On August 30, 2024, the Federal Trade Commission (FTC) announced a proposed settlement with security camera manufacturer Verkada Inc., claiming Verkada committed a variety of unfair or deceptive acts or practices in violation of § 5 of the Federal Trade Commission Act and CAN-SPAM in connection with a security breach.  (The U.S. Department of Justice filed that complaint and proposed stipulated joint order on behalf of the FTC.)  Verkada does not admit or deny the claims (Order, para. 4).

Background

According to the complaint, Verkada developed and sold security cameras and other surveillance products to businesses, including schools and medical facilities.  Between 2019 and 2021, Verkada sold over 240,000 cameras linked to Verkada’s platform, which gave customers remote access to the cameras and to stored surveillance footage.  Verkada collected metadata about security camera usage (including IP addresses and locations) as well as customer names, addresses, usernames and passwords, site floorplans, names of organizational contacts and Wi-Fi credentials.

The video cameras collected images of individuals, including patients and schoolchildren, as well as sensitive personal information (including medical records).  The complaint states that Verkada offered its customers “People Analytics,” which allowed customers to search through video images collected for gender, clothing color, and/or to use facial recognition.

According to the complaint, Verkada’s website made several claims about its security practices, including claims that it was HIPAA certified and compliant with the EU-US Privacy Shield.  The complaint alleges that Verkada sent out large numbers of commercial emails but did not include functional opt-out features, and also did not honor opt-outs it did receive.  The complaint further claims that Verkada did not include a clear and conspicuous opportunity to opt out in its emails and did not consistently include a physical postal address.

Paragraph 20 of the complaint asserts that Verkada did not take reasonable measures to secure the customer and consumer data, listing “Defendant’s information security failures” as follows:

a. Impose reasonable access management controls such as:

   i. requiring unique and complex passwords (i.e., long passwords not used by the individual for any other online service);

   ii. enforcing role-based access controls to safeguard personal information, such as implementing the principle of least privilege and requiring multi-factor authentication for account access across all of Defendant’s systems;

   iii. issuing alerts for activities, such as unsuccessful logins to administrative accounts and the addition or removal of any account with administrative privileges;

b. Prevent data loss by establishing data protection controls, such as:

   i. performing data discovery and categorization for all sensitive personal information to ensure it is appropriately protected during transmission and storage;

   ii. implementing a data loss prevention solution that monitors for suspicious activities such as unauthorized data access and exfiltration; and

   iii. performing regular assessments to determine the effectiveness of protection measures;

c. Implement centralized logging and alerting capabilities;

d. Develop adequate security vulnerability management standards, policies, procedures, and practices such as:

   i. testing, auditing, assessing, or reviewing its products, or applications; security features; and

   ii. conducting regular risk assessments, vulnerability scans, and penetration testing of its networks and databases;

e. Implement secure network controls, such as disabling unnecessary ports, protocols, and services, and properly configuring firewall settings;

f. Adequately encrypt customer’s data in transit or at rest; and

g. Develop adequate written information security standards, policies, procedures, and practices; assess or enforce compliance with the written standards, policies, procedures, and practices that it did have; and implement training for employees (including engineers) regarding such standards, policies, procedures and practices.
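Item (a)(iii) of the list above (alerting on unsuccessful logins to administrative accounts and on the addition or removal of admin-privileged accounts) is concrete enough to show as detection logic.  The following is an added illustration written for this write-up, not code from the complaint or from Verkada; the JSON-lines log format, the field names, the sample events and the starting admin list are all constructed assumptions.  It replays an audit log in order and keeps the set of privileged accounts current from the role-change events it sees, so a failed login is judged against the privileges the account held at that moment.

```python
import json

# Constructed sample of a JSON-lines audit log (a hypothetical format, not
# Verkada's). The jdoe login failure at 10:02 occurs before jdoe is granted
# admin; the one at 10:07 occurs after, and must therefore be alerted on.
SAMPLE_LOG = """\
{"ts": "2024-08-30T10:00:01Z", "event": "login", "user": "support-admin", "result": "failure", "src": "203.0.113.7"}
{"ts": "2024-08-30T10:00:05Z", "event": "login", "user": "support-admin", "result": "failure", "src": "203.0.113.7"}
{"ts": "2024-08-30T10:00:09Z", "event": "login", "user": "support-admin", "result": "success", "src": "203.0.113.7"}
{"ts": "2024-08-30T10:02:00Z", "event": "login", "user": "jdoe", "result": "failure", "src": "198.51.100.2"}
{"ts": "2024-08-30T10:05:00Z", "event": "role_change", "user": "jdoe", "role": "admin", "action": "grant", "actor": "support-admin"}
{"ts": "2024-08-30T10:06:00Z", "event": "role_change", "user": "old-admin", "role": "admin", "action": "revoke", "actor": "support-admin"}
{"ts": "2024-08-30T10:07:00Z", "event": "login", "user": "jdoe", "result": "failure", "src": "198.51.100.2"}
not json at all
"""

# Assumed starting set of privileged accounts (e.g. exported from the IdP).
INITIAL_ADMINS = {"support-admin", "old-admin"}


def alerts_for(log_text, initial_admins):
    """Replay the log in order and return the alerts it should raise.
    The privileged-account set is updated from role_change events as they
    appear, so each login failure is judged against the privileges the
    account held at that moment rather than against a stale list."""
    admins = set(initial_admins)
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            # An unparseable line is surfaced, not dropped: silent loss hides events.
            alerts.append({"kind": "unparseable_log_line", "line": lineno})
            continue
        if e.get("event") == "login" and e.get("result") == "failure" \
                and e.get("user") in admins:
            alerts.append({"kind": "admin_login_failure", "ts": e["ts"],
                           "user": e["user"], "src": e.get("src")})
        elif e.get("event") == "role_change" and e.get("role") == "admin":
            if e.get("action") == "grant":
                admins.add(e["user"])
                kind = "admin_added"
            else:  # revoke (or any other removal) drops the privilege
                admins.discard(e["user"])
                kind = "admin_removed"
            alerts.append({"kind": kind, "ts": e["ts"], "user": e["user"],
                           "actor": e.get("actor")})
    return alerts
```

Calling `alerts_for(SAMPLE_LOG, INITIAL_ADMINS)` on the constructed log yields two failures for support-admin, one grant, one revoke, the post-grant failure for jdoe, and one unparseable-line alert; the pre-grant jdoe failure is correctly ignored.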

Paragraph 3 of the complaint states that these “failures allowed a threat actor to access Defendant’s customer support accounts, view customer cameras, and access personal information relating to customers and consumers.”

The complaint included two counts of unfair information security practices in violation of § 5 of the FTC Act (one count for consumers and one for business customers), and five counts of deception in violation of § 5 (two counts of information security misrepresentations; one for HIPAA compliance misrepresentations; one for Privacy Shield misrepresentations; and two counts related to the failure to disclose that some online reviews were from individuals with “material connections” to Verkada and thus were not “impartial”).  The complaint also included three counts relating to CAN-SPAM (failure to honor opt-outs; failure to provide notice of the opt-out opportunity; and failure to provide a physical postal address).  CAN-SPAM provides for civil penalties, and these formed the basis of the $2.95 million proposed settlement.

The proposed order contains many provisions similar to previous FTC settlements, but there are a few items that are particularly noteworthy:

“Customer Information” [note this is not “consumer” information] includes not only user account credentials and email addresses, but also site floorplans, names and titles of customer contacts, Wi-Fi credentials; metadata about product usage and “access control elements, including access levels, access groups, and badge numbers.”

“Personal information” includes not only names, addresses, and birthdates, but also live camera footage, video archives, still images or photos, and audio recordings.

The proposed order would last for 20 years and prohibits misrepresentations and violations of CAN-SPAM, and it would require that the company implement an information security program (including someone responsible for overseeing it as well as multi-factor authentication) and obtain third-party assessments.  The proposed order contains an interesting prohibition on the third-party assessor:  “No finding of any Assessment shall rely primarily on assertions or attestations by Defendant’s management.”

Our Take

There seems to be a trend developing among regulators, outlining the elements of “reasonable security.”  This proposed judgment marks the third within two months that focuses on what is (or is not) “reasonable security.”  The first settlement involved the New York Attorney General’s interpretation of New York’s SHIELD Act (see our write-up here); the second consent involved the California Attorney General’s requirements (involving Blackbaud, here); and this one is from the Federal Trade Commission.

Yet these three regulators, acting under very different laws, each found that “reasonable security” includes all of the following elements; these elements certainly are not sufficient on their own to demonstrate “reasonable security,” but all three regulators found each of them to be necessary:

  • Designation of an individual in charge of the information security program;
  • Encryption of personal data;
  • Intrusion detection and prevention;
  • Multi-factor authentication;
  • Password management; and
  • Segmentation/limiting access.

And each proposed settlement included a multi-million-dollar payment.

Importantly, here the FTC did not focus only on the personal information of consumers, but also on the confidential business information of Verkada’s customers.  This expansion is significant because breach notification laws focus entirely on personal information and, absent a contract or affirmative representations, a victim of a security incident is not obligated to notify another business of the loss of that business’s information.