FTC Takes Action Against Security Camera Firm Verkada over Charges it Failed to Secure Videos Other Personal Data and Violated CANSPAM Act Federal Trade Commission
pAn official website of the United States governmentppHeres how you knowpp
The gov means its official
Federal government websites often end in gov or mil Before sharing sensitive information make sure youre on a federal government site
pp
The site is secure
The https ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely
ppWe enforce federal competition and consumer protection laws that prevent anticompetitive deceptive and unfair business practicesppView EnforcementppFind legal resources and guidance to understand your business responsibilities and comply with the lawppBrowse legal resourcesppView all Competition Matters Blog postsppWe work to advance government policies that protect consumers and promote competitionppView PolicyppFind legal resources and guidance to understand your business responsibilities and comply with the lawppBrowse legal resourcesppMemo from Chair Lina M Khan to commission staff and commissioners regarding the vision and priorities for the FTCppLearn moreppView all Technology Blog postsppLearn more about your rights as a consumer and how to spot and avoid scams Find the resources you need to understand how consumer protection law impacts your businessppVisit militaryconsumergovppVisit consumergovppVisit Competition CountsppCompetition GuidanceppView News and EventsppView more EventsppSign up for the latest newsppVisit the Noncompetes feature page for more information including factsheets featuring stories on how the rule can benefit AmericansppExplore refund statistics including where refunds were sent and the dollar amounts refunded with this visualizationppOur mission is protecting the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement advocacy research and educationppLearn more about the FTCppLina M Khan was sworn in as Chair of the Federal Trade Commission on June 15 2021ppChair Lina M KhanppLooking for legal documents or records Search the Legal Library insteadppLooking for legal documents or records Search the Legal Library insteadppTagsppThe Federal Trade Commission will require security camera firm Verkada to develop and implement a comprehensive information security program to settle allegations the company failed to use appropriate information security practices which allowed a hacker to access customers security camerasppUnder a proposed order which must be approved by a federal judge before it can go into effect Verkada will also be required to pay a 295 million monetary penalty to settle allegations the company inundated prospective customers with commercial emails in violation of the CANSPAM Act the largest penalty obtained by the FTC for a CANSPAM violationppA complaint filed by the Department of Justice DOJ upon notification and referral from the FTC alleged that Verkada failed to use appropriate information security practices to protect consumers personal information which allowed a hacker to access internetconnected security cameras and view patients in psychiatric hospitals and womens health clinics The complaint also charged that Verkada was aware that employees and a venture capital investor posted positive ratings and reviews of Verkada and its products but failed to disclose their association or current employment status with Verkada ppThe complaint also alleged that Verkada violated the CANSPAM Act Controlling the Assault of NonSolicited Pornography and Marketing by flooding prospective customers with a barrage of commercial emails and failing to include the option to unsubscribe or optout honor optout requests and provide a physical postal address in the emailsppWhen customers invite companies into private spaces to monitor consumers by using their security cameras and other products they expect those companies to provide basic levels of security which Verkada failed to do said Samuel Levine Director of the FTCs Bureau of Consumer Protection Companies that fail to secure and protect consumer data can expect to be held responsibleppThis settlement underscores the importance of robust data security measures especially for companies that are themselves in the security industry Failure to protect sensitive information puts consumers at risk said Brian M Boynton Principal Deputy Assistant Attorney General of the Department of Justices Civil Division We will continue to work with the FTC to hold companies accountable for such violationsppCaliforniabased Verkada sells IPenabled security cameras and other physical security offerings to thousands of customers both in the United States and overseas including those that operate from sensitive locations like schools and hospitals In its privacy policy press releases blog posts and other materials Verkada claimed it takes data security and customer privacy seriously For example in its privacy policy in 2018 the company claimed it uses bestinclass data security tools and best practices to keep your data safe and protect the Verkada Products from unauthorized accessppThe complaint alleges that despite such claims Verkada failed to provide appropriate security measures to protect the personal information it collects which includes sensitive video footage from its security cameras as well as data about customer accounts such as names email addresses passwords and site floorplans For example the company failed to require unique and complex passwords adequately encrypt customer data and implement secure network controlsppAs a result of these security failures the complaint alleges the