During our “Ask Me Anything” webinar hosted by Zoom CEO Eric S. Yuan, we provided an update on our progress since our last executive session on Oct. 20, 2021.
Eric was joined on the webinar by Richard Farley, Deputy Chief Information Security Officer; Lynn Haaland, Chief Compliance, Ethics & Privacy Officer; Glory Francke, Senior Privacy Counsel; Ashish (Ash) Hiranandani, Head of Trust & Safety Security Engineering; Jill Eisenhart, Trust & Safety Manager; and Jon Czerwinski, Trust & Safety Analyst.
If you missed this month’s session, you can watch the recording here:
Zoom Learning Center
2:05-4:55: Eric kicked things off by highlighting the exciting launch of the Zoom Learning Center in December 2021. The Learning Center helps our users discover how to use Zoom’s communications platform in a secure and confident manner, with a robust library of short, on-demand courses covering a range of topics for each of our products. Users can collect certificates and badges upon completing the lessons — one of our main courses is called “Zoom Security Basics,” which walks you through the safety features that are available to help protect participants in a Zoom meeting. With this free course, you can learn about important Zoom security features and how to host safer meetings in just ten minutes.
Certifications and the Trust Center
4:56-9:04: Richard spoke to the recent additions to our list of third-party certifications and attestations. These include:
- International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) 27001:2013
- Expanded scope of our existing SOC 2 Type II report to include additional criteria to meet Health Information Trust Alliance Common Security Framework (HITRUST) control requirements
- Common Criteria Evaluation Assurance Level 2 issued by the German Federal Office for Information Security
- U.K. Cyber Essentials Plus
Zoom Trust Center updates
Richard also shared some updates to our Zoom Trust Center, a one-stop shop for everything users need to know about Zoom compliance, privacy, trust & safety, and security. We recently updated our certifications to reflect the updates noted above, as well as published a variety of new reports and white papers. We are also planning to launch a new self-service login portal on the Zoom Trust Center in the first half of 2022.
SURF Data Protection Impact Assessment (DPIA)
9:05-20:05: Glory and Lynn discussed the Data Protection Impact Assessment (DPIA) on Zoom’s Meetings, Webinar, and Chat services published by SURF, which stands for “Samenwerkende Universitaire Reken Faciliteiten” in Dutch or “Co-operative University Computing Facilities” in English. They provided a few key details on the DPIA publication process:
- The DPIA is a detailed technical and legal report that analyzes how a company processes (or uses) personal data, finds any risks associated with that processing, and provides recommendations on the best ways to keep privacy risk at a minimum. A DPIA is how institutions show they did the due diligence required by the General Data Protection Regulation (GDPR).
- SURF, an association representing higher education and research institutions in the Netherlands, spent many hours meeting with us to help us understand their needs and build out a DPIA.
- The DPIA recognizes the enhancements we have made to our platform. As a result, SURF has advised organizations to implement several recommended measures themselves, and to conclude new data processing agreements with Zoom. It then advises users that they can use Zoom for highly confidential communications.
- As part of our agreement with SURF, Zoom is committed to developing new privacy features, improving transparency and documentation, enhancing Zoom’s data protection practices, and more.
Check out our blog for more information on our cooperation with SURF on the DPIA.
Account takeover security features
20:06-21:55: Ash spoke to new features designed to help keep Zoom users’ accounts safe. These new features include:
- One-time password (OTP): When Zoom detects a suspicious login, this feature asks users to enter an OTP that is sent to their email.
- Account Theft Protection (ATP): This feature helps identify users whose login credentials may have been stolen or compromised in a data breach elsewhere on the internet, so that these compromised credentials cannot be used to access a customer’s Zoom account. Whenever we have determined that a Zoom user’s login and password may have been compromised on another service, we will send them a notification and prompt them to reset their password within one day.
Meeting security and reporting abusive behavior
21:56-29:25: Jill and Jon walked us through the Trust & Safety team’s comprehensive approach to combating abuse on the Zoom platform. Jon provided a robust list of meeting security tips, all of which you can find in this blog. You can test your knowledge on these recommendations by taking the Zoom Security Basics course on the Learning Center as well.
29:26-35:04: For the Q&A session, the panel fielded relevant questions from the audience. From updating your Zoom client to additional details on the DPIA and GDPR compliance, the questions prompted a lively discussion from the entire panel.
Whether you attended this month’s session live or watched after the fact, thank you for your interest in learning about the latest in Zoom security and privacy. We’re continually evolving our efforts to help make the Zoom experience seamless, safe, and secure for every user.