When the NY AG comes a knocking … Zoom responds to privacy and security concerns. What are they? Is it enough?

As I wrote in a blog last week, Zoom meetings now require a password.  In that blog, I wondered what was causing Zoom to add this requirement at this time.  I speculated it could be a new security incident but couldn’t find any evidence of such an occurrence.  Now we know the reason was Zoom’s May 7th letter agreement with the New York Attorney General.  That agreement requires Zoom to increase its privacy controls by allowing hosts to:

  • Control access to their video conferences by requiring by default a password or waiting room before accessing a Zoom meeting;
  • Control access to private messages in a Zoom chat;
  • Control access to email domains in a Zoom directory;
  • Control who can share screens;
  • Limit participants in a Zoom meeting to specific email domains; and
  • Limit participants with accounts to the extent applicable.

Furthermore, the agreement requires Zoom to implement and maintain a comprehensive information security program that includes the following administrative, technical and physical safeguards:

  • Designation of employee(s) to coordinate and be accountable for the information security program;
  • Identification of material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction or other compromises of such information, and assessment of the sufficiency of any safeguards in place to control these risks;
  • Design and implementation of reasonable safeguards to control the risks identified through the conduct of a risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems and procedures;
  • Design and implementation of a security code review process to identify and remediate common security vulnerabilities; and
  • Evaluation and adjustment of the information security program in light of the results of the required testing or monitoring.

The agreement also requires Zoom to engage in the following additional security practices:

  • Employment of reasonable encryption and security protocols, including encrypting all personal information at rest in persistent storage on its cloud servers and encrypting all personal information in transit on the Zoom app and Zoom software;
  • Development and maintenance of reasonable procedures to address credential stuffing attacks;
  • Adherence to industry standards for preserving user security when bypassing operating system security measures; and
  • Continuing to operate a vulnerability management program to address known vulnerabilities and have reasonable safeguards to discover and fix new vulnerabilities.

The entire letter agreement between Zoom and the New York Attorney General can be found here.  In anticipation of the announcement of its agreement with the New York Attorney General, on April 27th Zoom released Zoom 5.0 which delivers

  • AES 256-bit GCM encryption
  • Report a User feature
  • New encryption icon
  • Enhanced data center information
  • Enhancements to ending/leaving meetings

Zoom’s blog announcing these and other security functionalities can be found here.
