Eighteen months ago, “Zooming” became a verb. Not long after that, “Zoombombing” became part of the English language, and now Zoom is paying the price. Zoom, a video conferencing platform that became a part of daily life when the pandemic hit, has settled a class action privacy lawsuit for $85 million, stemming from the Zoombombing attacks, reports The New York Times.
In addition to the hefty price tag, Zoom has agreed to improve its security protocols to protect the privacy of the platform’s users. This includes providing privacy and data handling training to its employees, notifying users when meeting participants use third-party apps during meetings, improving privacy disclosures and more closely safeguarding the personal data of its users.
14 lawsuits combined into 1
The class action privacy lawsuit, which combined 14 class action cases into one, was filed in the U.S. District Court for the Northern District of California in March 2020. The lawsuit alleged that, due to lax security practices, the privacy of Zoom users was jeopardized and personal data was shared. Hackers were able to interrupt online meetings through the screensharing feature to share inappropriate and offensive messages and images.
The lawsuit also said that Zoom shared personal user data with third-party services like Facebook, Google and LinkedIn and told users that their data was safe because of Zoom’s end-to-end encryption.
After the settlement is approved by U.S. District Judge Lucy Koh in San Jose, California, Zoom subscribers will be eligible to receive a 15% refund on their primary subscriptions, or $25, whichever is larger. Other users may be eligible for a refund of as much as $15. CNN reports that paid subscribers who were part of the class action lawsuit paid approximately $1.3 billion to Zoom in subscription fees.
Though the company denied they did anything wrong, they issued a statement citing their concern for Zoom user privacy and security.
“The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. We are proud of the advancements we have made to our platform and look forward to continuing to innovate with privacy and security at the forefront,” Zoom said.
In March 2021, Zoom filed a motion to dismiss the class action privacy lawsuit. Though Judge Koh dismissed part of the claim (allegations of invasion of privacy and negligence), other claims, including those related to contracts, remained in play.
New security and privacy measures
Since the lawsuit was filed, Zoom has taken a number of security measures to improve the platform, starting with a 90-day security plan in spring 2020 that set key milestones and measures to increase protection of users and data privacy. The changes included “robust security enhancements” in the release of Zoom 5.0, AES 256-bit GCM encryption, and a number of upgrades to user experience and controls.
“I am proud to reach this step in our 90-day plan, but this is just the beginning. We built our business by delivering happiness to our customers. We will earn our customers’ trust and deliver them happiness with our unwavering focus on providing the most secure platform,” said Eric S. Yuan, CEO of Zoom, in an April 22, 2020 news release.
In June 2020, Zoom hired Jason Lee as chief information security officer. Lee was formerly the senior VP of security operations at Salesforce; his role is to put user security and privacy first.
“Our customers’ security is extremely important and is at the core of everything we do. We are excited to welcome Jason, who has deep industry experience, understands the complexity of servicing a wide variety of users, and can lead Zoom’s efforts to strengthen the security of our platform during this time of rapid expansion,” said Aparna Bawa, Zoom’s chief operating officer.
In October 2020, Zoom announced its new end-to-end encryption (E2EE) and its availability to free and paid users for meetings with up to 200 participants.
“We’re very proud to bring Zoom’s new end-to-end encryption to Zoom users globally today,” said Zoom CISO Jason Lee. “This has been a highly requested feature from our customers, and we’re excited to make this a reality. Kudos to our encryption team who joined us from Keybase in May and developed this impressive security feature within just six months.”
When the need for video conferencing skyrocketed at the beginning of the pandemic, no one could have predicted how desperately such services would be needed or the growth that was possible over the next 18 months. Unfortunately, it also created security loopholes for hackers with time on their hands and their own agendas. Zoom is going to pay a hefty price to settle the class action privacy lawsuit (about 10% of total revenue for the fourth quarter of 2020), but they learned some important lessons along the way. Ultimately, their products and services, and their customers, will benefit.