The Federal Trade Commission (“FTC”) announced a consent agreement with Zoom Video Communications, Inc. (“Zoom”) that requires the company to implement a comprehensive security program.
The settlement is in response to the FTC allegations that Zoom:
- Made misleading claims about the level of encryption that gave users a false sense of security, especially for those who used the company’s platform to discuss sensitive topics such as health and financial information. Zoom represented that it offered “end-to-end, 256-bit encryption” to secure users’ communications when in fact it provided a lower level of security.
- Misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended, when in fact some recordings were stored unencrypted for up to 60 days before being transferred to its secure cloud storage.
- Compromised the security of some users when it secretly installed software, called a ZoomOpener web server, as part of a manual update for its Mac desktop application in July 2018. The ZoomOpener web server allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware. Without the ZoomOpener web server, the Safari browser would have provided users with a warning box, prior to launching the Zoom app, that asked users if they wanted to launch the app.
As part of the proposed comprehensive information security program, Zoom must take specific measures aimed at addressing the problems identified by the FTC:
- assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- implement a vulnerability management program;
- deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network; institute data deletion controls; and take steps to prevent the use of known compromised user credentials;
- review all software updates for security flaws and ensure that they do not hamper third-party security features;
- refrain from making misrepresentations about its privacy and security practices, including about how it collects, uses, maintains, or discloses personal information; its security features; and the extent to which users can control the privacy or security of their personal information;
- obtain biennial assessments of its security program by an independent third party approved by the FTC; and
- notify the FTC if it experiences a data breach.
A copy of the consent can be found at: https://spelusolawoffice.com/wp-content/uploads/2020/11/1923167zoomacco2.pdf.