
FTC Settlement With Zoom Sets Security Requirements

Agency Requires Comprehensive Security Program

As part of a settlement of allegations that Zoom "engaged in a series of deceptive and unfair practices that undermined the security of its users," the U.S. Federal Trade Commission is requiring the video conferencing provider to implement and maintain a comprehensive security program within the next 60 days.


The 17-page agreement announced Monday comes after allegations that Zoom did not maintain a high level of cybersecurity and misled its customers concerning the level of encryption provided for meetings, saying it was AES 256 when it was actually AES 128.

"During the pandemic, practically everyone - families, schools, social groups, businesses - is using videoconferencing to communicate, making the security of these platforms more critical than ever," Andrew Smith, director of the FTC's Bureau of Consumer Protection, says. "Zoom's security practices didn't line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected."

Zoom did not provide end-to-end 256-bit encryption for Zoom meetings as it had advertised, the FTC says. And the company misled users by claiming to immediately encrypt recorded meetings prior to storing them in its cloud storage facility.

"We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC," a Zoom spokesperson tells Information Security Media Group. "Today's resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience." (See: Zoom to Offer End-to-End Encryption for All Users)

Security Actions Required

The FTC settlement describes the steps Zoom must take, including:

  • Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
  • Implement a vulnerability management program;
  • Deploy safeguards such as multifactor authentication to protect against unauthorized access to its network, institute data deletion controls and take steps to prevent the use of known compromised user credentials;
  • Require Zoom personnel to review any software updates for security flaws and ensure the updates will not hamper third-party security features.

Although no financial penalties were issued with the settlement, the FTC says any future violations could cost Zoom up to $43,280 for each.

Surge in Popularity

When the COVID-19 pandemic began, much of the workforce shifted to remote offices and schools shifted to remote learning. This led to a surge in the use of cloud-based video conferencing and collaboration platforms, including Zoom.

During Zoom's second-quarter earnings call on Sept. 1, executives revealed that the number of corporate clients with more than 10 employees had grown by more than 400% in the past year to more than 370,000, according to MarketWatch.

Zoom executives also claimed about 300 million meetings take place on its platform daily.

This explosion in popularity also resulted in the company's security and privacy shortcomings being exposed. These included so-called "Zoom bombing" hacking incidents as well as the company inadvertently sharing users' email addresses, photos and names with Facebook by default (see: Zoom Still Addressing Security, Privacy Concerns).

Zoom's New York Settlement

In May, Zoom reached an agreement with the New York state attorney general's office that had many of the same requirements as the FTC settlement (see: Zoom's New York Settlement Spells Out Security Moves).

As part of the New York settlement, Zoom agreed to implement "reasonable encryption and security protocols," for customer and corporate data. This includes the use of end-to-end encryption for all data as well as deploying industry-standard AES-256 encryption.

About the Author

Doug Olenick


Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.
