FTC Zooms in on Zoom’s Misrepresentations Regarding Privacy

By Bradley O. Cebeci and Jennifer Cho

When the COVID-19 pandemic began, the way we live, work, learn and socialize shifted dramatically. Rather than showing up in the classroom or in the office, or meeting at a local restaurant on the weekend, we were forced to move everything online, often through videoconferencing platforms. One such platform, Zoom, offered by Zoom Video Communications, Inc., quickly became the videoconferencing platform of choice, with its user base skyrocketing from 10 million in December 2019 to 300 million daily meeting participants in April 2020.

With that popularity came increased scrutiny of Zoom’s privacy practices and risks. After numerous reports of Zoom security vulnerabilities came to light, the Federal Trade Commission (FTC) launched its own probe into Zoom, which ultimately led to a complaint alleging that Zoom deceived consumers by making misrepresentations regarding privacy and data security.

According to the FTC’s complaint, since at least 2016, Zoom represented to customers that it offered “end-to-end, 256-bit encryption” to secure users’ communications. End-to-end encryption is a method of securing communications so that only the sender and recipient(s)—and no other person, not even the platform provider—can read the content. The FTC also pointed to Zoom’s claims on its website, in Security Guides, and in its privacy policy, that it takes “security seriously,” that it “places privacy and security as the highest priority,” and that it “is committed to protecting your privacy.” Zoom’s promises of security and privacy prompted non-traditional users of its platform, such as doctors, mental health professionals, schools, and others, to begin using Zoom’s videoconferencing services in great numbers.

However, it appears those promises turned out to be false. The FTC’s complaint alleges that Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings with a lower level of encryption than promised. The FTC also alleged that Zoom misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended. In reality, some recordings were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage. An investigation by The Washington Post found thousands of recordings of Zoom video calls unprotected and viewable on the open web, including some containing sensitive medical and financial information.

On February 1, 2021, the FTC announced that it had finalized a settlement with Zoom in connection with these allegations. The final order requires Zoom to establish and implement a comprehensive security program, which includes taking specific measures aimed at addressing the problems identified in the FTC’s complaint. For example, Zoom must assess and document, on an annual basis, any potential internal and external security risks; develop ways to safeguard against such risks; and deploy safeguards such as multi-factor authentication to protect against unauthorized access to its network. The settlement also requires Zoom to obtain biennial assessments of its security program by an independent third party and to notify the FTC if it experiences any data breach.

Given the FTC’s allegations, companies should exercise caution when describing their security measures. Certainly, companies should avoid blatant misrepresentations, but even language that implies heightened security, including statements about how highly the company values privacy, may ultimately be construed as misleading if the company’s actual practices do not match it.


Bradley O. Cebeci is a Partner, and Jennifer Cho is an Associate Attorney, with Rome & Associates, APC. Brad and Jennifer focus on Payments and Digital Marketing Law.