FTC fines Verkada for $2.9M for violating CAN-SPAM Act, requires additional security practices

Aug. 30, 2024
The Federal Trade Commission hit security camera firm Verkada with a $2.9 million fine Friday and is requiring the company to implement an information security program to settle allegations the company failed to use appropriate information security practices and allowed a hacker to access customers’ security cameras.

Under a proposed order, which must be approved by a federal judge before it can go into effect, Verkada will also be required to pay a $2.95 million monetary penalty to settle allegations the company “inundated prospective customers with commercial emails in violation of the CAN-SPAM Act,” which the FTC said is the largest penalty obtained by the FTC for a CAN-SPAM violation.

In a lengthy statement issued Friday, San Mateo, Calif.-based Verkada said the settlement related to the FTC’s probe of a March 2021 data security incident and, separately, some of its e-mail marketing practices between 2019 and 2021.

“There was no fine imposed related to the security incident, but we have agreed to pay $2.95 million to resolve the FTC’s claims about our past email marketing practices,” Verkada said. “We do not agree with the FTC's allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way.”

The DOJ complaint alleged that Verkada failed to use appropriate information security practices to protect consumers’ personal information, which allowed a hacker to access internet-connected security cameras and view patients in psychiatric hospitals and women’s health clinics.

The complaint also charged that Verkada was aware that employees and a venture capital investor posted positive ratings and reviews of Verkada and its products but failed to disclose their association or current employment status with Verkada.

The complaint also alleged Verkada violated the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing) by flooding prospective customers with a barrage of commercial emails and failing to include the option to unsubscribe or opt-out, honor opt-out requests and provide a physical postal address in the emails.

“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies that fail to secure and protect consumer data can expect to be held responsible.”

“This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk,” said Brian M. Boynton, Principal Deputy Assistant Attorney General of the Department of Justice’s Civil Division. “We will continue to work with the FTC to hold companies accountable for such violations.”

The DOJ said Verkada, in its privacy policy, press releases, blog posts and other materials, claimed it takes data security and customer privacy seriously: for example, in its 2018 privacy policy it claimed to use “best-in-class data security tools and best practices to keep your data safe and protect the Verkada Products from unauthorized access.”

The complaint alleged that despite such claims, Verkada failed to provide appropriate security measures to protect the personal information it collects, which includes sensitive video footage from its security cameras as well as data about customer accounts such as names, email addresses, passwords and site floorplans.

For example, the company failed to require unique and complex passwords, adequately encrypt customer data, and implement secure network controls, the government said.

As a result of these security failures, the complaint alleges, the company experienced at least two security breaches between December 2020 and March 2021. In the March 2021 breach, a hacker accessed video footage from over 150,000 internet-connected Verkada cameras as well as other customer information, such as physical addresses, audio recordings, and customer WiFi credentials.

Verkada disputes this claim in part, saying Friday the hacker had access to 150,000 cameras but only accessed 97 cameras.

Additionally, the government alleged, Verkada “misled” consumers with respect to its compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the EU-U.S. Privacy Shield framework, and the Swiss-U.S. Privacy Shield framework. According to the complaint, Verkada’s security practices were not compliant with either HIPAA or either Privacy Shield framework.

The complaint further alleges that Verkada also misled consumers by failing to disclose that certain online consumer ratings and reviews of its camera products were written by Verkada employees and a venture capital investor. For example, a venture capitalist who invested in Verkada posted a five-star rating and positive review on Google Maps.

Lastly, the complaint alleges that Verkada violated the CAN-SPAM Act in several ways. According to the complaint, Verkada relied on commercial email campaigns to help market its products, sending more than 30 million commercial emails over a three-year period. Verkada’s commercial emails violated the CAN-SPAM Act in four ways, including not honoring email recipients’ requests to unsubscribe.

In addition to the monetary penalty, the proposed order also will prohibit the company from making misrepresentations about Verkada’s privacy and data security practices and require it to implement a comprehensive information security program with third-party audits. The proposed order also will prohibit Verkada from violating the CAN-SPAM Act.

The Commission voted 5-0 to refer the complaint and stipulated order to DOJ. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of California. Commissioner Melissa Holyoak issued a separate concurring statement.

Verkada acknowledged Friday the 2021 attack that compromised its platform, which affected 6,000 customers. “In response, we immediately investigated and contained the incident,” the company responded. “We curtailed the attacker’s access within two hours of discovery and notified customers that same day.

“We then began immediate work to strengthen our safeguards and partnered with the best of the best to help us – including leading cybersecurity specialists from Mandiant and The Chertoff Group, led by the former Secretary of Homeland Security Michael Chertoff.

Verkada said it’s continuing to prioritize strengthening its data security posture, achieving SOC 2 Type 1 compliance and SOC 2 Type 2 compliance in 2022. This year the company obtained certifications for ISO 27001, ISO 27017, and 27018.

“On top of all this, pursuant to today’s settlement, we have now also agreed to adopt the FTC’s information security program protocols, subject to biennial reviews by a third-party assessor.”

As for the marketing practices, “the FTC claims that we did not follow certain CAN-SPAM Act requirements (such as the requisite language in email footers and certain opt-out protocols). We disagree with their allegations, but more importantly, we overhauled our CAN-SPAM compliance starting in 2019.

“We’ve acquired tools and platforms to better facilitate CAN-SPAM compliance, made it easier to opt out from our promotional emails by establishing a dedicated webpage where customers can control their email preferences, mandated use of a standardized email footer that always includes a physical address and a link to the webpage, and adopted more robust policies and training. We continue to prioritize these efforts.”

In addressing the reviews on Verkada’s Google Maps profile that were posted by people affiliated with Verkada (such as employees) without disclosing their affiliation, the company said it has since redoubled efforts “to ensure employees and others understand that they are welcome to post their views about Verkada’s products and services, but they must clearly disclose their relationship to Verkada if they do.”

Verkada said more can be learned about its commitment to data security and customer privacy at www.verkada.com/trust.

About the Author

John Dobberstein | Managing Editor/SecurityInfoWatch.com

John Dobberstein is managing editor of SecurityInfoWatch.com and oversees all content creation for the website. Dobberstein continues a 34-year decorated journalism career that has included stops at a variety of newspapers and B2B magazines. He most recently served as senior editor for the Endeavor Business Media magazine Utility Products.