FTC Settlement with Zoom Resolves Allegations of Cybersecurity Failures and Deceptive Security Practices

The U.S. Federal Trade Commission has reached a settlement with Zoom to resolve allegations that the teleconferencing platform provider misled its customers about the level of encryption it provided and failed to implement appropriate cybersecurity protections for its users.

During the pandemic, use of the Zoom platform skyrocketed, with business users and consumers adopting the platform in the millions. The platform was used by consumers to maintain contact with friends and family, while remote workers used the platform to communicate with the office and collaborate while working from home. The platform proved to be extremely popular in healthcare for providing telehealth services and in education for communicating with students.

Zoom reported in its second quarter earnings call that it had seen 400% growth in corporate clients with more than 10 employees and that around 300 million meetings were taking place each day. The massive increase in popularity attracted the attention of security researchers, who discovered multiple security vulnerabilities in the platform.

One of the main issues concerned encryption. Zoom stated on its website that the platform offered end-to-end encryption when this was not the case: meetings were encrypted, but Zoom itself was still able to access customer data. The company also claimed that AES 256 encryption was used, when the encryption was in fact only AES 128, and that recorded meetings were encrypted immediately before being stored.

Other cybersecurity issues included a Zoom software update that circumvented a browser security feature, and a lack of security protections that allowed uninvited individuals to join meetings, a practice termed Zoombombing. The company was also discovered to be sharing email addresses, photos, and users’ names with Facebook, albeit unwittingly.

The investigation by the FTC revealed Zoom had “engaged in a series of deceptive and unfair practices that undermined the security of its users.” A settlement was reached with the firm that requires the company to implement and maintain a comprehensive security program within 60 days.

The 17-page agreement details the steps that Zoom must take to ensure the security of its platform. They include conducting annual assessments on potential internal and external security risks and developing and implementing safeguards to reduce those risks to a low and acceptable level.

Zoom must also implement additional safeguards to protect against unauthorized access to its network, deploy multi-factor authentication, take steps to prevent the compromise of user credentials, and implement data deletion controls. Zoom is required to review all software updates to identify potential security flaws prior to rollout and must ensure that any new features or security measures do not interfere with third-party security features. The company must also implement a vulnerability management program.

Zoom has been prohibited from misrepresenting the security features of its platform to users, the categories of data accessed by third parties, and how data privacy and security are maintained.

Zoom must undergo a third-party audit by an independent security firm to ensure the company is complying with all requirements of the agreement and is successfully remediating risks. The agreement will last for 5 years, during which time the FTC will be monitoring Zoom for compliance.

Zoom avoided a financial penalty, but if the company is discovered to have violated the terms of the agreement or federal laws, financial penalties will be applied up to a maximum of $43,280 per violation.

“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.