Verkada: Data Protection Issues
On Aug. 30, 2024, the Federal Trade Commission filed an agreed lawsuit against Verkada, Inc.1 The FTC makes several allegations in its complaint that range from failure to use appropriate information security practices to protect customers’ and consumers’ personal information collected through the company’s security cameras, making false statements regarding compliance with HIPAA and Privacy Shield, failure to disclose that specific positive reviews were created by people associated with the company, and violations of the CAN-SPAM Act.2 Since I work in email deliverability and privacy/data protection, this is the perfect case for me, so let’s take a deeper look at the data protection issues.
Why is data protection important?
Verkata provides cloud-based building security to organizations ranging from education to government, healthcare to hotels. According to the FTC, the company “protects” by collecting a large amount of data on people. Some of that is expected, such as identifying information regarding customers and users. That information includes things like IP addresses and locations of cameras, the names and physical addresses of customers, usernames and password hashes, site floorplans, the names and titles of organization contacts, and Wi-Fi credentials.3 None of that should be shocking to learn.
Perhaps more concerning to people is the data that they collect about others. Verkada’s security cameras collect video footage from its cameras. Depending on distance and lighting, this data might consist of people’s faces and voices and even readable medical or educational records images (since video footage is collected from locations including hospitals and schools). Verkada’s system also includes a “People Analytics” feature that allows customers to view high-resolution images of all consumers whose likenesses have either been recorded by their security cameras or uploaded by the customer to Verkada’s Command platform and then filter the pictures by gender or clothing color, and search images through facial recognition or face matching technology.5
Verkada’s claims, according to the FTC
They collect and keep a lot of information. The companies they collect that data from (and hold it for) realize the importance of keeping that information secure. Verkada has a long history of trying to assuage those concerns — that’s just good business sense.
The FTC’s complaint goes into a bit of depth regarding specific claims made by Verkada.6 These are important because the FTC does not actually have a statutory mandate to regulate things like cybersecurity. It does so by looking at commercial representations made by companies and treating them as unfair and deceptive acts and practices.7
The Reality
Verkada’s security practices appear to have been grossly insufficient.8 The FTC alleges that, despite its representations regarding how highly it valued data security, Verkada’s poor data security posture caused it to suffer data breaches in December 2020 and March 2021.9 Bad actors installed Mirai on Verkada’s Amazon infrastructure and used it in DDoS attacks for at least two weeks (when it was discovered by Amazon, not by Verkada) in one instance10. In the other instance, a different bad actor was able to compromise a server to gain privileged access to thousands of cameras, download several gigabytes of data containing customers’ and consumers’ information, perform searches using the “People Analytics” feature, and execute remote shell commands to security cameras.11
The FTC Steps In
According to Verkada, the FTC’s investigation was centered on the second system compromise, and it was during this investigation that the scope expanded to include the CAN-SPAM Act and fraudulent review allegations.12 As a result of the investigation, the FTC entered into an agreement with Verkada that requires it to make many changes to its data protection posture for the next 20 years, including implementing a comprehensive information security program (with outside assessments and board-level reporting), encryption of information, and multi-factor authentication (MFA) to access information.13
What does it mean?
There are a few takeaways from the data protection parts of the agreement:
- Regulators take marketing materials seriously. When Verkada said things like “‘[f]rom Day 1, we’ve made technology decisions that strengthen security and…Verkada uses commercially reasonable efforts to deploy and uphold [] security best practices and standards….'”14 on its Trust site between 2018 and 2021, the FTC did not consider those things to be mere “Marketing fluff” (or, “puffery” in legal jargon) that “everyone says” and “essentially means nothing.” Ensure that someone is paying attention to what is being said and how it aligns with what the company is doing.
- The FTC is becoming more specific and prescriptive in its security requirements. This prompted FTC Commissioner Melissa Holyoak to release a concurring statement where she expressed concerns over this point given the duration of the judgment:
- “Over the past few years, however, the data security programs in the Commission’s settlements have become ever more prescriptive, mandating particular controls, such as multifactor authentication. At first blush, prescribing particular security controls for a company that has allegedly failed to safeguard consumers’ data appears prudent. But these are not requirements of short duration; over the twenty years during which the data security program is required, such specific prescriptions may become dated as technology and threats evolve.
