The Federal Trade Commission (FTC) has announced that security camera firm Verkada will pay a $2.95 million penalty following allegations of inadequate data security practices.
This settlement follows a massive data breach that exposed sensitive information from thousands of internet-connected security cameras.
FTC’s Allegations and Legal Action
The FTC’s complaint, filed by the Department of Justice (DOJ), alleges that Verkada failed to implement appropriate information security measures, allowing a hacker to access sensitive video footage and personal data.
Between December 2020 and March 2021, the breach affected over 150,000 cameras, including those in psychiatric hospitals and women’s health clinics.
The hacker accessed video footage and customer information such as physical addresses and WiFi credentials.
In addition to the data security failures, the FTC accused Verkada of violating the CAN-SPAM Act by inundating prospective customers with commercial emails.
These emails lacked essential compliance features, such as an option to unsubscribe, and failed to honor opt-out requests.
Misleading Claims and Misrepresentations
The complaint further alleges that Verkada misled consumers regarding its compliance with data protection regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the EU-U.S. Privacy Shield framework.
Despite claiming to use “best-in-class data security tools,” Verkada’s practices fell short of these standards.
Moreover, the FTC highlighted that Verkada failed to disclose that some positive online reviews were written by its employees and a venture capital investor.
This lack of transparency further eroded consumer trust in the company’s products and practices.
Settlement and Future Obligations
Under the proposed order, which requires federal court approval, Verkada must pay a $2.95 million penalty. This is the largest fine the FTC has obtained for a CAN-SPAM Act violation.
Additionally, Verkada is required to develop and implement a comprehensive information security program, which will undergo third-party audits to ensure compliance with data protection standards.
The order also prohibits Verkada from misrepresenting its privacy and data security practices and mandates compliance with the CAN-SPAM Act. These measures aim to prevent future violations and protect consumer data more effectively.
Industry Implications and Official Statements
This case underscores the critical importance of robust data security measures, especially for security companies.
“When customers invite companies into private spaces to monitor consumers, they expect those companies to provide basic levels of security, which Verkada failed to do,” stated Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
Brian M. Boynton, Principal Deputy Assistant Attorney General of the DOJ’s Civil Division, emphasized the broader implications: “This settlement underscores the importance of robust data security measures. Failure to protect sensitive information puts consumers at risk.”
The FTC’s action against Verkada is a stark reminder to companies about the consequences of inadequate data protection and misleading consumer practices.
As the digital landscape continues to evolve, the need for stringent security protocols and transparency in consumer interactions remains paramount.
The FTC’s ongoing efforts to promote competition and protect consumers highlight its commitment to holding companies accountable for their data security practices.
Consumers are encouraged to stay informed about their rights and report any fraudulent activities to the FTC.