The FTC recently approved a final settlement agreement with a multinational teleconferencing platform company over allegations that the company made numerous misrepresentations regarding the strength of the company’s privacy and security measures, including deceptive claims regarding end-to-end video encryption, and secure storage of meeting recordings.
In a complaint lodged on November 9, 2020, it was alleged that the company misled consumers through representations made about the company’s security and privacy measures employed to protect their personal information. Specifically, the company claimed to provide end-to-end encryption for its customers, ensuring that only the sender and recipient of a communication could access its contents. However, communications hosted on the company’s servers were not protected by end-to-end encryption as the company’s server’s maintained cryptographic keys, allowing the company to access the content of any of its customers’ meetings. Further, the company made representations that their platform allowed customers to record and save their teleconference meetings, claiming these recordings would be stored and encrypted once the meeting was over. In fact, it was determined that these recordings were stored, unencrypted, on the company’s servers for two months before eventually being transferred to secure cloud storage, and then being encrypted. Lastly, in 2018 the company updated its application specifically for Mac users in order to deploy a server onto the user’s computer without providing notice or obtaining user consent. The web server would be installed on the user’s computer and operate in the background, thereby circumventing existing third-party security and privacy safeguards.
The Commission received 12 comments regarding the proposed settlement with the company before voting on January 19, 2021 to finalize the settlement. Per the final Order, the company must refrain from future misrepresentations, establish and implement a comprehensive information security program within 60 days of the entry of the Order to protect the integrity of covered consumer information, and this system must be assessed by third-party professionals within the first six months of implementing the security system and then again at two-year intervals following the initial review for the next 20 years. In addition, the company must now file covered incident reports, detailing the specifics of any security incident, and submit such reports to the Commission no more than 10 days after the company notifies any federal, state, or local entity of an incident.