Security camera company required to pay $3 million to FTC for CAN-SPAM act violations
US-based security company failed to implement security measures
The Federal Trade Commission (FTC) has submitted an order requiring security camera company Verkada to pay $2.9 million after finding that it violated the CAN-SPAM Act by sending customers marketing emails without offering the option to unsubscribe. The company reportedly sent 30 million emails over the span of three years.
The FTC also said that the company failed to protect consumers’ personal information. Verkada claimed to use ‘best-in-class data security tools’ and practices to keep customer data safe from unauthorized access. However, customers were apparently left vulnerable after a hacker gained access to live feeds from internet-connected cameras in psychiatric hospitals and women’s health clinics.
Verkada suffered at least two security breaches between 2020 and 2022, which allowed threat actors to access sensitive data.
Poor Practice
The FTC determined that Verkada did not adequately encrypt customer data, implement secure network controls, or require complex passwords, which meant customer information such as emails, passwords, and full names was exposed. The company’s security practices allegedly fell short of the HIPAA and Privacy Shield frameworks.
“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies that fail to secure and protect consumer data can expect to be held responsible.”
The complaint also alleges that Verkada misled customers by failing to disclose that some positive online reviews were written by employees and investors. Alongside the fine, Verkada will be required to implement a ‘comprehensive’ information security program with external assessment and audits. The security program must include multi-factor authentication and encryption for sensitive information.
Via Cybernews
Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.