FTC Zoom Settlement Requires Upgrades to Security

The Federal Trade Commission (FTC) recently announced a settlement with Zoom Video Communications, Inc. (Zoom) after allegations that Zoom misled users through deceptive and unfair practices that made users believe their communications were more secure than they actually were.

Allegations

Zoom engaged in deceptive practices by misleading users about the encryption protection provided on its services. Zoom continually emphasized to its users that it offered “end-to-end, 256-bit encryption” to secure users’ communications over its services. However, Zoom did not maintain legitimate end-to-end encryption and instead provided a lower level of encryption. In addition, Zoom maintained keys that allowed it to access the content of its users’ meetings.

Zoom also did not disclose to its users that it installed software called ZoomOpener as part of its update on Mac devices in July 2018. ZoomOpener allowed Zoom to bypass an Apple Safari browser safeguard that normally would have provided users with a warning box prior to launching the Zoom app. The ZoomOpener would remain on users’ computers even when users deleted the Zoom app. Apple removed ZoomOpener from users’ devices through an automatic update in July 2019.

Security Requirements

Under the settlement terms, Zoom must make several adjustments to build a more robust security program. These adjustments include the following.

First, Zoom must assess and annually document any potential internal and external security risks. The annual assessment must be provided to the board of directors or governing body, or if none exists, to a senior officer responsible for the security program. A senior corporate manager, or other senior officer, must provide an annual certification to the FTC that the settlement requirements have been implemented and continue to be maintained. The certification must be based upon the senior corporate manager’s personal knowledge. This is consistent with recent FTC rulings that require engagement on privacy and security issues at the board level.

Second, Zoom must implement a vulnerability management program. This includes conducting vulnerability scans of Zoom’s networks and systems at least once a quarter and maintaining policies to promptly remediate or mitigate any critical or high severity vulnerabilities (no later than thirty days after the vulnerability is detected).

Third, Zoom must deploy the following safeguards: multi-factor authentication to prevent unauthorized access to its network; data deletion controls; and management to prevent the use of known compromised user credentials. In addition, Zoom must notify the FTC if it experiences a data breach.

Fourth, Zoom personnel must receive security training on at least an annual basis. Training requirements also include secure software development principles, including secure engineering and defensive programming concepts for developers and engineers. Zoom security personnel are also required to review software updates for security flaws and must ensure that updates do not hamper third-party security features. When reviewing for security flaws, Zoom security personnel are required to review commonly known vulnerabilities, including those identified by the Open Web Application Security Project and the National Vulnerability Database.

Fifth, Zoom must obtain biennial assessments of its security program by an independent third party, which the FTC has authority to approve. The assessments involve a review of any gaps or weaknesses in, or instances of material noncompliance with, the settlement requirements, as well as a review of specific documents and interviews. The biennial assessments will continue for a period of twenty years, which is the length of the settlement order.

What’s Next

The FTC will take public comments for thirty days on the proposed settlement. The proposed settlement can be found in its entirety here.
