FTC Drops the Hammer on Security Camera Firm Over Charges it Failed to Secure Videos and Personal Data, and that it Violated CAN-SPAM Act

Hinch Newman LLP

On August 30, 2024, the Federal Trade Commission announced that the Department of Justice filed a complaint upon notification and referral from the FTC against a surveillance camera company that allegedly failed to provide reasonable security for the personal information it collected—including 150,000 live camera feeds in sensitive areas like psychiatric hospitals, women’s health clinics, elementary schools and prison cells.

According to the complaint, these alleged failures allowed a threat actor - in March 2021 - to remotely access the company’s customer camera feeds and watch consumers live, without their knowledge or consent. Despite the purported invasive security breach, the company allegedly remained unaware of the threat actor’s exploration until the threat actor self-reported the hack to the media.

According to FTC lawyers, the vast majority of the company’s customers throughout the U.S. and abroad include small businesses spanning multiple industries, including education, government, healthcare, and hospitality. The FTC says that the compromise went beyond the company’s security cameras. According to the complaint, the threat actor also exfiltrated data about the company’s own customers, mostly businesses, including, but not limited to, names, email addresses, physical addresses, usernames and password hashes, and geolocation data for security cameras.

The company’s alleged security failures “are in stark contrast to its many public promises to keep personal and customer information safe,” according to the FTC.

According to the complaint, the company’s own privacy policy claimed that the company “take[s] customer privacy seriously,” and “[w]e will use best-in-class data security tools and best practices to keep your data safe and protect [the company’s] products from unauthorized access.”

The FTC also states that the company publicly promised that it was HIPAA certified or compliant and that it followed the EU-U.S. and Swiss-U.S. Privacy Shield principles. The FTC’s complaint alleges that all these representations were deceptive.

The complaint also alleges that the company misrepresented that online consumer ratings and reviews of the company and its products reflected the experiences or opinions of ordinary, impartial customers. The FTC says that company employees submitted five-star reviews and ratings.

Additionally, the complaint alleges that the company’s email marketing practices violated the CAN-SPAM Act. For example, according to the FTC, in 2021 the company sent over 22 million marketing emails to prospective customers but purportedly failed to honor “unsubscribe” requests on numerous occasions, did not include a valid physical postal address in its marketing emails, and did not provide a clear and conspicuous “opt-out” notice in its commercial emails.

According to the FTC, to settle the matter the company has agreed to a proposed order that prohibits the company from: (i) misrepresenting its privacy and security practices, (ii) misrepresenting its compliance with HIPAA and Privacy Shield, (iii) misrepresenting the status of any person leaving online reviews or ratings about the company, and (iv) violating the CAN-SPAM Act.

“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which [the company] failed to do,” said FTC lawyer Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies that fail to secure and protect consumer data can expect to be held responsible.”

“This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk,” said Brian M. Boynton, Principal Deputy Assistant Attorney General of the Department of Justice’s Civil Division. “We will continue to work with the FTC to hold companies accountable for such violations.”

The proposed order will also require the company to implement an information security program, including encryption of information and multi-factor authentication to access such information. This information security program will be subject to outside assessments.

With respect to the company’s alleged CAN-SPAM Act violations, the company will pay a civil penalty of $2.95 million to settle allegations that its aggressive marketing tactics violated the law.

Takeaway: Marketers should consult with an experienced FTC CID lawyer to review their data security practices and compare them to examples where the company’s practices were allegedly deficient. For example, the FTC charged that the company failed to implement unique and complex passwords and lacked appropriate alerts and monitoring for unauthorized attempts to transfer personal and customer information. Ensure that what you are saying about your data security practices is truthful. Additionally, the recent rule banning fake reviews and testimonials has sent a clear message to companies about fake online reviews and ratings. Marketers cannot mislead consumers by pretending to be a customer and leaving a glowing review of their own business’s product or service online. Employees, contractors, investors or anyone associated with your company must clearly disclose their relationship if making an online endorsement. Lastly, read the FTC’s CAN-SPAM Act: A Compliance Guide for Business. This guide outlines helpful compliance tips, such as honoring email recipient opt-out requests in a timely manner and including your business address in your email marketing messages.

Written by:

Hinch Newman LLP