HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Zoom Reaches Settlement with NY Attorney General Over Privacy and Security Issues

Zoom has reached an agreement with the New York Attorney General’s office and has made a commitment to implement better privacy and security controls for its teleconferencing platform.

Zoom has proven to be one of the most popular teleconferencing platforms during the COVID-19 pandemic. In March, more than 200 million individuals were participating in Zoom meetings with usership growing by 2,000% in the space of just three months. As the number of users grew and the platform started to be used more frequently by consumers and students, flaws in the platform started to emerge.

Meeting participants started reporting cases of uninvited people joining and disrupting private meetings. Several of these “Zoombombing” attacks saw participants racially abused and harassed on the basis of religion and gender. There were also several reported cases of uninvited individuals joining meetings and displaying pornographic images.

Then security researchers started uncovering privacy and security issues with the platform. Zoom stated on its website that Zoom meetings were protected with end-to-end encryption, but it was discovered that Zoom had used AES 128 bit encryption rather than AES 256 bit encryption and its end-to-end encryption claim was false. Zoom was also discovered to have issued encryption keys through data centers in China, even though meetings were taking place between users in the United States.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Zoom used Facebook’s SDK for iOS to allow users of the iOS mobile app to login through Facebook, which meant that Facebook was provided with technical data related to users’ devices each time they opened the Zoom app. While Zoom did state in its privacy policy that third-party tools may collect information about users, data was discovered to have been passed to Facebook even when users had not used the Facebook login with the app.  There were also privacy issues associated with the LinkedIn Sales Navigator feature, which allowed meeting participants to view the LinkedIn profiles of other meeting participants, even when they had taken steps to remain anonymous by adopting pseudonyms. The Company Directory feature of the platform was found to violate the privacy of some users by leaking personal information to other users if they had the same email domain.

Zoom responded quickly to the privacy and security issues and corrected most within a few days of discovery. The firm also announced that it was halting all development work to concentrate on privacy and security. The company also enacted a CISO Council and Advisory Board to focus on privacy and security and Zoom recently announced that it has acquired the start-up firm Keybase, which will help to implement end-to-end encryption for Zoom meetings.

New York Attorney General Letitia James launched an investigation into Zoom after these security issues came to light. Under the terms off the settlement with the New York Attorney General’s office, Zoom has agreed to implement a comprehensive data security program to ensure its users are protected. The program will be overseen by Zoom’s head of security. The company has also agreed to conduct a comprehensive security risk assessment and code review and will fix all identified security issues with the platform. Privacy controls will also be implemented to protect free accounts, such as those used by schools.

Under the terms of the settlement, Zoom must continue to review privacy and security and implement further protections to give its users greater control over their privacy. Steps must also be taken to regulate abusive activity on the platform.

“This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call,” said Attorney General James.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.