On November 9, 2020, the Federal Trade Commission announced it had entered into an consent agreement (the “Proposed Settlement”) with Zoom Video Communications, Inc. (“Zoom”) to settle allegations that the video conferencing provider engaged in a series of unfair and deceptive practices that undermined the security of its user base, which, according to the FTC, has grown from 10 million users in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.
According to the FTC complaint, since at least 2016, Zoom misled users by promising it offered “end-to-end, 256-bit encryption” to secure users’ Zoom meetings when it actually provided a lower level of encryption. The FTC also alleged that Zoom engaged in other unfair and deceptive practices in violation of the FTC Act, including maintaining the cryptographic keys that could allow it to access the content of its customers’ meetings, storing some meeting recordings unencrypted on its servers for up to two months, and failing to disclose that it installed a web server on users’ computers to allow them to enter into meetings faster. The complaint states that Zoom’s misleading claims gave users a false sense of security, especially for those who used the platform to discuss sensitive topics such as health and financial information.
As part of the Proposed Settlement, Zoom agrees to implement a comprehensive security program that includes a number of security measures, such as:
- assessing and documenting on an annual basis any potential security risks and developing ways to safeguard against such risks;
- implementing a vulnerability management program;
- deploying safeguards such as multi-factor authentication, instituting data deletion controls, and taking steps to prevent the use of known compromised user credentials; and
- reviewing software updates for security flaws and ensuring that updates will not hamper third-party security features.
Zoom also is prohibited from misrepresenting its privacy and security practices, and must obtain biennial assessments of its security program by an independent third party.
The FTC indicated that it will publish a description of the consent agreement package in the Federal Register soon, after which the agreement will be subject to public comment for 30 days.