
Imagine lying in a hospital bed and suddenly feeling like you’re being watched—but not by hospital staff. According to a complaint filed by the Department of Justice upon notification and referral from the FTC, surveillance camera company Verkada Inc. failed to provide reasonable security for the personal information it collected—including 150,000 live camera feeds in sensitive areas like psychiatric hospitals, women’s health clinics, elementary schools, and prison cells.

These failures allowed a threat actor, in March 2021, to remotely access Verkada’s customer camera feeds and watch consumers live, without their knowledge or consent. Despite the invasive security breach, Verkada remained unaware of the threat actor’s intrusive exploration until the threat actor self-reported the hack to the media.

The vast majority of Verkada’s customers, throughout the U.S. and abroad, are small businesses spanning multiple industries, including education, government, healthcare, and hospitality. Given the company’s extensive reach, odds are you’ve been captured by one of Verkada’s security cameras and don’t even know it.

But the FTC says the compromise went beyond Verkada’s security cameras. According to the complaint, the threat actor also exfiltrated data about Verkada’s own customers, mostly businesses, including: names, email addresses, physical addresses, usernames and password hashes, geolocation data for security cameras…and the list goes on.

Verkada’s security failures are in stark contrast to its many public promises to keep personal and customer information safe. According to the complaint, Verkada’s own privacy policy claimed “[a]t Verkada, we take customer privacy seriously,” and “[w]e will use best-in-class data security tools and best practices to keep your data safe and protect the Verkada Products from unauthorized access.” Also, Verkada publicly promised that it was HIPAA certified or compliant and that it followed the EU-U.S. and Swiss-U.S. Privacy Shield principles. The FTC’s complaint alleges that all these representations were deceptive.

But poor data security is only part of the story. The complaint also claims Verkada misrepresented that online consumer ratings and reviews of the company and its products reflected the experiences or opinions of ordinary, impartial customers. In reality, the FTC says Verkada employees submitted five-star reviews and ratings. In another twist, the complaint also claims Verkada’s email marketing practices violated the CAN-SPAM Act. For instance, in 2021, Verkada sent over 22 million (often unwelcome) marketing emails to prospective customers but failed to honor “unsubscribe” requests on numerous occasions, did not include a valid physical postal address in its marketing emails, and didn’t provide a clear and conspicuous “opt-out” notice in its commercial emails.

To settle the FTC’s case, the company has agreed to a proposed order that prohibits Verkada from: (1) misrepresenting its privacy and security practices, (2) misrepresenting its compliance with HIPAA and Privacy Shield, (3) misrepresenting the status of any person leaving online reviews or ratings about the company, and (4) violating the CAN-SPAM Act. The proposed order will also require Verkada to implement an information security program, including encryption of information and multi-factor authentication to access such information. This information security program will be subject to outside assessments. With respect to Verkada’s CAN-SPAM Act violations, the company will pay a civil penalty of $2.95 million to settle allegations that its aggressive marketing tactics violated the law.

What key points can your company take away from the FTC’s action against Verkada?

Hold up your company’s data security practices next to the Verkada complaint allegations. Notice any similarities? While appropriate data security is very specific to your organization, it is helpful to review examples where Verkada failed to secure the information it maintained. For example, the FTC charged that the company failed to implement unique and complex passwords and lacked appropriate alerts and monitoring for unauthorized attempts to transfer personal and customer information. Once you’ve reviewed your company’s data security practices, go one step further and make sure that what your company is saying about those practices is true.

Don’t fake it until you make it . . . we can tell. Through this law enforcement action and a recent rule banning fake reviews and testimonials, the FTC continues to send a clear message to companies about fake online reviews and ratings: You can’t mislead consumers by pretending to be a customer and leaving a glowing review of your own business’s product or service online. Your employees, contractors, investors, or anyone associated with your company must clearly disclose their relationship if making an online endorsement.

Consider a CAN-SPAM compliance check for your business. If you’ve never heard of the CAN-SPAM Act or it’s been a while since you’ve taken a close look at your email marketing policies, read the FTC’s CAN-SPAM Act: A Compliance Guide for Business. This guide outlines helpful compliance tips, such as honoring email recipient opt-out requests in a timely manner and including your business address in your email marketing messages. Review these tips to make sure your marketing dreams don’t become marketing nightmares.