- “Mandating rigid controls that do not scale with size, sensitivity, or evolving threats will undercut the Commission’s goal of reasonable data security while burdening businesses in a manner that is likely to raise costs for consumers. And requiring such controls for twenty years may be disproportionate to the misconduct alleged in many data security orders—and far more likely to raise transaction costs between firms and consumers (and to spawn a cottage industry of FTC order assessors) than to facilitate efficient investments in data security.”15
- If your company doesn’t use MFA to secure its data, it needs to start. The issue here isn’t even what you believe the efficacy of MFA to be, but what the FTC believes it to be. From this agreement, we see that the FTC really believes in it. If your company doesn’t want to use MFA, then consider what the consent agreement sets as the standard for not using MFA:
- “Defendant may use equivalent, widely-adopted industry authentication options that are not multi-factor, if the person responsible for the Information Security Program under sub-Provision II.C: (1) approves in writing the use of such equivalent authentication options; and (2) documents a written explanation of how the authentication options are widely adopted and at least equivalent to the security provided by multi-factor authentication.”16
Footnotes
- FTC Takes Action Against Security Camera Firm Verkada over Charges it Failed to Secure Videos, Other Personal Data and Violated CAN-SPAM Act, Federal Trade Commission (2024), https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-takes-action-against-security-camera-firm-verkada-over-charges-it-failed-secure-videos-other (last visited Sep 3, 2024). ↩︎
- Complaint, U.S. v. Verkada, No. 3:24-cv-06153 (N.D. Cal. Aug. 30, 2024), ECF No. 1, at 2. ↩︎
- Id., at ¶ 17. ↩︎
- The Future of Physical Security for the Enterprise: About Verkada, https://www.verkada.com/about/ (last visited Sep 3, 2024). ↩︎
- Complaint, at ¶¶ 18-19. ↩︎
- Id., at 11-13. ↩︎
- Id., at ¶¶ 84, 87, 90, 93, 96, 99. ↩︎
- It’s worth noting that all we have to go on here is the information in the FTC’s complaint. This case has already been settled, and while Verkada is not admitting wrongdoing, it is also not disputing the FTC’s interpretation of events in the case. Stipulation and Proposed Order, U.S. v. Verkada, No. 3:24-cv-06153 (N.D. Cal. Aug. 30, 2024), ECF No. 4, at ¶ 4. But see, Verkada, FTC Settlement: Explained, (Aug. 30, 2024), https://www.verkada.com/blog/ftc-settlement-explained/ (last visited Sep 4, 2024) (“We do not agree with the FTC’s allegations, but we have accepted the terms of this settlement so that we can move forward with our mission…”). ↩︎
- Complaint, at 6-9. ↩︎
- Id., at ¶ 22. ↩︎
- Id., at ¶¶ 25-29. ↩︎
- Verkada, FTC Settlement: Explained, (Aug. 30, 2024), https://www.verkada.com/blog/ftc-settlement-explained/ (last visited Sep 4, 2024). ↩︎
- Stipulated Order for Permanent Injunction, Civil Penalty Judgment, and Other Equitable Relief, U.S. v. Verkada, No. 3:24-cv-06153 (N.D. Cal. Aug. 30, 2024), ECF No. 6, at 6-14. ↩︎
- Complaint, at ¶ 39. ↩︎
- Melissa Molyoak, Concurring Statement of Commissioner Melissa Holyoak Regarding Verkada, Inc., (2024), https://www.ftc.gov/system/files/ftc_gov/pdf/comm-holyoak-statement-re-verkada.pdf (last visited Sep 3, 2024). ↩︎
- Stipulated Order, at 8. ↩︎
- Introducing: Arcana - 22 November 2024
- Help me see if there is a need for that I can fill - 23 September 2024
- Verkada: Data Protection Issues - 19 September 2024