company experienced at least two security breaches between December 2020 and March 2021 In the March 2021 breach the hacker had access to over 150000 live Verkada customer cameras as well as other customer information such as physical addresses audio recordings and customer WiFi credentialsppAdditionally Verkada misled consumers with respect to its compliance with the Health Insurance Portability and Accountability Act of 1996 HIPAA the EUUS Privacy Shield framework and the SwissUS Privacy Shield framework According to the complaint Verkadas security practices were not compliant with either HIPAA or either Privacy Shield frameworkppThe complaint further alleges that Verkada also misled consumers by failing to disclose that certain online consumer ratings and reviews of its camera products were written by Verkada employees and a venture capital investor according to the complaint For example a venture capitalist who invested in Verkada posted a fivestar rating and positive review on Google Maps ppLastly the complaint alleges that Verkada violated the CANSPAM Act in several ways According to the complaint Verkada relied on commercial email campaigns to help market its products sending more than 30 million commercial emails over a threeyear period Verkadas commercial emails violated the CANSPAM Act in four ways including not honoring email recipients requests to unsubscribeppIn addition to the monetary penalty the proposed order also will prohibit the company from making misrepresentations about Verkadas privacy and data security practices and require it to implement a comprehensive information security program with thirdparty audits The proposed order also will prohibit Verkada from violating the CANSPAM ActppThe Commission voted 50 to refer the complaint and stipulated order to DOJ The DOJ filed the complaint and stipulated order in the US District Court for the Northern District California Commissioner Melissa Holyoak issued a separate concurring statementppNOTE The Commission authorizes the filing of a complaint when it has reason to believe that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest Stipulated orders have the force of law when approved and signed by the District Court judgeppThe lead staff attorneys on this matter are Jacqueline Ford and Kamay Lafalaise from the FTCs Bureau of Consumer ProtectionppThe Federal Trade Commission works to promote competition and protect and educate consumers The FTC will never demand money make threats tell you to transfer money or promise you a prize Learn more about consumer topics at consumerftcgov or report fraud scams and bad business practices at ReportFraudftcgov Follow the FTC on social media read consumer alerts and the business blog and sign up to get the latest FTC news and alertsppBlog FTC Says Surveillance Camera Company Verkada Has A Lotta Explaining To Do After Lax Data Security Practices and Morep
The gov means its official
Federal government websites often end in gov or mil Before sharing sensitive information make sure youre on a federal government site
pp
The site is secure
The https ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely
ppWe enforce federal competition and consumer protection laws that prevent anticompetitive deceptive and unfair business practicesppView EnforcementppFind legal resources and guidance to understand your business responsibilities and comply with the lawppBrowse legal resourcesppView all Competition Matters Blog postsppWe work to advance government policies that protect consumers and promote competitionppView PolicyppFind legal resources and guidance to understand your business responsibilities and comply with the lawppBrowse legal resourcesppMemo from Chair Lina M Khan to commission staff and commissioners regarding the vision and priorities for the FTCppLearn moreppView all Technology Blog postsppLearn more about your rights as a consumer and how to spot and avoid scams Find the resources you need to understand how consumer protection law impacts your businessppVisit militaryconsumergovppVisit consumergovppVisit Competition CountsppCompetition GuidanceppView News and EventsppView more EventsppSign up for the latest newsppVisit the Noncompetes feature page for more information including factsheets featuring stories on how the rule can benefit AmericansppExplore refund statistics including where refunds were sent and the dollar amounts refunded with this visualizationppOur mission is protecting the public from deceptive or unfair business practices and from unfair methods of competition through law enforcement advocacy research and educationppLearn more about the FTCppLina M Khan was sworn in as Chair of the Federal Trade Commission on June 15 2021ppChair Lina M KhanppLooking for legal documents or records Search the Legal Library insteadppLooking for legal documents or records Search the Legal Library insteadppTagsppThe Federal Trade Commission will require security camera firm Verkada to develop and implement a comprehensive information security program to settle allegations the company failed to use appropriate information security practices which allowed a hacker to access customers security camerasppUnder a proposed order which must be approved by a federal judge before it can go into effect Verkada will also be required to pay a 295 million monetary penalty to settle allegations the company inundated prospective customers with commercial emails in violation of the CANSPAM Act the largest penalty obtained by the FTC for a CANSPAM violationppA complaint filed by the Department of Justice DOJ upon notification and referral from the FTC