

Up to this point, the New York State Department of Financial Services (“DFS”) has taken a leading role in setting cybersecurity standards.  In 2017, DFS issued its Cybersecurity Regulation, designed to address cybersecurity in the banking and insurance industries.  That regulation requires covered entities to certify their compliance with its requirements, which mandate the implementation of a dedicated cybersecurity program, the designation of a Chief Information Security Officer, and an incident response plan, among other things.  The breadth and scope of that regulation are extensive, and have been the subject of prior posts.  But the NYAG’s settlement with Zoom seems to indicate that there may be a new sheriff in town when it comes to cybersecurity enforcement.

Either way, with the addition of the SHIELD Act, New York State has broadened the scope of its enforcement toolbox.  And with the potential increase in enforcement activity, New York State appears to be taking a comprehensive approach to combatting cybersecurity and privacy concerns. 

Tune in here as we continue to monitor efforts by regulators to protect what has become a largely “virtual” public.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising
