FTC finalizes settlement with video conferencing company
On February 1, the FTC finalized a settlement with a video conferencing provider, resolving allegations that the company violated the FTC Act by misleading users about the levels of encryption offered for securing communications during meetings. As previously covered by InfoBytes, in November 2020, the FTC announced a proposed consent order with the video conferencing provider alleging, among other things, that the company failed to implement any measures to protect users’ security, failed to monitor service providers who had access to the network, lacked a systematic process for incident response, and increased users’ risk of remote video surveillance by strangers, even though the company “touted its level of encryption as a reason for customers and potential customers to use [its] videoconferencing services.” In a 3-2 vote, the FTC finalized the proposed settlement, which (i) prohibits the company from misrepresenting its privacy and security practices; (ii) includes a mandated information security program, which requires the company to assess and document security risks, develop ways to manage and safeguard against such risks, and deploy additional methods, including multi-factor authentication, to protect against unauthorized access to the network; and (iii) requires the company to obtain biennial third-party assessments of its security practices.
Acting Chairwoman Slaughter and Commissioner Chopra issued two dissenting statements, with Slaughter arguing that the final order does not adequately address the company’s privacy failings, nor does it require the company to provide any recourse to affected users, despite “widespread opposition” to the proposed settlement. Chopra argues the FTC “[r]ush[ed] to a final approval of [the] settlement,” and urges the FTC to “think beyond its status quo approach of simply requiring more paperwork, rather than real accountability relying on a thorough investigation.”