Verkada reaches settlement with FTC

SAN MATEO, Calif. — Verkada has reached an agreement with the Federal Trade Commission (FTC) resolving an investigation into a data security incident in March 2021 and, separately, marketing practices from 2019-21.  

“We do not agree with the FTC's allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way,” the company said in an online statement. 

Data security incident 

As part of the settlement, Verkada will have to develop and implement a comprehensive information security program that includes, among other things, third-party audits, to prevent hackers from being able to access the security cameras of its customers. 

“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release. “Companies that fail to secure and protect consumer data can expect to be held responsible.” 

In March 2021, attackers compromised Verkada’s platform, gaining access to security camera footage for 97 of its then 6,000 customers.  

“It is important to note that only some of the 150,000 live customer cameras the hacker had access to were actually accessed,” a company representative stated in an email to Security Systems News. “There is no evidence that the hacker accessed more than a subset of the cameras owned by 97 customers (out of approximately 6,000 total customers at the time).”  

Verkada says it was able to contain the attackers within two hours of discovering that its platform had been compromised. Additionally, since the incident, the company has achieved both SOC 2 Type1 and SOC 2 Type 2 compliance, among other certifications, to bolster its data security.  

Marketing practices 

While Verkada did not pay a fine for the data security incident, the company did agree to pay $2.95 million to resolve the FTC’s claims that the company did not follow certain CAN-SPAM Act requirements, such as the requisite language in email footers and certain opt-out protocols. 

“We disagree with their allegations, but more importantly, we overhauled our CAN-SPAM compliance starting in 2019,” the company said in an online statement. “We have acquired tools and platforms to better facilitate CAN-SPAM compliance, made it easier to opt-out from our promotional emails by establishing a dedicated webpage where customers can control their email preferences, mandated use of a standardized email footer that always includes a physical address and a link to the webpage, and adopted more robust policies and training. We continue to prioritize these efforts.”