Zoom Settles with FTC Over Deceptive Security Claims
Tuesday, November 10, 2020
Zoom Settles with FTC Over Deceptive Security Claims
Print Mail Download i

On November 9, 2020, the Federal Trade Commission announced it had entered into an consent agreement (the “Proposed Settlement”) with Zoom Video Communications, Inc. (“Zoom”) to settle allegations that the video conferencing provider engaged in a series of unfair and deceptive practices that undermined the security of its user base, which, according to the FTC, has grown from 10 million users in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.

According to the FTC complaint, since at least 2016, Zoom misled users by promising it offered “end-to-end, 256-bit encryption” to secure users’ Zoom meetings when it actually provided a lower level of encryption. The FTC also alleged that Zoom engaged in other unfair and deceptive practices in violation of the FTC Act, including maintaining the cryptographic keys that could allow it to access the content of its customers’ meetings, storing some meeting recordings unencrypted on its servers for up to two months, and failing to disclose that it installed a web server on users’ computers to allow them to enter into meetings faster. The complaint states that Zoom’s misleading claims gave users a false sense of security, especially for those who used the platform to discuss sensitive topics such as health and financial information.

As part of the Proposed Settlement, Zoom agrees to implement a comprehensive security program that includes a number of security measures, such as:

  • assessing and documenting on an annual basis any potential security risks and developing ways to safeguard against such risks;

  • implementing a vulnerability management program;

  • deploying safeguards such as multi-factor authentication, instituting data deletion controls, and taking steps to prevent the use of known compromised user credentials; and

  • reviewing software updates for security flaws and ensuring that updates will not hamper third-party security features.

Zoom also is prohibited from misrepresenting its privacy and security practices, and must obtain biennial assessments of its security program by an independent third party.

The FTC indicated that it will publish a description of the consent agreement package in the Federal Register soon, after which the agreement will be subject to public comment for 30 days.

Copyright © 2024, Hunton Andrews Kurth LLP. All Rights Reserved.

Current Legal Analysis

More from Hunton Andrews Kurth

Recent N.D. Ill. Ruling Upholds Common Interest Doctrine Over Communications Between Biometric Technology Vendors and Customers
by: Julia Y. Trankiem , Torsten M. Kracht
Senators Introduce Stablecoin Bill
by: Scott H. Kimpel
FTC Poised to Finalize Noncompete Rule
by: Katherine Pauly , Kevin Hahm
EDPB Issues Opinion on Pay-Or-Consent Models
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
Supreme Court Rules that MD&A Omission Does Not Give Rise to a Claim for Securities Fraud
by: Scott H. Kimpel , James V. Davidson
UK ICO Launches Latest Installment in the AI Consultation Series
by: Hunton Andrews Kurth’s Privacy and Cybersecurity
SCOTUS Decides That A Position Transfer May Violate Title VII If An Employee is Worse Off Due to Discriminatory Reasons
by: Emily Burkhardt Vicente , Steven J. DiBeneditto Jr.
IRS Issues New Favorable Pipeline Ruling for REITs
by: George C. Howell, III , Thomas W. Ford, Jr.
Treasury Proposes Stronger CFIUS Monitoring and Enforcement Rules
by: Sevren R. Gourley , Eric R. Markus
SAFETY Act Series, Part 1: The SAFETY Act Is Powerful Protection Against Emerging Liabilities
by: Lorelie S. Masters , Kevin W. Jones

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins