The CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) Act governs emails and other messages sent by businesses, marketers, nonprofits, and other commercial entities.
Covered messages must follow rules regarding subject lines, headers and disclosures, and must give recipients a way to request removal from the mailing list. The Federal Trade Commission (FTC) has obtained its largest-ever penalty against a company for violating the Act, but some people might consider that the least of the company's failures.
Verkada is a California company that sells IP-enabled security cameras and other security products, primarily to small businesses in the U.S. and abroad, including education, government, healthcare and hospitality organizations. According to its website, the company has more than 26,000 customers across 85 countries. The FTC says that odds are you’ve been captured by one of Verkada’s security cameras and don’t even know it.
Company failed to protect data about its customers
In 2018, the company’s privacy policy said it uses “best-in-class data security tools and best practices to keep your data safe and protect the Verkada Products from unauthorized access.” The FTC alleges that wasn’t the case.
In 2021, a threat actor remotely accessed Verkada’s camera feeds and watched consumers live without their knowledge. Sensitive areas that were exposed included psychiatric hospitals, women’s health clinics, elementary schools and prisons. Verkada didn’t know it had been hacked until the threat actor reported the hack to the media.
The FTC alleged Verkada also failed to protect data about its customers. The same threat actor obtained names, email addresses, physical addresses, usernames and passwords, geolocation data for security cameras, and other information. Verkada didn’t require unique and complex passwords, didn’t adequately encrypt data, and didn’t implement secure network controls. Its security practices weren’t compliant with the Health Insurance Portability and Accountability Act (HIPAA) and other regulations it’s subject to.
The CAN-SPAM Act violations involved Verkada flooding prospective customers with a barrage of commercial emails that didn’t include an option to unsubscribe or opt out and didn’t provide a physical postal address. The FTC also said Verkada failed to honor opt-out requests it did receive.
Finally, the FTC says Verkada misled consumers by failing to disclose that its own employees and an investor posted five-star reviews on its camera products.
Three steps to help companies avoid violating the law
On its website, Verkada says it disagrees with the FTC’s allegations but settled so it could “move forward with our mission and focus on protecting people and places in a privacy-sensitive way.” It describes steps it’s taken to reform its security and marketing practices.
The FTC offers this advice for other companies to avoid similar enforcement actions:
- Hold up your company’s data security practices next to the Verkada complaint allegations. While appropriate data security is very specific to your organization, it is helpful to review examples where Verkada failed to secure the information it maintained. Once you’ve reviewed your company’s data security practices, go one step further and make sure that what your company is saying about those practices is true.
- Don’t fake it until you make it . . . we can tell. You can’t mislead consumers by pretending to be a customer and leaving a glowing review of your own business’s product or service online.
- Consider a CAN-SPAM compliance check for your business. The FTC’s CAN-SPAM Act: A Compliance Guide for Business outlines helpful compliance tips.
Randy Hutchinson is president and CEO of Better Business Bureau of the Mid-South.