- Last week Zoom and New York Attorney General Letitia James came to an agreement to implement additional security guardrails, according to an announcement from the AG's office.
- After the AG launched an investigation about five weeks ago, Zoom agreed to implement a comprehensive data security program designed and managed by its head of security. Zoom is expected to perform routine risk assessments of code and "enhance its encryption protocols by encrypting users' information, both in transit and as stored online on their cloud servers," according to the announcement.
- From the privacy perspective, Zoom is expected to provide all hosts default access control, including those with free accounts. The company has also reduced the user data it shares with Facebook and shut down the LinkedIn Navigator feature.
When everyone — schools, businesses, governments — shifted to online work this spring, Zoom took on a lot of new users and heat. But the platform has also become a crucial part of maintaining normalcy and productivity, showcased by steady growth in platform activity. The platform hosted 300 million daily meeting participants last month, up from 200 million in March.
Because "Zoom-bombing" interrupted virtual workspaces, including elementary schools, "these were upsetting incidents and gained much publicity," Cynthia Larose, member and chair of Mintz's Privacy and Cybersecurity Practice, told CIO Dive. Zoom's rapid growth "magnified problems that were there before the COVID outbreak and that Zoom was already aware of."
Though Zoom stopped sharing user data with other parties, including Facebook, there's a lingering question of if or how the company violated consumer rights protected by the California Consumer Privacy Act. "Any business covered by the CCPA, communications platforms or otherwise, should be well into its compliance program by now," said Larose.
Like Zoom, Cisco clarified any collection of meeting transcripts are for the users' records, not for company use. Consumer Reports included evaluations of Google Hangout, Meet and Microsoft's Teams and Skype, concluding users should "assume you're being recorded" and adopt third-party privacy solutions.
As Zoom carries out its agreements with the AG, the company has to submit its annual data security assessment report "for the term of the agreement," according to the announcement. The settlement agreement "provides another roadmap for companies to reference in their own privacy and security assessments," according to Larose.