Security Camera Vendor Fined $2.95 Million for Alleged Violations of FTC Act and CAN-SPAM Act
The Federal Trade Commission (FTC) has proposed a $2.95 million financial penalty for the Californian security camera vendor Verkada to resolve allegations the company violated the FTC Act by failing to implement appropriate information security practices and violated the CAN-SPAM Act by bombarding customers with emails without providing a way to unsubscribe.
Verkada’s IP-enabled security cameras provide live video feeds and record and store video footage in Amazon Web Services (AWS) storage. The cameras are used in many sensitive locations, including psychiatric hospitals, women’s health clinics, prisons, and schools. Verkada claimed it takes data security and customer privacy seriously and said the company uses best-in-class security tools and best practices to ensure that customer data is kept safe and is prevented from unauthorized access. The FTC alleged that appropriate security measures had not been implemented. For example, the company did not require unique and complex passwords, had not implemented secure network controls, and did not adequately encrypt customer data. These failures resulted in at least two security breaches between December 2020 and March 2021.
In December 2020, a hacker installed Mirai botnet software on Verkada’s legacy firmware build server after an employee who had been working on the server failed to restore its original security settings. The server was subsequently used for a range of malicious activities, including conducting denial-of-service attacks on third-party internet addresses. The server was compromised for 2 weeks before the breach was detected, and Verkada only discovered the intrusion when AWS flagged the unauthorized activity.
Another security breach occurred in March 2021. A hacking group exploited a flaw in Verkada’s customer support server and gained administrative-level access to the server. The hackers accessed Verkada’s Command platform, which provides access to more than 150,000 live camera feeds. The hackers downloaded several gigabytes of video footage, screenshots, and sensitive customer information. The hackers disclosed the breach themselves, which alerted Verkada to it.
The FTC alleged Verkada failed to use appropriate information security practices to protect sensitive customer information, in violation of section 5(a) of the Federal Trade Commission (FTC) Act. Verkada was also alleged to have misled consumers about compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, as its security practices were not compliant with HIPAA and the two frameworks.
The FTC also alleged a violation of section 7(a) of the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) for flooding prospective customers with commercial emails and failing to provide an option to unsubscribe or opt out or include a physical address in the emails. Verkada was also accused of knowing that employees and a venture capital investor had posted positive ratings and reviews of its products but failed to disclose their association with the company. The case was referred to the Department of Justice, which filed a complaint seeking a permanent injunction, civil penalties, and other relief.
The FTC’s proposed order requires Verkada to develop and implement a comprehensive information security program, prohibits Verkada from making misrepresentations about its data privacy and security practices, prohibits Verkada from violating the CAN-SPAM Act, and requires Verkada to pay a $2.95 million financial penalty to resolve the alleged violations of the FTC Act and CAN-SPAM Act. This is the largest financial penalty obtained by the FTC to resolve a CAN-SPAM Act violation.
“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies that fail to secure and protect consumer data can expect to be held responsible.”
Verkada said it disagrees with the FTC’s allegations but chose to accept the terms of the settlement to allow the company to move forward, and confirmed that the company will continue to strengthen its security posture. The proposed order must now be approved by a federal judge before it can take effect.


