Zoom Boosts Data Security Measures To End NY AG's Probe

By Allison Grande

Law360 (May 7, 2020, 10:24 PM EDT) --
Zoom has agreed to enhance its security and privacy protections to resolve a probe by New York's attorney general into issues exposed by the video conferencing service's skyrocketing popularity amid the coronavirus pandemic, the regulator announced Thursday, a day after the company tapped an ex-Crowell & Moring LLP attorney and a former national security adviser to fill a pair of key roles.

New York Attorney General Letitia James opened an investigation into Zoom Video Communications Inc.'s privacy and security practices in March, shortly after people began flocking to the service as the spread of COVID-19 forced businesses, schools and most social interactions to move online. The demand increased both the volume and sensitivity of data passing through Zoom's networks, exposing security flaws and vulnerabilities in the company's platform and software as well as a lack of privacy protections, according to the attorney general.

The probe came to an end Thursday, when James announced that she had reached an agreement with Zoom that requires the company to implement new security and privacy measures to protect consumers, students, workers, governments and religious institutions. These changes include establishing a comprehensive data security program that will be designed and run by the company's head of security, encrypting users' information both in storage and transit, allowing those with free accounts to have more control over who can access their meetings, and taking steps to stop its sharing of user data with Facebook Inc. and LinkedIn Corp.

"Our lives have inexorably changed over the past two months, and while Zoom has provided an invaluable service, it unacceptably did so without critical security protections," James said in a statement. "This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don't have to worry while participating in a video call."

Zoom said in a statement Thursday that it was pleased to have reached a resolution with the attorney general, "which recognizes the substantial work that Zoom has completed as part of our 90-day security and privacy plan, including making a number of our pre-existing security features on by default and also introducing new security enhancements."

"We are grateful for the New York Attorney General's engagement on these important issues and are glad to have reached this resolution so quickly," the company added. 

In an apparently related announcement Thursday, Zoom disclosed that it had acquired secure messaging and file-sharing service Keybase for an undisclosed sum. Zoom said the acquisition would help "accelerate" its plan "to build end-to-end encryption that can reach current Zoom scalability," an objective that appears to align with its commitment under the agreement with the New York attorney general to enhance its encryption protocols by encrypting users' information both in transit and when stored online on its cloud servers.

Other notable changes that Zoom agreed to in its deal with New York include pledges to conduct risk assessment and software code reviews to ensure that its software doesn't have vulnerabilities that would allow hackers to exploit users' information; to perform "the most thorough form" of penetration testing each year; and to take steps to ensure that meeting hosts can report users engaging in abusive conduct and that those instances are properly investigated. Zoom also insisted that it has disabled its LinkedIn Navigator feature, which supposedly shared profiles with users even when the user wanted to stay anonymous, the attorney general said.

The issues raised by Zoom's rapid rise to prominence have grabbed the attention of not only James but also other regulators, policymakers, consumer advocates and class action plaintiffs across the country. The company is facing lawsuits from both users and shareholders targeting suspected security vulnerabilities, including gaps that allow uninvited guests to interrupt, or "Zoombomb," conversations, as well as allegedly unauthorized sharing of user data with Facebook and LinkedIn.

Citing these concerns, New York City public schools announced a ban last month on its more than 1.1 million students and their teachers using the service for distance learning. But the New York City Department of Education reversed course on Wednesday, announcing that schools could resume using Zoom after the department reached its own agreement with the company to implement further privacy and security protections that meet the DOE's "high standards."

However, the department said on its website that students and educators "cannot simply use Zoom as you did before" but instead must use the new DOE-licensed version of Zoom created through the agreement. This iteration contains several changes, including blocking students from taking control of the screen or renaming themselves, and giving teachers hosting the meeting the sole ability to enable screen sharing or mute fellow participants, according to the DOE.

"The security of our students and staff is paramount, and we've worked with Zoom to create a tailored platform that provides the safety and functionality schools need to engage in remote learning," Schools Chancellor Richard A. Carranza said in a statement. "I'm happy that Zoom has addressed vulnerabilities over the last few weeks, and effective immediately, our community can safely use the Department of Education-licensed Zoom account for remote learning."

Since the coronavirus pandemic thrust Zoom into the national spotlight, the company — which has noted that its platform was originally designed for enterprise use and not for the surge of personal use it's recently experienced — has stressed that it's "working around-the-clock" on privacy and security issues and has announced several changes to address these concerns.

These include its Wednesday announcement that it had appointed former national security adviser H.R. McMaster as an independent director on its board of directors, and had hired Josh Kallmer, former counsel at Crowell & Moring LLP, to serve as head of global public policy and government relations.

McMaster, who assumed his position Wednesday and is also a fellow and lecturer at Stanford University, worked in the Trump administration as national security adviser from February 2017 to April 2018 and served as a commissioned officer in the U.S. Army for 34 years before retiring as a lieutenant general in June 2018, according to Zoom.

"Zoom does significant good for our society, allowing people to connect and collaborate face-to-face from anywhere," McMaster said in a statement Wednesday. "My goal is to help the company navigate rapid growth and assist in meeting Zoom's commitment to becoming the world's most secure video communications platform."

Kallmer, who will start leading the company's government relations and public policy efforts around the world on May 26, most recently worked as executive vice president for policy at the Information Technology Industry Council. Before joining ITI, he acted as counsel at Crowell & Moring from 2012 to 2015 and before that served as deputy assistant U.S. trade representative for investment in the Office of the U.S. Trade Representative.

"Zoom is an incredibly innovative company with a world-class team and culture," Kallmer said Wednesday. "I'm excited to join this team that shares my policy priorities of communicating honestly, building trust, and developing understanding of innovation and technology in governments around the world."

Zoom was represented in the New York matter by Travis LeBlanc of Cooley LLP.

New York was represented by Noah Stein, Nathaniel Kosslyn, Joe Graham, Clark Russell and Kim Berger of the state Bureau of Internet and Technology.

--Editing by Adam LoBelia.

This article has been updated to add a comment from Zoom about its agreement with the New York attorney general. 
