· 2 min readsecuritysoftware

Zoom Settles With New York Over Its Security Promises

NY Attorney General Letitia James reached an agreement with Zoom requiring mandatory passwords, better encryption, and other safeguards after a spring of Zoombombing.

Zoom’s rough spring has produced its first real regulatory consequence. New York Attorney General Letitia James’ office announced yesterday, May 7, that it reached an agreement with Zoom following an investigation into the company’s security and privacy practices. The deal requires Zoom to roll out mandatory passwords, stronger encryption, and a set of other safeguards meant to keep meetings from being hijacked.

If you’ve been anywhere near a video call in the last two months, you know why this happened. “Zoombombing” became a household term almost overnight once the whole world started working, teaching, and socializing over Zoom. Trolls found meetings with guessable or public IDs, no password, and wide-open screen-share permissions, and used them to blast pornography, slurs, and worse into classrooms and business meetings. It was ugly, it was widespread, and it was entirely predictable given how Zoom’s defaults were configured before this year.

What the agreement actually changes

The specifics released so far center on the basics that security people had been begging Zoom to fix for weeks: passwords on by default, better encryption practices, and additional safeguards around meeting access. None of this is exotic. It’s the kind of hardening that should have been standard from the start for a tool that, pre-pandemic, was mostly used for scheduled business calls with known participants rather than open-enrollment classrooms and public events.

What’s notable here isn’t the technical ask so much as the fact that a state AG’s office moved fast enough to land an agreement this quickly. New York has been aggressive about tech privacy enforcement for a while, but a settlement within weeks of a problem going mainstream is fast even by that standard. It signals that regulators are watching how the pandemic-driven surge in remote work tools gets secured, not just how it gets marketed.

Why this matters beyond Zoom

Zoom has already spent the last several weeks in public damage-control mode: freezing feature development to focus on security, rolling out passwords and waiting rooms by default, and bringing on outside security help. This agreement effectively puts some of that into a legally binding framework, at least for meetings involving New York users, rather than leaving it as a set of blog-post promises the company could quietly walk back later.

It’s also a preview of what’s likely coming for every other suddenly-essential remote tool. Video conferencing, virtual classrooms, telehealth platforms — a lot of software that used to serve a narrower, more security-conscious audience is now handling sensitive conversations for millions of people who never thought about meeting IDs or encryption. Regulators clearly aren’t going to wait for a slow news cycle to ask hard questions about that shift.

For everyday users, the practical takeaway hasn’t changed: keep using passwords on your meetings, keep waiting rooms on, and don’t post meeting links publicly. The defaults are getting better, but it’s still worth checking your own settings rather than assuming the platform has it handled.

Related posts

On this day in other years

Latest on Daily Signal

All posts →