Allegations
Zoom engaged in deceptive practices by misleading users about the encryption protecting its services. Zoom repeatedly told users that it offered "end-to-end, 256-bit encryption" to secure their communications. In fact, Zoom did not provide genuine end-to-end encryption and instead used a lower level of encryption. Moreover, Zoom itself held the cryptographic keys, which allowed it to access the content of its users' meetings; encryption in which the service provider holds the keys is, by definition, not end-to-end.
Zoom also did not disclose to its users that it installed software called ZoomOpener as part of its update on Mac devices in
Security Requirements
Under the settlement terms, Zoom must make several adjustments to build a more robust security program. These adjustments include the following.
First, it must assess and annually document any potential internal and external security risks. The annual assessment must be provided to the board of directors or governing body, or if none exists, to a senior officer responsible for the security program. A senior corporate manager, or other senior officer, must provide an annual certification to the
Second, Zoom must implement a vulnerability management program. This includes conducting vulnerability scans of Zoom's networks and systems at least once a quarter and maintaining policies to promptly remediate or mitigate any critical or high severity vulnerability (no later than thirty days after the vulnerability is detected).
Third, Zoom must deploy the following safeguards: multi-factor authentication to prevent unauthorized access to its network; data deletion controls; and controls to prevent the use of known compromised user credentials. In addition, Zoom must notify the
Fourth, Zoom personnel must receive security training at least annually. Training requirements also cover secure software development principles, including secure engineering and defensive programming concepts for developers and engineers. Zoom security personnel are also required to review software updates for security flaws and must ensure that updates do not hamper third-party security features. When reviewing for security flaws, Zoom security personnel must check for commonly known vulnerabilities, including those identified by the
Fifth, Zoom must obtain biennial assessments of its security program by an independent third party, which the
What's Next
The
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq Ltd, 2020 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source