alleged that Verkada failed to use appropriate information security practices to protect consumers personal information which allowed a hacker to access internetconnected security cameras and view patients in psychiatric hospitals and womens health clinics The complaint also charged that Verkada was aware that employees and a venture capital investor posted positive ratings and reviews of Verkada and its products but failed to disclose their association or current employment status with Verkada ppThe complaint also alleged that Verkada violated the CANSPAM Act Controlling the Assault of NonSolicited Pornography and Marketing by flooding prospective customers with a barrage of commercial emails and failing to include the option to unsubscribe or optout honor optout requests and provide a physical postal address in the emailsppWhen customers invite companies into private spaces to monitor consumers by using their security cameras and other products they expect those companies to provide basic levels of security which Verkada failed to do said Samuel Levine Director of the FTCs Bureau of Consumer Protection Companies that fail to secure and protect consumer data can expect to be held responsibleppThis settlement underscores the importance of robust data security measures especially for companies that are themselves in the security industry Failure to protect sensitive information puts consumers at risk said Brian M Boynton Principal Deputy Assistant Attorney General of the Department of Justices Civil Division We will continue to work with the FTC to hold companies accountable for such violationsppCaliforniabased Verkada sells IPenabled security cameras and other physical security offerings to thousands of customers both in the United States and overseas including those that operate from sensitive locations like schools and hospitals In its privacy policy press releases blog posts and other materials Verkada claimed it takes data security and customer privacy seriously For example in its privacy policy in 2018 the company claimed it uses bestinclass data security tools and best practices to keep your data safe and protect the Verkada Products from unauthorized accessppThe complaint alleges that despite such claims Verkada failed to provide appropriate security measures to protect the personal information it collects which includes sensitive video footage from its security cameras as well as data about customer accounts such as names email addresses passwords and site floorplans For example the company failed to require unique and complex passwords adequately encrypt customer data and implement secure network controlsppAs a result of these security failures the complaint alleges the company experienced at least two security breaches between December 2020 and March 2021 In the March 2021 breach the hacker had access to over 150000 live Verkada customer cameras as well as other customer information such as physical addresses audio recordings and customer WiFi credentialsppAdditionally Verkada misled consumers with respect to its compliance with the Health Insurance Portability and Accountability Act of 1996 HIPAA the EUUS Privacy Shield framework and the SwissUS Privacy Shield framework According to the complaint Verkadas security practices were not compliant with either HIPAA or either Privacy Shield frameworkppThe complaint further alleges that Verkada also misled consumers by failing to disclose that certain online consumer ratings and reviews of its camera products were written by Verkada employees and a venture capital investor according to the complaint For example a venture capitalist who invested in Verkada posted a fivestar rating and positive review on Google Maps ppLastly the complaint alleges that Verkada violated the CANSPAM Act in several ways According to the complaint Verkada relied on commercial email campaigns to help market its products sending more than 30 million commercial emails over a threeyear period Verkadas commercial emails violated the CANSPAM Act in four ways including not honoring email recipients requests to unsubscribeppIn addition to the monetary penalty the proposed order also will prohibit the company from making misrepresentations about Verkadas privacy and data security practices and require it to implement a comprehensive information security program with thirdparty audits The proposed order also will prohibit Verkada from violating the CANSPAM ActppThe Commission voted 50 to refer the complaint and stipulated order to DOJ The DOJ filed the complaint and stipulated order in the US District Court for the Northern District California Commissioner Melissa Holyoak issued a separate concurring statementppNOTE The Commission authorizes the filing of a complaint when it has reason to believe that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest Stipulated orders have the force of law when approved and signed by the District Court judgeppThe lead staff attorneys on this matter are Jacqueline Ford and Kamay Lafalaise from the FTCs Bureau of Consumer ProtectionppThe Federal Trade Commission works to promote competition and protect and educate consumers The FTC will never demand money make threats tell you to transfer money or promise you a prize Learn more about consumer topics at consumerftcgov or report fraud scams and bad business practices at ReportFraudftcgov Follow the FTC on social media read consumer alerts and the business blog and sign up to get the latest FTC news and alertsppBlog FTC Says Surveillance Camera Company Verkada Has A Lotta Explaining To Do After Lax Data Security Practices and Morep
