The FTC Reaches a Settlement with Zoom over Deceptive and Unfair Data Security Practices - Clarip Privacy Blog

The FTC Reaches a Settlement with Zoom over Deceptive and Unfair Data Security Practices

Federal Trade Commission

Since the beginning of the COVID-19 pandemic, the web-conferencing platform Zoom has been a popular go-to resource for online meetings, conferences, and virtual classrooms. The number of Zoom users skyrocketed from 10 million in December of 2019 to 300 million in April of 2020. As its popularity soared, the platform was criticized extensively over its privacy and security policies and practices, and it found itself on the receiving end of regulatory actions as well as civil litigation.

On November 9, the Federal Trade Commission announced a settlement with Zoom that will require the company to implement a robust information security program, resolving allegations that it engaged in a series of deceptive and unfair practices in violation of Section 5(a) of the Federal Trade Commission Act.

Specifically, the FTC’s Complaint alleges that Zoom misled its users by asserting that it offered “end-to-end, 256-bit encryption” of their communications when in fact Zoom itself held the cryptographic keys, which could allow it to access the content of users’ meetings. Furthermore, Zoom Meetings were secured with a lower level of encryption than promised.

Zoom also falsely claimed that recorded meetings on the company’s cloud storage were encrypted immediately after the meeting when in fact some recordings were stored unencrypted on the company’s servers for up to two months.

The FTC further alleged that Zoom compromised the security of its users when it secretly installed software, called the ZoomOpener web server, as part of an update for its Mac desktop application. The ZoomOpener web server allowed Zoom to bypass an Apple Safari browser safeguard that protected users from a common type of malware. Furthermore, ZoomOpener remained on users’ computers even after they deleted the Zoom application and could even automatically reinstall the Zoom app.

As part of the settlement, Zoom will be mandated to implement a comprehensive information security program which will require it to assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks; implement a vulnerability management program; deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials.

Zoom will also be obligated to review software updates for security flaws and to ensure that updates do not impede third-party security features, and it will be prohibited from making misrepresentations about its privacy and security practices, its security features, and the extent to which users can control the privacy or security of their personal information. In addition, the company will be required to obtain biennial assessments of its security program by an independent third party approved by the FTC and will have to notify the FTC in case of a data breach.
