Amidst multiple investigations into the privacy and security practices at Zoom Video Communications (“Zoom”), New York Attorney General Letitia James recently announced a settlement agreement with Zoom after the failings of the platform were brought to light by the spike in Zoom video conference participants amid the COVID-19 pandemic.
With the outbreak of COVID-19, countless schools and businesses turned to Zoom to conduct their day-to-day operations. By April 2020, Zoom hosted approximately 300 million daily meeting participants on its platform – compared to just 10 million daily meeting participants in January – which amounted to a 3000% increase. This exponential increase in users exposed Zoom’s security and privacy flaws, including Zoom’s lack of end-to-end encryption, leakage of users’ personal information, and Zoom’s sharing of users’ personal information with Facebook. We previously wrote about Zoom’s alleged privacy and security failures here.
“Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections,” said Attorney General James in the press release announcing the settlement agreement. The settlement agreement recognized that Zoom fully cooperated with the investigation and acted quickly to address identified issues.
Describing the settlement, Attorney General James noted, “This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call.” Among other things, the agreement requires Zoom to implement the following security measures:
- Zoom will designate a Head of Security who will implement and maintain a comprehensive information security program to protect the security, confidentiality, and integrity of the personal information Zoom collects, receives or processes. The program will, among other things, identify internal and external risks to the security and integrity of users’ personal information, implement reasonable safeguards to control those risks, and establish a security code review process to identify and remediate common security vulnerabilities.
- Zoom will enhance its encryption and security protocols by encrypting all personal information (both in transit and as stored online on Zoom’s cloud servers) and upgrading its protocols as industry standards evolve.
- Zoom will also develop and maintain reasonable procedures to deal with credential stuffing attacks, including providing a more robust evaluation process for password resets.
- Zoom will comply with industry standards for preserving user security when Zoom bypasses operating system security measures.
- Zoom will continue to operate a vulnerability management program to address known vulnerabilities and fix new vulnerabilities.
- Zoom will offer educational materials about privacy controls, and enhance privacy controls for free accounts as well as K-12 education accounts, giving users control over access to their video conferences, private messages in the Zoom chat, and email domains in a Zoom directory.
- Zoom is required to provide a copy of its annual SOC 2 report to the Attorney General, and implement a risk-based penetration-testing program.
- Zoom will maintain a bug bounty program for the public to report vulnerabilities in Zoom’s platform, along with a portal for users, consumer advocates and watchdog groups to submit complaints pertaining to privacy and security concerns.
- Zoom will continue to take steps to stop sharing users’ data with third-party social media platforms, including Facebook and LinkedIn.
Zoom’s settlement agreement with the New York Attorney General follows the company’s separate agreement with the New York City Department of Education (NYC DOE), whereby the company will enhance protections for city schools, students, and educators after the NYC DOE halted the use of Zoom across the city’s digital classrooms in April. The settlement officially closes the New York investigation into Zoom, and the company neither admits nor denies the allegations. Hackers have continued to target remote workers using Zoom during the pandemic; the latest campaign involves fake Zoom videoconference meeting notifications.
Companies should consider the security measures prescribed by the settlement agreement to be meaningful guidance as to the New York Attorney General’s privacy and security expectations.