San Mateo-based Verkada Inc., specializing in cloud-based security, has been hit with a hefty fine and stringent oversight measures following allegations of unlawful email practices and lackluster data protection. As detailed by the U.S. Department of Justice, the company has agreed to a settlement that includes a civil penalty of $2.95 million, rectification of its commercial email practices, and a comprehensive enhancement of its data security infrastructure. The conclusion of this legal skirmish underscores the high stakes in maintaining consumer trust in an increasingly digital world.
The grievances against Verkada included a failure to manage access to sensitive data and inadequate encryption, which exposed hospital and school security footage to potential unauthorized access. According to the U.S. Department of Justice, the company also misrepresented its compliance with the Health Insurance Portability and Accountability Act (HIPAA) and sent promotional emails without clear opt-out instructions or a valid postal address, violating the CAN-SPAM Act.
In resolving these allegations, the stipulated order not only levies the financial penalty but also mandates compliance with the CAN-SPAM Act, which includes honoring opt-out requests for commercial emails. Furthermore, Verkada is now prohibited from misrepresenting its data security practices and must develop and adhere to a rigorous information security program. This program will undergo periodic reviews by third-party assessors to ensure ongoing compliance with the stringent standards.
"This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk," Brian M. Boynton, Principal Deputy Assistant Attorney General, remarked, as per the U.S. Department of Justice. The Justice Department and the FTC have committed to holding companies accountable for compromising consumer data protection. "When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do," added FTC’s Bureau of Consumer Protection Director Samuel Levin, pointing out the breach of consumer expectations, as cited by the U.S. Department of Justice.
The case was pursued by a dedicated legal team including Trial Attorneys Cameron A. Brown and Amanda K. Kelly, Senior Trial Attorney James T. Nelson, and Assistant Director Zachary A. Dietert of the Civil Division's Consumer Protection Branch, along with Assistant U.S. Attorney Vivian Wang for the Northern District of California. They worked closely with the FTC's Division of Privacy and Identity Protection to ensure this outcome.