Who’s Watching The Watchers? FTC Files Proposed Order Against Security Camera Company
Tuesday, September 3, 2024

We have a little something different today.

While this is not a TCPA case, there are a lot of lessons to learn in this case for any company concerned with compliance. On Friday, the FTC said it will fine security camera company Verkada $2.95 million because its alleged poor security practices led to a hacker getting access to customers’ devices and accessing consumer personal data.

The alleged incident took place in March of 2021. Per the complaint, the hacker “had access to over 150,000 live customer cameras and viewed patients in psychiatric hospitals (including patients resting in hospital beds) and women’s health clinics, young children playing inside of a room, and incarcerated persons inside of their cells.” After the hacker was done exploring the system, the hacker self-reported it to the media.

Verkada had no idea this happened until the media contacted the company for comment.

This bears repeating: Hacker gets into security camera system. Plays around looking at videos. Contacts media. SECURITY CAMERA COMPANY has no idea until the media asks them about it.

WILD.

Also, prior to the March 2021 event, there were at least two different security assessments done by outside parties. Despite numerous “high level security gaps” in both assessments, Verkada did not address the identified issues.

The FTC’s complaint has eleven different claims. I want to focus on three areas which are widely applicable to readers of TCPAWorld: (1) Information Security issues, (2) CAN-SPAM violations, and (3) Fake Reviews.

Lack of Basic Information Security Practices

The FTC claims that Verkada “has engaged in multiple practices that, taken individually or together, failed to provide reasonable or appropriate security for the personal information that it collected”. There were some basic precautions that Verkada failed to take here (these are only the highlights, there are more in the complaint):

  1. Failure to “impose reasonable access management controls”: This is a basic area that companies often forget. Not everyone needs access to every piece of data. Companies must ask themselves “Who needs this data and why?”. Once that question is answered, reasonable precautions should be taken to protect that data from people who don’t need access to it.
  2. Failure to “prevent data loss by establishing data protection controls”: Verkada allegedly didn’t separate sensitive personal information from other data to adequately protect it. If your company has sensitive personal information (which you probably do if the TCPA affects your business), that information needs to be categorized and protected during both transmission and storage.
  3. Failure to “adequately encrypt customer’s data in transit or at rest”: This is another area where companies forget to take basic precautions. Encrypt the data you have.
  4. Failure to “develop adequate written information security standards, policies, procedures, and practices”: Essentially, per the complaint, Verkada had a “paper information security program”. There was no compliance with the program. There was no training on the program. It was just written down. You must write it down and follow the standards.

CAN-SPAM Violations, really?

Yes, really.

We don’t see a lot of CAN-SPAM violations, generally because it’s not that difficult to abide by. You would think that if a company is going to focus on email to the tune of 10x their email volume in 2 years (!!!), that they would at least be CAN-SPAM compliant.

But, not our friends at Verkada.

The FTC alleges that Verkada sent emails out without any way for a consumer to unsubscribe from the emails, they sent out emails without “consistently includ[ing] a physical address,” and they failed to honor opt-outs within 10 business days.

Basically, Verkada was not doing any basic email hygiene. Again, these are baffling allegations for a company that went from sending 2 million emails in 2019 to sending over 22 million in 2021. The volume suggests “We run a sophisticated email business”, but the alleged practices suggest “We just blast out emails and hope for the best”.

Fake Reviews too?

The final thing I want to point out is the alleged use of fake reviews.

The FTC claims employees and investors of Verkada posted positive reviews about the company and failed to disclose their relationship with the company.

“As of June 2023, almost 35% of [Verkada]’s Google Maps ratings and reviews were posted by Defendant’s employees or a venture capital investor…In fact, since [Verkada] became aware of the Commission’s investigation, more than ten additional positive ratings and reviews have been posted by individuals associated with [Verkada].”

Wow. The FTC gave notice of the investigation and the reviews kept going up. As discussed prior, this would be a violation of the FTC’s new Fake Reviews Rule.

Again, while not your typical TCPAWorld update, there’s enough meat here to satisfy most readers. Basic compliance tasks can prevent a world of problems from the FTC.
