The Federal Trade Commission will require security camera firm Verkada to develop and implement a comprehensive information security program to settle allegations the company failed to use appropriate information security practices, which allowed a hacker to access customers’ security cameras.
Under a proposed order, which must be approved by a federal judge before it can go into effect, Verkada will also be required to pay a $2.95 million monetary penalty to settle allegations the company inundated prospective customers with commercial emails in violation of the CAN-SPAM Act, the largest penalty obtained by the FTC for a CAN-SPAM violation.
A complaint filed by the Department of Justice (DOJ) upon notification and referral from the FTC alleged that Verkada failed to use appropriate information security practices to protect consumers’ personal information, which allowed a hacker to access internet-connected security cameras and view patients in psychiatric hospitals and women’s health clinics. The complaint also charged that Verkada was aware that employees and a venture capital investor posted positive ratings and reviews of Verkada and its products but failed to disclose their association or current employment status with Verkada.
The complaint also alleged that Verkada violated the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing) by flooding prospective customers with a barrage of commercial emails and failing to include the option to unsubscribe or opt-out, honor opt-out requests, and provide a physical postal address in the emails.
“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies that fail to secure and protect consumer data can expect to be held responsible.”
“This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk,” said Brian M. Boynton, Principal Deputy Assistant Attorney General of the Department of Justice’s Civil Division. “We will continue to work with the FTC to hold companies accountable for such violations.”
California-based Verkada sells IP-enabled security cameras and other physical security offerings to thousands of customers, both in the United States and overseas, including those that operate from sensitive. In its privacy policy, press releases, blog posts and other materials, Verkada claimed it takes data security and customer privacy seriously. For example, in its privacy policy in 2018, the company claimed it uses “best-in-class data security tools and best practices to keep your data safe and protect the Verkada Products from unauthorized access.”
The complaint alleges that despite such claims, Verkada failed to provide appropriate security measures to protect the personal information it collects, which includes sensitive video footage from its security cameras as well as data about customer accounts such as names, email addresses, passwords and site floorplans. For example, the company failed to require unique and complex passwords, adequately encrypt customer data, and implement secure network controls.
As a result of these security failures, the complaint alleges, the company experienced at least two security breaches between December 2020 and March 2021. In the March 2021 breach, a hacker accessed video footage from over 150,000 internet-connected Verkada cameras as well as other customer information, such as physical addresses, audio recordings, and customer WiFi credentials.
Additionally, Verkada misled consumers with respect to its compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the EU-U.S. Privacy Shield framework, and the Swiss-U.S. Privacy Shield framework. According to the complaint, Verkada’s security practices were not compliant with HIPAA or with either Privacy Shield framework.
The complaint further alleges that Verkada misled consumers by failing to disclose that certain online consumer ratings and reviews of its camera products were written by Verkada employees and a venture capital investor. For example, a venture capitalist who invested in Verkada posted a five-star rating and positive review on Google Maps.
Lastly, the complaint alleges that Verkada violated the CAN-SPAM Act in several ways. According to the complaint, Verkada relied on commercial email campaigns to help market its products, sending more than 30 million commercial emails over a three-year period. Verkada’s commercial emails violated the CAN-SPAM Act in four ways, including not honoring email recipients’ requests to unsubscribe.
In addition to the monetary penalty, the proposed order also will prohibit the company from making misrepresentations about Verkada’s privacy and data security practices and require it to implement a comprehensive information security program with third-party audits. The proposed order also will prohibit Verkada from violating the CAN-SPAM Act.
The Commission voted 5-0 to refer the complaint and stipulated order to DOJ. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of California. Commissioner Melissa Holyoak issued a separate concurring statement.
NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.
The lead staff attorneys on this matter are Jacqueline Ford and Kamay Lafalaise from the FTC’s Bureau of Consumer Protection.