The Zoom videoconferencing platform has been a constant fixture in recent news as the coronavirus pandemic has caused businesses around the world to flock to it, exposing significant cybersecurity and privacy concerns. These concerns drew the attention of the New York State Attorney General’s Office (“NYAG”), which initiated an investigation into the company’s cybersecurity practices in March, following a massive surge in use. The NYAG’s investigation came to a conclusion on May 7, 2020, when it reached a settlement with Zoom that will require Zoom, among other things, to enhance its practices around cybersecurity and data privacy.
The NYAG’s settlement with Zoom is set forth in a letter from the NYAG Bureau of Internet and Technology. There, the NYAG recounted a number of issues Zoom encountered as its usership increased from approximately 10 million daily participants to nearly 200 million, in the short period between January and March 2020. These issues include the leak of personal information, the collection of personal data by third parties, and uninvited Zoom conference disruptions, often driven by an intent to “harass participants on the basis of … race, gender, religion, or … membership in another historically marginalized class.” As we have written about previously on this blog, these issues have led to private suits, and a warning by the FBI about the perils of using Zoom.
To address these and other issues, Zoom agreed to implement a comprehensive information security program, to be administered and maintained by a designated Head of Security. As part of that program, Zoom will be required to:
- identify material internal and external risks that could compromise personal information, and assess any measures in place to control those risks;
- develop additional measures to mitigate the risks identified, and regularly monitor the effectiveness of the key controls, systems, and procedures associated with those measures;
- implement a “security code review process” to identify and address common security vulnerabilities, as well as a “vulnerability management program” to address known vulnerabilities, and discover and fix new ones; and
- develop reasonable encryption and security protocols in accordance with evolving industry standards.
Zoom will also offer educational materials regarding privacy controls to consumers, students, and universities, and maintain procedures that enable “easy” reporting of violations of its Acceptable Use Policy, with reports of misconduct to be investigated by Zoom. Additionally, Zoom will facilitate external monitoring of its platform, including through a portal for the submission of complaints regarding cybersecurity concerns, and a “bug bounty program” for researchers and the public to report platform vulnerabilities in exchange for financial rewards.
In its effort to enforce appropriate cybersecurity practices, the NYAG will receive copies of Zoom’s annual data security compliance audits. In recognition of Zoom’s cooperation, and its provision of valuable services to schools, local governments, and health care institutions attempting to address the obstacles created by the global pandemic, the NYAG has declined to initiate proceedings.
Notably, many of the information and data security features of the Zoom settlement are substantially similar to those recommended by New York State’s newly enacted Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act. That Act, which significantly amended New York’s data breach notification law, requires covered businesses to, among other things, implement reasonable measures to protect against the inadvertent disclosure of personal information and implement a data security program. The SHIELD Act also authorizes the NYAG to bring an action against businesses that fail to enact these measures. Examples of safeguards listed within the SHIELD Act include the implementation of a security program with a designated leader; the identification of reasonably foreseeable internal and external risks; and an assessment of the safeguards in place to address those risks. Prior posts on the SHIELD Act can be found here, here and here.
Up to this point, the New York State Department of Financial Services (“DFS”) has taken a leading role in setting cybersecurity standards. In 2017, DFS issued its Cybersecurity Regulation, designed to address cybersecurity in the banking and insurance industries. That regulation requires covered entities to certify their compliance with it, and mandates the implementation of a dedicated cybersecurity program, the designation of a Chief Information Security Officer, and an incident response plan, among other things. The breadth and scope of that regulation are extensive, and have been the subject of prior posts. But the NYAG’s settlement with Zoom seems to indicate that there may be a new sheriff in town when it comes to cybersecurity enforcement.
Either way, with the addition of the SHIELD Act, New York State has broadened the scope of its enforcement toolbox. And with the potential increase in enforcement activity, New York State appears to be taking a comprehensive approach to combatting cybersecurity and privacy concerns.
Tune in here as we continue to monitor efforts by regulators to protect what has become a largely “virtual” public.