Verkada, a manufacturer and retailer of security cameras, has settled FTC accusations of lax security measures. The company sells its products to businesses, including schools and medical facilities. It markets its products as “plug and play:” the cameras connect to the cloud and allow customers’ remote access into both live and archived video footage. Among other features, the cameras have a “people analytics” tool that lets users “search images through facial recognition or face-matching technology.” A review of the settlement raises many reminders for companies about (1) security claims in privacy policies and marketing, (2) remediation concerns following a breach, (3) adherence to the Privacy Shield, and (4) a reminder about related (and often overlooked) laws like CAN-SPAM.

The Company’s Marketing Practices and Security Claims

As part of its marketing, the company made a variety of security claims and had engaged in other marketing activities with which the FTC had concerns:

• It was both “HIPAA certified” and compliant with the EU US Privacy Shield;
• In its privacy policy it said “we take customer privacy seriously” and that it uses “industry-standard methods to keep [customer] information safe and secure;”
• In other materials it claimed that the product is “secure out of the box” and that the company “pull[s] out all the stops to ensure that your data is protected as it is transmitted over the network;”
• Employees and investors posted positive reviews without disclosing their affiliation with the company; and
• The company engaged in an aggressive email campaign marketing its products.

The Data Incidents and Remediation Recommendations

The FTC’s investigation of the company followed two data breaches. The first was in December 2020. At the time, a threat actor was able to install malware in Verkada’s AWS environment. According to the complaint, the company did not discover this for three weeks because of insufficient alert capabilities. As part of the incident, the company hired a forensic firm that recommended certain remediation measures. It then also hired a cybersecurity firm to provide recommendations, which recommended several remediation steps. These included improvements in monitoring and logging. According to the FTC, these recommendations were not implemented. In March 2021, another threat actor was able to infiltrate the system. This time, by accessing an administrative level account. In this second attack, hackers accessed live cameras and stole sensitive personal information of 115,000 customers. Through the live cameras, hackers watched hospital patients sleeping, children playing inside of a room, and prisoners in their cells.

The Settlement

The FTC argued that the company had engaged in multiple legal violations, including insufficient security measures as required by HIPAA and deceptive privacy claims in violation of Section 5 of the FTC Act. Deceptiveness violations included:

• Claiming that it was complying with the Privacy Shield program: although the program is no longer viewed as adequate by the EU, the FTC found the company needed to adhere to its requirements if it was making public statements that it was doing so; and
• Making misleading claims like the online reviews, and privacy policy and website statements about security.

Finally, the FTC also found the company had violated CAN-SPAM by, among other things, not including an opt-out mechanism or valid physical address. As part of the stipulated order, Verkada will not only pay an almost $3 million civil penalty. It has also agreed to, among other things, update its access controls and implement multi-factor authentication. It has also agreed perform an annual test of its systems and only engage with vendors who can adequately protect personal information. Verkada has also agree to submit certifications of security compliance to the Commission annually for twenty years.

Putting It Into Practice: This case included many reminders for companies about FTC privacy and security risks and potential “hooks” that can be used in the event of a breach. Among these are promises made in privacy policies and marketing materials about security measures. Also of concern can be remediation recommendations that are not implemented, including following a data incident.