The FTC’s recent enforcement action against a B2B company is a cautionary tale about common, easy-to-avoid privacy, security, and marketing missteps; and a reminder that fines aren’t the only consequences to fear in an enforcement action.
In addition to paying a $3M fine, for the next 20 years the FTC will require Verkada, Inc. to implement a comprehensive information security program, submit to third-party information security assessments, and comply with other robust administrative requirements to settle allegations that the company’s privacy, security, and marketing practices violated the law. To implement these obligations will require significant resources and investments. In the complaint filed by the Department of Justice at the FTC’s request, Verkada is alleged to have engaged in many unfair or deceptive business practices. Here are the top five, many of which are all too common:
Failing to Adequately Protect Data. The complaint alleges that Verkada failed to provide reasonable and appropriate security measures to protect the personal information it collected and maintained, which allowed a hacker to gain access to information from more than 150,000 live security cameras, including some in sensitive locations such as psychiatric hospitals, women’s health clinics, children’s bedrooms, and prison cells. According to the complaint, reasonable and appropriate measures should have included:
- Access management basics, such as the use of unique and complex passwords, role-based access controls, and multi-factor authentication
- Login monitoring to flag suspicious activities, such as unsuccessful logins to administrative accounts, and the addition or removal of any account with administrative privileges
- Regular risk assessments, vulnerability scans, and penetration testing
- Testing, auditing, and review of the effectiveness of security measures and services
- Use of encryption at rest and in transit, as well as network controls, such as properly configured firewalls
- Development of adequate written information security standards, policies, procedures, and practices; and adequate training of employees on same
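As an added illustration of the login monitoring item in the list above (example code written for this summary, not from the FTC complaint or from Verkada's systems), the following Python check runs over constructed log lines and flags repeated failed logins to administrative accounts as well as any grant or revocation of administrative privileges. The log format, the set of admin account names, and the failure threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample authentication log lines (not real data).
SAMPLE_LOG = """\
2024-08-30T10:01:02Z auth login user=admin result=FAILURE src=203.0.113.5
2024-08-30T10:01:09Z auth login user=admin result=FAILURE src=203.0.113.5
2024-08-30T10:01:15Z auth login user=admin result=FAILURE src=203.0.113.5
2024-08-30T10:02:00Z auth login user=alice result=SUCCESS src=198.51.100.7
2024-08-30T10:03:30Z auth role_change user=bob action=GRANT role=admin by=admin
2024-08-30T10:04:10Z auth role_change user=carol action=REVOKE role=admin by=admin
2024-08-30T10:05:00Z auth login user=alice result=FAILURE src=198.51.100.7
"""

ADMIN_ACCOUNTS = {"admin"}   # assumed: names of privileged accounts to watch
FAILURE_THRESHOLD = 3        # assumed: alert once this many admin logins fail

# Assumed line layout: "<timestamp> auth <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<event>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    fields["event"] = m.group("event")
    return fields


def detect(log_text, admin_accounts=ADMIN_ACCOUNTS, threshold=FAILURE_THRESHOLD):
    """Return alert strings for failed admin logins and admin role changes."""
    alerts = []
    failures = Counter()  # failed login count per admin account
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if (rec["event"] == "login" and rec.get("result") == "FAILURE"
                and rec.get("user") in admin_accounts):
            failures[rec["user"]] += 1
            if failures[rec["user"]] == threshold:  # alert once, at the threshold
                alerts.append(f"{rec['ts']} repeated failed logins to admin account "
                              f"{rec['user']} from {rec.get('src')}")
        elif rec["event"] == "role_change" and rec.get("role") == "admin":
            # Any addition or removal of administrative privileges is flagged.
            alerts.append(f"{rec['ts']} admin privilege {rec.get('action')} "
                          f"for {rec.get('user')} by {rec.get('by')}")
    return alerts
```

Failed logins to ordinary accounts (alice above) are intentionally not alerted on, so the output stays focused on the two conditions the complaint singles out.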
Making Misleading Statements about Data Protection Investments and Commitment. Verkada is alleged to have misrepresented its security practices in numerous ways. First, its privacy policy claimed: “[W]e take customer privacy seriously” and “use best-in-class data security tools and best practices to keep your data safe.” Second, the company’s website purportedly contained misleading statements such as, “[f]rom Day 1, we’ve made technology decisions that strengthen security and … Verkada uses commercially reasonable efforts to deploy and uphold [] security best practices and standards….” Finally, in blog posts, press releases, and interviews, Verkada assured customers of the quality of its security practices and its commitment to data protection. The complaint specifically references the following quote from Verkada’s CEO: “We built a system that’s end-to-end secure. That’s a huge problem with today’s systems. Verkada is secure out of the box.”
Misrepresenting Privacy and Security Compliance. When Verkada marketed, promoted, advertised, and sold its products and services, the FTC claims the company frequently misrepresented (1) that it was HIPAA-certified or compliant and (2) that it adhered to the EU-U.S. and Swiss-U.S. Privacy Shield principles.
Sending Incessant Marketing Emails That Lacked Compliance Elements and Ignoring Customer Complaints. Verkada is alleged to have sent over 30 million promotional emails without an effective unsubscribe mechanism, and without including a valid, physical postal address in the body of the message. Email recipients repeatedly notified Verkada they didn’t want the emails, and they were unable to unsubscribe, despite multiple attempts.
Posting Fake Reviews. Verkada employees and an investor purportedly violated FTC rules by posting positive online ratings and reviews without disclosing their relationship to the company or their employee status, an activity that was at times encouraged. The complaint alleged that in June 2023, 35% of Google Maps ratings and reviews for Verkada were attributable to this practice, which the FTC deems an unlawful business practice.
What are some better practices?
- Implement adequate security measures that take into account the types of information you process. Such measures should include technical, physical, and organizational controls designed to prevent unauthorized access to, use of, loss of, or alterations to information you process about consumers and businesses.
- Take stock of your data. Take inventory of the categories of personal information your company collects to ensure the information is processed lawfully. That may include analyzing many issues: Is personal information being used for the purpose for which it was collected? Is it secured adequately, and what is the potential harm if it were disclosed improperly? How do data retention and deletion processes align with requirements and business needs?
- Know Your Requirements. Ensure you understand your privacy and security obligations by identifying the laws and regulations that apply to your business, and revisit your assessments regularly, because data protection laws are proliferating.
- Enact policies and procedures that support your compliance needs. These could include conducting routine risk assessments and security testing, holding regular training for employees, and adopting written data practices and standards. It is common practice now to have a team and policy in place to respond to data privacy requests.
- Be aware of marketing pitfalls. CAN-SPAM was not on our 2024 Privacy Enforcement Bingo Card! While CAN-SPAM regulates many aspects of marketing, this enforcement action also serves as a great reminder of the many local, state, federal, and international laws that govern promotional communications (including texts and phone calls), digital advertising campaigns, and other common activities aimed at creating brand awareness, generating leads, and increasing demand.
- Communicate Marketing Guardrails. If innovative marketing campaigns are key to your success, consider developing a marketing playbook or policy. This internal document is intended to clearly describe a company’s compliance obligations, outline prohibited activities, and establish processes and procedures to ensure the company is responsive to new rules, complaints, opt-out requests, customer concerns, and more. To provide a place to start, the FTC recently issued a final rule that addresses reviews and testimonials, and the FTC endorsement guides outline disclosure requirements in advertising.
- Have a Top-Notch Privacy Statement. Transparency can be an excellent risk mitigation strategy. Plus, companies often find that updating their privacy statement can expose significant risks. Those benefits are lost if the privacy statement contains privacy platitudes similar to those highlighted in the Verkada complaint. Many companies make a point to update their privacy statement at least annually to ensure that they are up to date.
The case is available here.
This article summarizes aspects of the law and does not constitute legal advice. For legal advice regarding your situation, you should contact an attorney.