
FTC finalizes settlement with Zoom

Failure to comply could bring financial penalties


The Federal Trade Commission (FTC) has finalized its settlement with video conferencing company Zoom, threatening strict penalties if the service fails to uphold government-mandated security requirements.

The FTC investigated Zoom last year and complained that it had misled users by claiming to offer end-to-end 256-bit encryption, when it actually maintained the encryption keys. The company also stored unencrypted meeting data on its servers for up to 60 days before moving it to secure cloud storage, the complaint said.

The FTC also alleged Zoom secretly installed software bypassing anti-malware protections for Mac users and left it there, even after users deleted the Zoom app.

Zoom's original settlement with the FTC in November 2020 required the company to tighten its security controls. The FTC still had to publish a description of the consent agreement package in the Federal Register and allow 30 days for public comment, after which it was permitted to issue the final order.

The order forbids Zoom from misrepresenting the service's security features or controls. It also mandates an information security program, under which the company puts safeguards in place to protect individuals' data, which the order calls Covered Information.

If a data breach occurs, Zoom must assess any risks to data security that the breach caused. It must also implement a security review of any new meeting services or updates to existing ones and conduct a quarterly vulnerability scan.

The company must also use a range of technical protections to shield user data from snoopers. These include a randomized naming system when saving video recordings on users' local devices, strong password authentication, and the use of automated tools and rate-limiting to detect bots and brute-force attacks.

The final order also makes direct reference to data encryption, calling for "protections, such as encryption, tokenization, or other same or greater protections, for Covered Information collected, maintained, processed, or stored by Respondent, including in transit and at rest."

The lack of end-to-end encryption was especially worrying given Zoom routes some information through Chinese servers, which the University of Toronto's Citizen Lab revealed in a report on the company's security practices. Zoom suspended three user accounts for hosting meetings on topics disagreeable to the Chinese government.

Zoom has already begun making some changes. The company bowed to pressure from privacy activists in June 2020, announcing it would offer end-to-end encryption to all users, not just paying ones. It began offering that feature in a technical preview last October.

If Zoom violates this final consent order, each violation could incur up to a $43,280 civil penalty, the FTC warned in its original settlement announcement.
