On August 30, the U.S. Federal Trade Commission (FTC) announced a settlement agreement with security company Verkada to resolve a lawsuit filed by the U.S. Department of Justice (DOJ). Verkada was accused of failing to implement adequate security measures to protect user data, resulting in data breaches, and violating the CAN-SPAM Act through its email marketing practices.
As part of the settlement, Verkada will pay a $2.95 million civil penalty, implement a comprehensive information security program, refrain from making false statements about privacy and data security, and comply with CAN-SPAM for email marketing.
Case Background
Verkada, a California-based security company, sells security equipment, including surveillance cameras. Between 2019 and 2021, Verkada sold over 240,000 cameras, which were connected to its network platform, collecting data such as IP addresses, camera locations, user names, and video footage.
Verkada experienced at least two data breaches in recent years. In December 2020, hackers exploited security flaws on Verkada servers to install malware and launch cyberattacks. In March 2021, hackers gained admin access and extracted data from over 150,000 cameras, including sensitive footage from hospitals, clinics, and daycare centers.
Following these breaches, the FTC investigated and found multiple violations, leading the DOJ to file a lawsuit in the U.S. District Court for the Northern District of California.
DOJ Allegations
The DOJ accused Verkada of the following:
1. Violations of the Federal Trade Commission Act
Section 5(a) of the FTC Act (15 U.S.C. § 45(a)) prohibits unfair or deceptive acts affecting commerce. The DOJ stated that Verkada’s actions constituted both unfair and deceptive practices:
- Unfair practices: Verkada failed to take reasonable measures to secure user data, leading to unauthorized access. Specific failures included:
- Lack of adequate access control (e.g., least privilege principle, multi-factor authentication);
- Inadequate data protection to prevent loss (e.g., identifying sensitive data, monitoring for data leaks);
- Lack of centralized logging and alert systems;
- Failure to implement vulnerability management standards and perform necessary security testing;
- Insufficient encryption for data storage and transmission;
- Inadequate cybersecurity measures (e.g., firewall configuration, disabling unnecessary ports);
- Lack of appropriate information security policies and employee training.
- Deceptive practices: Verkada misrepresented its security measures and privacy protection practices, falsely claiming compliance with HIPAA, EU-U.S. Privacy Shield, and Swiss-U.S. Privacy Shield.
- Deceptive advertising: Verkada used positive reviews from employees and investors to promote its products, without disclosing the relationship between the reviewers and the company.
2. Violations of the CAN-SPAM Act
Verkada violated Section 5(a) of the CAN-SPAM Act (15 U.S.C. § 7704(a)) by failing to:
- Comply with recipients’ opt-out requests, continuing to send commercial emails beyond the 10-day window after receiving opt-out requests;
- Clearly and prominently indicate the opt-out mechanism in marketing emails;
- Provide a valid postal address in commercial emails, as required by the CAN-SPAM Act.
Compliance Lessons
Companies handling personal data must consider the risks to such data and implement adequate security measures. Global data protection laws typically require companies to ensure the security, confidentiality, and integrity of personal data. Even without specific privacy regulations, authorities may interpret obligations from general fairness principles, as demonstrated in this case.
Additionally, companies should avoid exaggerating or making false claims about privacy protections or security measures, as this could be seen as deceptive and lead to penalties. Furthermore, email marketing must comply with regulations such as CAN-SPAM, ensuring a clear opt-out mechanism and adherence to recipients' preferences.
