On August 30, the Federal Trade Commission (FTC) entered into a proposed settlement order with cloud-based physical security solutions provider, Verkada Inc. (“Verkada”), settling allegations of data security violations and mandating a record monetary payment (of $2.95 million) to remedy separate allegations of unlawful email marketing practices in violation of the CAN-SPAM Act. The agency’s case against Verkada stemmed from the business’s alleged failure to use appropriate information security practices, which the agency claimed allowed a hacker to access customers’ security cameras and sensitive personal information about consumers, as a result. This action also alleged that Verkada misrepresented its security practices, as well as its compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) rules and with Privacy Shield.
This settlement is notable for a few reasons. First, it shows that – while the FTC is focused on creating new substantive security and privacy obligations for entities through its ability to enforce “unfair” violations under Section 5 of the FTC Act – it is still looking to enforce the older privacy laws that fall within its jurisdiction (such as CAN-SPAM). The FTC is also actively looking to bring enforcement actions against companies where an alleged privacy or security violation leads to the potential compromise of sensitive data. Finally, the agency still cares about the representations company’s make about their security compliance, especially if those representations relate to compliance with a formal security program (such as the security requirements mandated by HIPAA). It is also notable for companies that the FTC is continuing to enforce historic compliance efforts with Privacy Shield, even though the program has been replaced by the Data Privacy Framework.
In this article, we summarize the agency’s complaint and order against Verkada and identify key takeaways from the decision.
I. Summary of the Complaint
Verkada is a developer of physical security solutions that include video security cameras, door locks, and panic buttons, among other products, as well as a cloud-based software platform to manage them. The company sells these solutions to over 26,000 organizations today, including office buildings, warehouses, retail stores, healthcare facilities, and schools. Some of Verkada’s customers deploy the products in sensitive areas that implicate privacy concerns (such as schools and psychiatric hospitals).
In its complaint, the FTC alleged Verkada engaged in (i) multiple data security practices and failures that resulted in repeated risk of consumer data exposure and led to cybersecurity intrusions. The agency also charged Verkada with engaging in other deceptive and unfair practices including (ii) misrepresenting its security practices to consumers, (iii) misrepresenting alleged HIPAA certification and Privacy Shield compliance, (iv) failing to disclose the association or employment relationship of certain individuals who posted positive ratings and reviews about Verkada and its products online, and (v) failing to include provide consumers with an option to unsubscribe or opt-out, honor opt-out requests, and provide a physical postal address in emails.
The FTC explained the following was considered to be an unfair or deceptive practices in violation of Section 5 of the FTC Act:
Failure to Safeguard Personal Information
The FTC asserted that Verkada failed to safeguard customers’ and consumers’ personal information collected through the company’s security cameras. Specifically, the agency claimed that Verkada failed to impose reasonable access management controls including strong password authentication, role-based access controls, and issue alerts for activities such as incorrect logins to administrative accounts or removal of privileges for accounts. In addition, according to the complaint, the company failed to establish data loss protection or perform data discovery and categorization for all sensitive personal information or regular assessments to determine the effectiveness of protection measures. Verkada also allegedly had no centralized logging and alerting capabilities, nor did it conduct regular risk assessments, vulnerability scans, or penetration testing of its networks and databases. Lastly, the FTC’s complaint asserted that the company failed to assess or enforce compliance of its written information security standards and policies. According to the FTC, these combined failures allowed an unauthorized actor to hack into Verkada’s platform in March 2021, gaining access to security camera footage a limited number of customers.
The agency sought redress for what it claimed was a substantial injury to consumers in the form of exposure of their personal information and by the invasion of their privacy, especially for those in sensitive settings such as hospital rooms and schools.
Security Misrepresentations
The agency scrutinized Verkada’s representations about its information security practices and considered them to be false and misleading. In a 2018 press release, Verkada reassured customers of the strength of its security products, stating “Verkada offers a range of benefits, including stronger data security…” The complaint also referenced the company’s webpage, which made numerous claims regarding information security practices.
According to the FTC, Verkada made multiple misleading statements such as “Verkada devices are compliant against some of the strictest data handling and security standards in the world” and Verkada was “[f]ully HIPAA compliant” (when, in fact, Verkada’s products were not).
The FTC’s complaint also found issues with Verkada’s representation that it was Privacy Shield certified. Though no longer in effect as a valid data transfer mechanism for personal data from the EU to the US, companies that were previously registered under Privacy Shield are still responsible for the promises they made at the time related to their certification. In this case, the FTC was focused on this specific Privacy Shield principle:
“SECURITY [Principle 4]: (a) Organizations creating, maintaining, using, or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.”
