The New York Attorney General has entered into a settlement agreement with Zoom Video Communications concerning Zoom’s privacy and data security practices. NY Attorney General Letitia James explained that “while Zoom has provided an invaluable service [during the coronavirus pandemic], it unacceptably did so without critical security protections…This agreement puts protections in place so that Zoom users have control over their privacy and security.”
In addition to highlighting that Zoom must comply with applicable state and federal law, the agreement mandates (i) the designation of a Head of Security and employees to coordinate security compliance, and (ii) the implementation of a comprehensive information security program that is reasonably designed to protect the security, confidentiality and integrity of personal information collected, received or processed by Zoom.
Furthermore, it requires Zoom to: (a) encrypt personal information; (b) upgrade its security protocols and encryption as industry standards evolve; (c) provide educational materials regarding privacy controls and provide user controls for consumers, K-12 students, and universities; and (d) maintain an open channel of communication for consumer complaints and reports of vulnerabilities. Zoom also agreed to take measures to stop sharing user data with third party social media platforms, and to update and clarify its Acceptable Use Policy.
In the agreement, which NYAG stated its willingness to accept in lieu of commencing a statutory proceeding, Zoom is credited with cooperating in NYAG’s investigation, responding quickly to remediate security vulnerabilities, and taking steps to enhance privacy and security features.