Security firm Verkada, Inc. (Verkada) ‘s massive failure to perform even a basic security risk assessment resulted in a $2.95 million civil penalty. The Justice Department and the Federal Trade Commission (FTC) investigated Verkada for failing to comply with the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act and engaging in unfair and deceptive practices in violation of the Federal Trade Commission Act. The settlement was announced last month.

In a complaint filed in the U.S. District Court for the Northern District of California, the United States alleged that Verkada failed to implement reasonable security measures such as appropriate access management and data protection controls and adequate encryption of customer data. According to the Justice Department and FTC, these failures exposed sensitive information — including security-camera footage of consumers visiting locations like hospitals and schools — to unauthorized access.

Verkada allegedly misled consumers about its compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the EU-U.S. Privacy Shield framework, and the Swiss-U.S. Privacy Shield framework. According to the complaint, Verkada’s security practices were not compliant with either HIPAA or either Privacy Shield framework.

FTC Vigorously Enforces Privacy Laws

The FTC’s mandate regarding health privacy overlaps with the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). The FTC can investigate and bring actions against both HIPAA-regulated and non-HIPAA-regulated organizations for violations of the FTC Act, the FTC Breach Notification Rule, and HIPAA.

Deceptive HIPAA Claims are False Advertising

The complaint also alleged that Verkada misrepresented the extent to which it used appropriate data security safeguards and complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The government alleged that Verkada sent numerous promotional emails that failed to clearly and conspicuously notify recipients of their opportunity to opt out of such messages and failed to include a valid physical postal address, and that Verkada did not honor requests to opt out from its promotional emails within ten business days of receiving those requests, all in violation of the CAN-SPAM Act.

Verkada Ordered to Perform Security Risk Assessments

Verkada denied the allegations but agreed to the settlement to resolve the lawsuit. The settlement requires Verkada to pay the $2.95 million civil penalty and to comply with the CAN-SPAM Act, including by honoring requests to opt out of its commercial emails. It also prohibits Verkada from misrepresenting its data security practices and requires it to establish a comprehensive information security program and undergo regular third-party assessments of its data security practices. The settlement terms are outlined in a proposed order, which a federal judge must approve before it becomes effective.

The Department of Justice and FTC Protect Consumer Privacy

This lawsuit underscores the fact that the FTC and Justice Department are enforcing consumer protection and privacy laws. Organizations that handle private data must keep that data private and secure or face enforcement.

“This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will continue to work with the FTC to hold companies accountable for such violations.”

“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said Director Samuel Levin of the FTC’s Bureau of Consumer Protection. “Companies that fail to secure and protect consumer data can expect to be held responsible.”

Security Risk Assessment is a Universal Requirement Today

Today, all organizations in every sector must pay close attention to security risk assessments. Cybercrime has skyrocketed because personally identifiable information, including protected health information (PHI) in healthcare, is valuable to criminals. HIPAA requires a risk analysis at least once a year and risk management year-round. However, all organizations handling personal information should analyze their data security risks and employ preventive cybersecurity measures to prevent privacy breaches. Failing to do so is too costly.