The Federal Trade Commission (FTC) has mandated that security camera firm Verkada develop and implement a comprehensive information security program to settle allegations of inadequate information security practices, which allowed a hacker to access customers' security cameras.
Under the proposed order, which is pending approval by a federal judge, Verkada will also pay a $2.95 million penalty for inundating prospective customers with commercial emails in violation of the CAN-SPAM Act. This is the largest penalty obtained by the FTC for a CAN-SPAM violation.
A complaint filed by the Department of Justice (DOJ), following notification from the FTC, alleged that Verkada's poor information security practices enabled a hacker to access internet-connected security cameras, exposing sensitive footage from psychiatric hospitals and women's health clinics. The complaint also accused Verkada of failing to disclose that employees and a venture capital investor posted positive reviews about its products without revealing their association with the company.
The complaint further alleged that Verkada violated the CAN-SPAM Act by sending numerous commercial emails without providing an option to unsubscribe or opt out, honoring opt-out requests, or including a physical postal address in the emails.
"When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do," said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. "Companies that fail to secure and protect consumer data can expect to be held responsible."
"This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk," said Brian M. Boynton, Principal Deputy Assistant Attorney General of the DOJ’s Civil Division. "We will continue to work with the FTC to hold companies accountable for such violations."
Verkada, based in California, sells IP-enabled security cameras and other physical security offerings globally. Despite claims in its privacy policy and other materials about prioritizing data security and customer privacy, Verkada allegedly failed to implement adequate measures such as requiring unique passwords and encrypting customer data.
The complaint states that these lapses led to at least two breaches between December 2020 and March 2021. In one breach, a hacker accessed video footage from over 150,000 cameras along with other customer information.
Additionally, Verkada misled consumers regarding its compliance with HIPAA and Privacy Shield frameworks. The company also did not disclose that certain online reviews were written by employees or investors associated with it.
The proposed order includes prohibitions against making false statements about privacy and data security practices and mandates third-party audits of Verkada's new information security program. It also bars further violations of the CAN-SPAM Act.
The FTC voted unanimously (5-0) to refer this matter to the DOJ. The DOJ subsequently filed it in the U.S. District Court for the Northern District of California. Commissioner Melissa Holyoak issued a concurring statement.
The lead staff attorneys on this case are Jacqueline Ford and Kamay Lafalaise from the FTC’s Bureau of Consumer Protection.
The Federal Trade Commission works towards promoting competition while protecting and educating consumers on various topics related to fraud prevention through its website consumer.ftc.gov.