The agency contended that Verkada made multiple false statements, including written statements that Verkada achieved the Privacy Shield certification on its web page as of December 2022.
False and Misleading Online Reviews
According to the complaint, individuals associated with Verkada wrote online reviews on the company’s Google Maps profile without disclosing their relationship to the company. The agency claimed that Verkada was aware of these reviews and that they omitted the reviewers’ ties to the company (including a venture capital investor of Verkada). The FTC’s complaint further asserted that Verkada had encouraged some employees to post these reviews.
CAN-SPAM Violations
The complaint further alleges that Verkada failed to honor opt-out requests, provide notice of opt-out requests or a valid physical postal address in its email marketing communications. At issue is that Verkada’s email marketing campaigns failed to abide by the CAN-SPAM Act, a 2004 law protecting consumers from unfair email marketing tactics. The CAN-SPAM Act also makes it illegal to initiate email marketing without a clear and conspicuous opt-out. The law forces companies to honor opt-out requests within 10-business days after receipt of such a request, which Verkada allegedly failed to do.
II. Stipulated Order
Under the stipulated order, Verkada was required to pay a $2.95 million monetary fine for the alleged CAN-SPAM violations, the highest monetary penalty ever for a CAN-SPAM violation. Verkada also agreed to the following terms in the order:
Permanent Injunction of Data Security Practices
A prohibition against misrepresentations concerning privacy, security, confidentiality of consumer data, compliance programs including HIPAA compliance, independence of endorser or reviewers of a business product or service.
A Requirement to Implement a Comprehensive Privacy Program
Following the trend in other recent FTC orders, Verkada is required to develop and implement a comprehensive information security program with biennial third-party oversight for 20 years. To safeguard personal information and customer information, the program must be documented in writing, provided to the board of directors or equivalent governing body, and overseen by a designated qualified employee. Independent third-party assessors will annually review the program’s effectiveness. Furthermore, material program evaluations or updates are required within 30 days of a covered incident. A covered incident occurs when information of or about an individual consumer was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization. After a covered incident, Verkada will submit a report to the Federal Trade Commission within 10 days.
The order also requires all employees to complete annual mandatory training on how to safeguard personal information and customer information. Verkada will be required to implement controls monitoring its networks to identify and respond to anomalous activity and unauthorized attempts to access or exfiltrate personal information and customer data. Verkada has agreed to provide the agency with annual updates of its satisfaction with the order requirements for 20 years.
Enjoined from Unlawful Commercial Email Practices
Finally, the order prohibits Verkada from violating Section 5 of the CAN-SPAM Act, or otherwise not complying with the requirements to provide a physical post address, provide a notice for consumers to decline to receive email messages, and honor email opt-out requests in connection with email marketing or advertising.
III. Key Takeaways
1. The FTC continues to enforce data security violations.
While many of the FTC’s recent enforcement actions have focused on “privacy” violations (e.g., the disclosure of sensitive data to third parties for advertising purposes), this decision shows that the FTC isn’t turning a blind eye to security violations, especially if the inadequate security leads to a data breach. Companies should pay attention to recent FTC settlement orders regarding data security and assess whether their practices live up to the FTC’s expectations, as well as to the promises they are making to consumers about their security. This latter point is especially important if a company is claiming to adhere to a specific security standard, such as the HIPAA Security Rule.
2. The FTC will continue to focus its enforcement actions where a company’s data practices potentially lead to the compromise of sensitive data.
It is no coincidence that the FTC targeted a company that provides products with access to personal information from privacy-sensitive facilities, such as psychiatric hospitals and women’s health clinics. Through this order, the FTC adds insight into what the agency considers to be sensitive information that merits heightened protection. According to the agreed to information security program requirements, the appropriate level of data protection should be based on “the volume and sensitivity of the data at risk.” In this case, the FTC contends allowing a hacker to access internet-connected security cameras and view patients in psychiatric hospitals and women’s health clinics evidenced a failure to safeguard particularly sensitive information.
3. CAN-SPAM still matters.
This is the FTC’s third CAN-SPAM related enforcement action or lawsuit in the last two years. While the agency hasn’t historically focused its attention on the law, this recent trend may indicate that this is becoming an area of focus for the agency. Companies should closely review their email marketing practices in light of these actions.
4. Privacy Shield also (still) matters.
Privacy Shield being replaced by the Data Privacy Framework isn’t stopping the FTC from enforcing the historical promises companies made under the old data transfer framework. Companies should keep this in mind as a potential enforcement risk.
