FTC requires video conferencing provider to improve security safeguards
On November 9, the FTC announced a settlement with a video conferencing provider, resolving allegations that the company violated the FTC Act by misleading users about the level of encryption and security protecting communications during meetings. The FTC’s complaint alleges that, since at least 2016, the company engaged in a series of deceptive and unfair practices by claiming to offer end-to-end encryption for users’ communications and, according to the FTC’s press release, “tout[ing] its level of encryption as a reason for customers and potential customers to use [its] videoconferencing services.” The FTC contends that the company in fact secured meetings with a lower level of encryption than promised, one that left the company itself with access to the contents of users’ meetings, including sensitive personal information. Users who chose to store recorded meetings in the company’s cloud storage were told that recordings were encrypted immediately, but in certain instances unencrypted recordings were allegedly kept on company servers for up to 60 days before being transferred to the secure cloud storage. In addition, the company allegedly compromised some users’ security by secretly installing software that allowed a user to join a meeting while bypassing a browser safeguard designed to protect users from a common type of malware. According to the FTC, the company, among other things, failed to implement any measures to protect users’ security, failed to monitor service providers who had access to its network, lacked a systematic process for incident response, and allegedly increased users’ risk of remote video surveillance by strangers.
The proposed settlement order requires the company to (i) assess and document security risks; (ii) develop ways to manage and safeguard against such risks; (iii) deploy additional methods, including multi-factor authentication, to protect against unauthorized access of the network; and (iv) take other steps, such as implementing data deletion controls and preventing known compromised user credentials from being used. Company personnel must also review any software updates for security flaws to “ensure the updates will not hamper third-party security features.” Furthermore, the company is prohibited from misrepresenting its privacy and security practices, and is required to obtain biennial third-party assessments of its security practices (which the FTC has the authority to approve) and notify the FTC if it experiences a data breach.