On May 7, 2020, the New York Attorney General announced she will not sue Zoom after it agreed to adopt enhanced data security and privacy measures to protect the data of its 300 million plus users. As COVID-19 social distancing policies radically changed the way individuals and industries communicate, Zoom saw a reported 3,000 percent increase in meeting participants per day. According to the AG, reports of privacy and data security issues soon followed, including conferences interrupted by uninvited participants (“Zoombombing”), lack of end-to-end encryption, unauthorized disclosure of users’ personal information to other users without consent, and sharing of personal information with Facebook.
The New York Attorney General has closed its investigation into Zoom after it agreed to (1) a comprehensive information security program and enhanced data security practices, (2) increased privacy controls, and (3) protection of users from online abuse, among other measures including audits. The Attorney General asserts that the agreement will protect New Yorkers and users nationwide by ensuring Zoom’s compliance with the Children’s Online Privacy Protection Act (COPPA) and New York’s statute making unlawful any deceptive acts or practices, in addition to other protective laws.
Comprehensive Information Security Program and Enhanced Data Security Practices
Zoom has agreed to implement and maintain a comprehensive data security program that will be run by the company’s Head of Security. The program will be designed to protect the security, confidentiality, and integrity of personal information that Zoom collects, receives, or processes and will include administrative, technical, and physical safeguards such as, among others:
- conducting risk assessment and software code reviews to mitigate vulnerabilities to hackers;
- enhancing encryption protocols by encrypting users’ information both in transit and as stored online on its cloud servers;
- operating a software vulnerability management program; and
- annual penetration testing.
Increased Privacy Controls
Zoom has agreed to enhanced privacy controls for free accounts and education accounts by allowing hosts to:
- control access to their video conferences by requiring a password or digital waiting room prior to accessing a meeting;
- control access to private messages in a Zoom chat;
- control access to email domains in a Zoom directory;
- control who can share screens; and
- limit participants of a meeting to specific email domains.
In addition, Zoom removed the Facebook SDK (which enabled users to log in via Facebook) and removed its LinkedIn Navigator feature to curtail unnecessary data disclosure.
Protection of Users from Abuse
Zoom agreed to continue to maintain reasonable procedures to enable users to easily report violations of Zoom’s Acceptable Use Policy and will update its policy to clarify that prohibitions against abusive conduct include hatred against others based on race, religion, ethnicity, national origin, gender, or sexual orientation.