HIPAA and Compliance News

Zoom Settles with NY AG Over COVID-19-Related Privacy, Security Issues

As COVID-19 drove Zoom participation up 2,000 percent, reports found serious privacy and security risks in the platform; the New York AG settlement will enforce security controls requirements.

Zoom videoconferencing privacy and security risks cybersecurity controls risk management investigation

By Jessica Davis

- Zoom settled with New York Attorney General Letitia James on May 7, following a state-led investigation into the videoconferencing platform. James launched an investigation after a number of privacy and security failings were brought to light by the spike in Zoom participants amid the COVID-19 pandemic.

“Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections,” James, said in a statement. “As the coronavirus continues to spread across New York State and this nation and we come more accustomed to our new normal, my office will continue to do everything in its power to help our state’s residents and give them every tool to continue living their lives.”

In January, Zoom averaged about 10 million daily meeting participants, which skyrocketed 2,000 percent to approximately 200 million daily participants after the national emergency declaration and use of the platform was offered for free or reduced cost to schools, healthcare, and others in need.

For healthcare, the Office for Civil Rights listed the Zoom platform as an acceptable tool to use for telehealth amid the pandemic.

But as the number of participants increased, the privacy and security risks became more apparent. Earlier this year, it was discovered Zoom automatically shared some data with Facebook, which Zoom promptly corrected.

READ MORE: New COVID-19 Phishing Campaigns Target Zoom, Skype User Credentials

Hackers have also continued to leverage the platform’s popularity targeting its domains, users, and even meetings, with “Zoombombing” attacks, where unauthorized users gain access and disrupt private meetings. Reports have also shown the platform does not employ end-to-end encryption for all use cases.

In response, Sen. Richard Blumenthal, D-Connecticut launched an inquiry into the platform. Zoom has acknowledged some of its shortcomings, noting the platform was not prepared to handle such an increase in traffic. All feature development has been halted and Zoom enacted a CISO Council, while it focuses on these privacy and security issues.

According to the settlement obtained by New York, Zoom fully cooperated with the NY AG and responded quickly to identified privacy and security concerns. Those measures included changing default settings, adding features to bolster user privacy, and removing questionable features that could impact privacy.

Further, the latest Zoom 5.0 platform does address many outstanding issues, including implementing 256-bit GCM encryption standard.

The agreement secured by New York with require Zoom to continue to implement protections that will give users better control over their privacy and security. The vendor will need to comply with state law and not misrepresent the collection, maintenance, and safeguarding of users’ personal data and regulate the “abusive activity” on the platform.

READ MORE: Zoom Enacts CISO Advisory Board, as COVID-19 Fuels Privacy Issues

Zoom must also continue to designate a head of security, who will report to the CEO on a quarterly basis and semi-annually to the board of directors. The security head will be tasked with implementing and maintaining a comprehensive information security program able to secure and maintain confidentiality of personal user data collected, received, and processed by Zoom.

The program must be fully documented in writing and include administrative, technical, and physical safeguards, such as identifying both internal and external risks to the confidentiality and integrity of user data and performing an assessment of the effectiveness of the safeguards established to control risk.

Zoom must implement reasonable safeguards to control all risks identified in the assessment and perform routine testing or monitoring of the safeguards’ effectiveness, including the controls, systems, and procedures.

It will also need a security code review process “to identify and remediate common security vulnerabilities.” The information security program will also need to be evaluated and adjusted in response to the testing or monitoring required by the settlement.

Zoom has agreed to implement “reasonable encryption and security protocols,” including for all data at rest in persistent storage in its cloud servers, as well as all personal data in transit “where the user fails to utilize a Zoom app or Zoom software for the transmission.” Encryption and security will need to be upgraded as industry standards evolve.

READ MORE: Zoom Domains Targeted by Hackers, as Use Surges with COVID-19

The settlement also requires Zoom implement procedures to address credential stuffing attacks, including whether a login request is made by an actual user or through automation. The platform will also need automatic password resets for any affected credentials.

Industry standards will now be required for user security when operating system security measures are bypassed. And the company will need to continue operating a vulnerability management program, which must include promptly addressing known vulnerabilities.

The settlement also included a host of privacy requirements, such as continuing to offer educational materials about privacy controls, while maintaining “reasonable user-facing controls for users who create free accounts,” including access controls and allowing the host to control who can share screens.

“Zoom has implemented and shall continue to maintain a risk-based penetration-testing program reasonably designed to identify, assess and remediate security vulnerabilities, which shall include at least one annual white box penetration test,” according to the settlement.

“Zoom shall continue to maintain a portal for users, consumer advocates and watchdog groups to submit complaints involving privacy and data security concerns. Zoom shall review all complaints within a reasonable time after receipt,” it continued.

The settlement officially closes the investigation into Zoom but does not imply the company admits or denies the allegations. The hope is that Zoom can readily bolster the privacy and security of its platforms, as hackers have continued to target remote workers using Zoom during the pandemic. The latest campaign leverages fake Zoom videoconferencing meeting notifications.