COVID-19 , Governance & Risk Management , Privacy
Zoom Agrees to Settle Security Lawsuit for $85 Million
Case Stems From Concerns About 'Zoom Bombing' and Other Issues
Cloud video conferencing provider Zoom has agreed to settle a consolidated class action federal lawsuit for $85 million as well as reform its security and data privacy practices, according to court documents filed in California.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The settlement, reached Saturday, awaits final approval later this year from U.S. District Judge Lucy Koh, who presides in San Jose, California, where Zoom is based.
The lawsuit stems from users' complaints about the company's data privacy and security practices, including instances in which customers had their video conferences interrupted by "Zoom bombing," in which attackers gained access to meeting passwords or bypassed security features and disrupted the proceedings with profanity and offensive images.
During the COVID-19 global pandemic, many organizations have turned to Zoom and other tech firms for video conferencing and collaboration services, which led to an increase in hacking attempts. At one point, the U.S. Justice Department warned that prosecutors could bring federal charges against those who disrupted meetings through Zoom bombing (see: Prosecutors: 'Zoom-Bombing' Could Lead to Charges).
In April 2020, an analysis by Citizen Lab, a group based at the University of Toronto that studies surveillance and its impact on human rights, found that although Zoom advertised that it used full end-to-end encryption, the company only deployed the inadequate AES-128 encryption standard within its cloud-based videoconferencing platform.
Since then, Zoom has rolled out enhanced end-to-end encryption using the AES 256-bit standard.
The Settlement's Provisions
Under the proposed settlement, Zoom would reimburse its customers 15% on their core video conference subscriptions or $25 - whichever is larger - while other plaintiffs could receive up to $15 as part of the reimbursement plan. The settlement covers Zoom customers who subscribed to the Zoom Meetings app between May 30, 2016, and July 30, 2021. It does not apply to enterprise or government accounts.
The settlement also calls for Zoom to pay plaintiffs' attorney fees, which total over $21 million.
Zoom has also agreed to roll out additional security and privacy protections.
"For example, Zoom agreed to provide in-meeting notifications to make it easier for users to understand who can see, save and share Zoom users' information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting," according to the court papers. "Separately, Zoom will ensure that its privacy statement will disclose the ability of Zoom users to share user data with third parties via integrations third-party software, or otherwise to record meetings, and/or to transcribe meetings."
Plus, the company - for a year - will stop its integration with Facebook's software development kit for Apple's iOS for Zoom meetings. The company must also ask Facebook to delete any U.S. user data from the software platform, the court papers note.
The settlement will also require that Zoom post information to parents of K-12 children who use the platform as part of their education. The FBI has previously warned that school meetings and classrooms that use video conferencing tools could be disturbed by hacking and zoom bombing stunts as well.
Under the proposed settlement, Zoom will not have to admit any wrongdoing.
While an $85 million settlement is not as large as some of the other legal actions tech companies are facing - Amazon announced Friday that it's looking at an $885 million fine under the EU's General Data Protection Regulation - the types of injunctive relief provisions found in these settlements are starting to have an impact when it comes to privacy and security, says Steven Teppler of the law firm Mandelbaum Salsburg P.C.
"These settlements are starting to address, at least on paper, the type of attention that these entities really need to have when it comes to handling personal information," Teppler says. "For many companies, these settlements are saying that they can't look at the general population as their beta testers and rush products out to market and worry about everything else later. And that's been the approach for many of these tech companies."
Teppler also notes that by agreeing to change the ways it handles customer data and third-party access to that data, Zoom is now in closer compliance with many state privacy and data protection laws such as the California Consumer Privacy Act.
"Zoom would now have to disclose how that information is shared or sold" under CCPA, says Teppler.
Zoom's Reaction
Reacting to the settlement, a Zoom spokesperson tells Information Security Media Group: "We take seriously the trust our users place in us. We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront."
Despite concerns about privacy and security, Zoom's business has boomed during the pandemic. In its fiscal first quarter, which ended April 30, Zoom posted revenue of $956 million - up 191% compared to the same period a year earlier, and net income of $227 million, compared to just $27 million a year ago.
Other Actions
In May 2020, the New York state attorney general's office announced a settlement with Zoom in which the company agreed to provide better security and privacy controls for its videoconferencing platform (see: Zoom's New York Settlement Spells Out Security Moves).
Zoom also entered into an agreement with the U.S. Federal Trade Commission in November 2020 to improve security and data protection practices for its customers (see: FTC Settlement With Zoom Sets Security Requirements).
