LEGAL NEWSLINE

Thursday, September 19, 2024

Verkada settles lawsuit over alleged email violations with $2.95M penalty

Merrick B. Garland Attorney General at U.S. Department of Justice | Official Website

The Justice Department and the Federal Trade Commission (FTC) announced today that Verkada Inc., a cloud-based security company headquartered in San Mateo, California, has agreed to a settlement requiring it to pay a $2.95 million civil penalty and implement extensive data security measures. This settlement resolves allegations that Verkada violated the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act and engaged in unfair and deceptive practices in violation of the Federal Trade Commission Act.

In a complaint filed in the U.S. District Court for the Northern District of California, the United States alleges that Verkada failed to implement reasonable security measures such as appropriate access management and data protection controls and adequate encryption of customer data. These failures allegedly exposed sensitive information — including security-camera footage of consumers visiting locations like hospitals and schools — to unauthorized access. The complaint additionally alleges that Verkada misrepresented the extent to which it used appropriate data security safeguards and complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The complaint also alleges that Verkada sent numerous promotional emails that failed to clearly and conspicuously notify recipients of their opportunity to opt out of such messages, failed to include a valid physical postal address, and did not honor requests to opt out from its promotional emails within ten business days of receiving those requests, all in violation of the CAN-SPAM Act.

To resolve the lawsuit, the parties agreed to a settlement reflected by the stipulated order issued today by the Court. The stipulated order requires Verkada to pay a $2.95 million civil penalty and comply with the CAN-SPAM Act, including honoring requests to opt out of its commercial emails. The stipulated order also prohibits Verkada from misrepresenting its data security practices and requires it to establish a comprehensive information security program and undergo regular third-party assessments of its data security practices.

“This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will continue to work with the FTC to hold companies accountable for such violations.”

“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said Director Samuel Levin of the FTC’s Bureau of Consumer Protection. “Companies that fail to secure and protect consumer data can expect to be held responsible.”

Trial Attorneys Cameron A. Brown and Amanda K. Kelly, Senior Trial Attorney James T. Nelson, Assistant Director Zachary A. Dietert of the Civil Division’s Consumer Protection Branch, and Assistant U.S. Attorney Vivian Wang for the Northern District of California are handling the case in coordination with staff from the FTC’s Division of Privacy and Identity Protection.

For more information about the Consumer Protection Branch's enforcement efforts, visit www.justice.gov/civil/consumer-protection-branch; for more on the FTC, visit www.FTC.gov.
