Imagine being in a hospital and suddenly feeling like you’re being watched—but not by hospital staff. According to a complaint filed by the Department of Justice upon notification and referral from the FTC, surveillance camera company Verkada Inc. failed to provide reasonable security for the personal information it collected—including 150,000 live camera feeds in sensitive areas like psychiatric hospitals, women’s health clinics, elementary schools, and prison cells.
These failures allowed a threat actor, in March 2021, to remotely access Verkada’s customer camera feeds and watch consumers live, without their knowledge or consent. Despite the invasive security breach, Verkada remained unaware of the threat actor’s intrusive exploration until the threat actor self-reported the hack to the media.
The vast majority of Verkada’s customers throughout the U.S. and abroad are small businesses spanning multiple industries, including education, government, healthcare, and hospitality. Given the company’s extensive reach, odds are you’ve been captured by one of Verkada’s security cameras and don’t even know it.
But the FTC says the compromise went beyond Verkada’s security cameras. According to the complaint, the threat actor also exfiltrated data about Verkada’s own customers, mostly businesses, including: names, email addresses, physical addresses, usernames and password hashes, geolocation data for security cameras…and the list goes on.
Verkada’s security failures are in stark contrast to its many public promises to keep personal and customer information safe. According to the complaint, Verkada’s own privacy policy claimed “[a]t Verkada, we take customer privacy seriously,” and “[w]e will use best-in-class data security tools and best practices to keep your data safe and protect the Verkada Products from unauthorized access.” Also, Verkada publicly promised that it was HIPAA certified or compliant and that it followed the EU-U.S. and Swiss-U.S. Privacy Shield principles. The FTC’s complaint alleges that all these representations were deceptive.
But poor data security is only part of the story. The complaint also claims Verkada misrepresented that online consumer ratings and reviews of the company and its products reflected the experiences or opinions of ordinary, impartial customers. In reality, the FTC says Verkada employees submitted five-star reviews and ratings. In another twist, the complaint also claims Verkada’s email marketing practices violated the CAN-SPAM Act. For instance, in 2021, Verkada sent over 22 million (often unwelcome) marketing emails to prospective customers but failed to honor “unsubscribe” requests on numerous occasions, did not include a valid physical postal address in its marketing emails, and didn’t provide a clear and conspicuous “opt-out” notice in its commercial emails.
To settle the FTC’s case, the company has agreed to a proposed order that prohibits Verkada from: (1) misrepresenting its privacy and security practices, (2) misrepresenting its compliance with HIPAA and Privacy Shield, (3) misrepresenting the status of any person leaving online reviews or ratings about the company, and (4) violating the CAN-SPAM Act. The proposed order will also require Verkada to implement an information security program, including encryption of information and multi-factor authentication to access such information. This information security program will be subject to outside assessments. With respect to Verkada’s CAN-SPAM Act violations, the company will pay a civil penalty of $2.95 million to settle allegations that its aggressive marketing tactics violated the law.
What key points can your company take away from the FTC’s action against Verkada?
Hold up your company’s data security practices next to the Verkada complaint allegations. Notice any similarities? While appropriate data security is very specific to your organization, it is helpful to review examples where Verkada failed to secure the information it maintained. For example, the FTC charged that the company failed to implement unique and complex passwords and lacked appropriate alerts and monitoring for unauthorized attempts to transfer personal and customer information. Once you’ve reviewed your company’s data security practices, go one step further and make sure that what your company is saying about those practices is true.
Don’t fake it until you make it . . . we can tell. Through this law enforcement action and a recent rule banning fake reviews and testimonials, the FTC continues to send a clear message to companies about fake online reviews and ratings: You can’t mislead consumers by pretending to be a customer and leaving a glowing review of your own business’s product or service online. Your employees, contractors, investors, or anyone associated with your company must clearly disclose their relationship if making an online endorsement.
Consider a CAN-SPAM compliance check for your business. If you’ve never heard of the CAN-SPAM Act or it’s been a while since you’ve taken a close look at your email marketing policies, read the FTC’s CAN-SPAM Act: A Compliance Guide for Business. This guide outlines helpful compliance tips, such as honoring email recipient opt-out requests in a timely manner and including your business address in your email marketing messages. Review these tips to make sure your marketing dreams don’t become marketing nightmares.
The FTC's investigation into Verkada raises serious concerns about the company's data security practices. It's crucial for surveillance camera companies to prioritize the protection of sensitive customer data. I'm interested to learn more about the specific vulnerabilities exploited by the hackers and the steps Verkada is taking to address these issues.