On August 30, 2024, the Federal Trade Commission announced a proposed settlement with Verkada, a security camera firm, in connection with alleged data security failures and CAN-SPAM Act violations. Under the proposed order, Verkada will be required to implement a comprehensive information security program and pay a $2.95 million monetary penalty.
The FTC alleges that Verkada, a company that sells IP-enabled security cameras and other physical security offerings, experienced at least two security breaches between December 2020 and March 2021. According to the FTC’s complaint, Verkada’s failure to use appropriate information security practices to protect consumers’ personal information permitted a hacker to access internet-connected security cameras and view patients in sensitive locations such as psychiatric hospitals and women’s health clinics; the March 2021 breach alone exposed more than 150,000 live Verkada customer cameras. The hacker also allegedly had access to other customer information, such as physical addresses, floorplans, geolocation data, audio recordings, data from a “People Analytics” feature and customer Wi-Fi credentials. Third-party cybersecurity assessments following the 2020-21 breaches identified multiple security gaps that Verkada failed to address.
Verkada’s alleged security failures included failing to require unique and complex passwords, to adequately encrypt customer data and to implement secure network controls. The FTC also alleges that the company violated the CAN-SPAM Act by inundating prospective customers with commercial emails while failing to include an unsubscribe or opt-out option, failing to honor opt-out requests, and failing to include a physical postal address in those emails. Additional allegations include misleading consumers with respect to the company’s compliance with the Health Insurance Portability and Accountability Act of 1996 and the EU-U.S. and Swiss Privacy Shield frameworks, and failing to disclose that certain online ratings and reviews of its products were written by Verkada employees and a venture capital investor.
If approved by a federal judge, the proposed order would:
- Require the company to develop and implement a comprehensive information security program with third-party audits.
- Require Verkada to pay a $2.95 million monetary penalty, the largest penalty the FTC has obtained for a CAN-SPAM violation.
- Prohibit the company from making misrepresentations about Verkada’s privacy and data security practices.
- Prohibit Verkada from violating the CAN-SPAM Act.
The FTC’s complaint reflects the importance of maintaining fundamental security controls, not least of all for companies in the security business, and of adhering to the basic requirements of the CAN-SPAM Act.