January 19, 2021

Volume XI, Number 19

Zoom Settles with FTC Over Deceptive Security Claims

On November 9, 2020, the Federal Trade Commission announced it had entered into a consent agreement (the “Proposed Settlement”) with Zoom Video Communications, Inc. (“Zoom”) to settle allegations that the video conferencing provider engaged in a series of unfair and deceptive practices that undermined the security of its user base, which, according to the FTC, has grown from 10 million users in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.

According to the FTC complaint, since at least 2016, Zoom misled users by promising it offered “end-to-end, 256-bit encryption” to secure users’ Zoom meetings when it actually provided a lower level of encryption. The FTC also alleged that Zoom engaged in other unfair and deceptive practices in violation of the FTC Act, including maintaining the cryptographic keys that could allow it to access the content of its customers’ meetings, storing some meeting recordings unencrypted on its servers for up to two months, and failing to disclose that it installed a web server on users’ computers to allow them to enter into meetings faster. The complaint states that Zoom’s misleading claims gave users a false sense of security, especially for those who used the platform to discuss sensitive topics such as health and financial information.

As part of the Proposed Settlement, Zoom agrees to implement a comprehensive security program that includes a number of security measures, such as:

  • assessing and documenting on an annual basis any potential security risks and developing ways to safeguard against such risks;

  • implementing a vulnerability management program;

  • deploying safeguards such as multi-factor authentication, instituting data deletion controls, and taking steps to prevent the use of known compromised user credentials; and

  • reviewing software updates for security flaws and ensuring that updates will not hamper third-party security features.

Zoom also is prohibited from misrepresenting its privacy and security practices, and must obtain biennial assessments of its security program by an independent third party.

The FTC indicated that it will publish a description of the consent agreement package in the Federal Register soon, after which the agreement will be subject to public comment for 30 days.

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume X, Number 315