Lessons from Verkada’s Data Breach and Marketing Violations and What Every Business Needs to Know
In the ever-evolving digital landscape, businesses are constantly reminded of the importance of safeguarding customer data. A recent case involving Verkada, a security camera company, has highlighted the severe consequences that can arise from neglecting both security protocols and marketing ethics. Verkada, which provides security cameras and services to thousands of businesses globally, is facing a massive settlement and a long list of requirements after the Federal Trade Commission (“FTC”) took action against the company for serious data breaches and violations of the CAN-SPAM Act.
The incident came to light in 2021 when a hacker gained unauthorized access to Verkada’s security cameras. These cameras were installed in highly sensitive locations, including psychiatric hospitals, women’s health clinics, and schools. The hacker accessed over 150,000 live camera feeds and other personal information, including physical addresses, customer Wi-Fi credentials, and audio recordings. Despite Verkada’s public claims of using “best-in-class” security tools, the breach was made possible by poor security practices, such as the failure to require complex passwords, insufficient encryption, and a lack of proper network controls.
Beyond the breach, Verkada also misled consumers about its compliance with critical data protection regulations like the Health Insurance Portability and Accountability Act (“HIPAA”) and the EU-U.S. Privacy Shield framework. This was coupled with deceptive marketing practices, including the manipulation of online reviews and ratings. The company’s employees, along with a venture capital investor, posted glowing reviews without disclosing their affiliations, misrepresenting their reviews as independent and unbiased.
As if that wasn’t enough, Verkada also violated the CAN-SPAM Act, which governs commercial email practices. Between 2018 and 2021, the company sent over 30 million unsolicited marketing emails, many of which failed to include proper unsubscribe options or physical postal addresses, and ignored recipients’ opt-out requests. For these violations, Verkada has agreed to pay a $2.95 million settlement, which represents the largest penalty the FTC has ever imposed for CAN-SPAM violations.
Verkada’s situation is a cautionary tale for any company handling sensitive data or relying on digital marketing. First and foremost, data security should never be an afterthought. Customers trust you with their personal information, and a failure to protect that data can have devastating consequences. It’s essential to implement robust security measures, including encryption, multi-factor authentication, and strong password policies. Regular audits and vulnerability assessments can help identify and address gaps before they are exploited by hackers.
Equally important is transparency. Misleading your customers about your security practices or marketing efforts can have severe legal and reputational consequences. It’s critical that your privacy policies, online reviews, and marketing claims are accurate and honest. Never exaggerate the effectiveness of your security systems or misrepresent your compliance with regulations. Similarly, if you engage in email marketing, ensure that you comply with the CAN-SPAM Act by including opt-out options and a physical address in your messages, and always honor unsubscribe requests.
The FTC’s action against Verkada also underscores the growing scrutiny of digital marketing practices. With increasing consumer awareness and regulatory pressure, businesses must be diligent about how they collect, store, and use personal data. A violation of privacy laws or marketing regulations could lead to hefty fines and legal action.
For companies that rely heavily on email marketing, it’s a good idea to conduct a CAN-SPAM compliance check. Make sure that your campaigns honor opt-out requests, avoid deceptive subject lines, and respect the privacy of your recipients. A simple review of your email practices can help you avoid becoming the next company in the spotlight for all the wrong reasons.
The case against Verkada is a reminder to businesses that data security, marketing ethics, and compliance are not areas in which to cut corners. By following best practices in these areas, your company can build stronger customer relationships, avoid costly penalties, and protect its reputation in the long run.
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.
