FTC Imposes Record Penalty on Verkada for Data Security Failures and CAN-SPAM Violations
On August 30, 2024, the Federal Trade Commission (FTC) released a proposed order against the security camera firm Verkada, requiring the company to develop and implement a comprehensive information security program. This action followed allegations that Verkada’s inadequate security practices allowed a hacker to gain access to customers’ security cameras. The proposed order must be approved by a federal judge before it can go into effect.
Key Points
- Verkada will be required to pay a $2.95 million fine for violating the CAN-SPAM Act, marking the largest penalty the FTC has ever imposed for such a violation. This penalty addresses allegations that Verkada flooded customers with commercial emails without proper unsubscribe options;
- The company is also required to create and enforce a comprehensive information security program to address data security failures. This includes third-party audits to ensure compliance;
- The FTC’s complaint, filed by the Department of Justice (DOJ), alleges that Verkada’s inadequate security practices allowed a hacker to access sensitive video footage from its security cameras. This breach affected data from psychiatric hospitals and women’s health clinics;
- Verkada is accused of failing to implement basic security measures such as unique passwords, data encryption, and secure network controls;
- Verkada is charged with misleading consumers about its adherence to data protection standards including HIPAA and the EU-U.S. and Swiss-U.S. Privacy Shield frameworks;
- The company is also accused of misleading consumers by not disclosing that some positive online reviews of its products were written by its employees and a venture capital investor;
- The proposed order will prohibit Verkada from making false claims about its privacy and data security practices. It will also enforce compliance with the CAN-SPAM Act and require regular third-party audits of its security practices.
Implications for Businesses
The FTC’s action highlights the need to regularly review and update your data security practices to ensure they comply with best practices and regulatory requirements. Businesses are advised to assess their current security and marketing practices to adhere to current regulations.
NEED HELP WITH PRIVACY LAW COMPLIANCE?
The CommLaw Group Can Help!
If your company has questions about its data privacy obligations under state and federal laws or would like to reassess its data collection and processing practices in compliance with state regulation, please contact us:
Linda McReynolds – Tel: 703-714-1318 / E-mail: lgm@commlawgroup.com
Diana James – Tel: 703-663-6757 / E-mail: daj@commlawgroup.com