We Talkin’ About Security. Or Are We? Another Look at the FTC’s Recent Settlement with Security Firm Verkada

BakerHostetler

As we wrote about last week, the Federal Trade Commission (FTC) recently announced that it had entered a proposed settlement with video surveillance equipment company Verkada over the company’s alleged security failures. What’s interesting about the Verkada settlement is that it’s really a data security case with some additional marketing violations thrown in. And not insignificant ones at that – at least from a money perspective – considering that the company settled for $2.95 million in civil penalties for the alleged email marketing violations alone. To read more about the marketing aspect of the case, which touches on commercial email and online reviews, you’ll want to head over to our ADventures in Law blog, where we recently wrote about these issues, including the overall breadth of FTC investigations these days. What we’re talking about in this post, however, are the data security issues at the heart of the proposed complaint and some key takeaways.

According to the proposed complaint allegations, what appears to have caught the FTC’s attention were specific security incidents dating back to 2020 and 2021. The complaint alleged that in one incident a threat actor leveraged a vulnerability in Verkada’s customer support server that provided “super admin” privileges that granted the threat actor access to 150,000 live customer cameras. In an earlier incident, the complaint alleged that a hacker exploited a security flaw in the company’s legacy firmware build server and installed the Mirai malware to launch denial-of-service attacks.

After alleging that the company failed to employ reasonable security measures, the FTC announced a proposed order that requires the company to implement a security program for 20 years, subject to biennial reviews by a third-party assessor. While the technical details of the proposed order are worth a read, at a high level, the proposed order requires the following measures: implementing data access controls, network logging and monitoring for anomalous activity, vulnerability and patch management, conducting data inventories, performing risk assessments, and annual employee training. In addition, for the next 20 years, Verkada will have to report any cybersecurity incidents to the FTC within 10 days of reporting the incident to another state or federal agency. Although these specific measures are not all that different from recent FTC orders addressing data security, this case offers a few good reminders.

Assess Your Assessments: The FTC’s complaint alleged that the company failed to address security gaps identified by a third-party assessment. Of course, no company is breach-proof, so the question often is what the appropriate standard is to apply in assessing a company’s security posture in the wake of a breach and what satisfies that standard. Certainly perfect security isn’t the standard, but reasonableness is. In this case, the FTC alleged the company did not implement basic security measures on its products, such as demanding the use of complex passwords, encrypting customer data at rest and implementing secure network controls. That this case included allegations that cameras were placed in highly sensitive locations such as psychiatric hospitals, women’s health clinics and detention facilities almost certainly played a role in the FTC’s analysis of what constitutes reasonable security when compared to the level of risk and sensitivity of data at issue. This case serves as a good reminder to take a fresh look at any risk assessments to ensure that any gaps identified have been addressed.

The FTC Might Not Just Be Talking About Security: In our companion blog, we observed that FTC investigations are consistently becoming multipronged. But it bears repeating here. Just because you find yourself talking to the FTC about one issue (such as data security) doesn’t necessarily mean that is the only issue that is – or eventually will be – on the FTC’s radar. The agency could very well expand its investigation to include other practices of the company. And that risk becomes even more acute if there are particular rule or statutory violations – like those related to CAN-SPAM – that would give the FTC a clear path to obtaining money in the form of civil penalties. (For a refresher on how the 2021 Supreme Court case AMG considerably narrowed the FTC’s ability to obtain monetary relief, check out this post on ADventures in Law.)

Mind Your Privacy and Security Representations: Speaking of scope, if your company does experience a breach that catches the FTC’s attention, it is almost a sure bet that the FTC will find some set of representations to challenge as misleading. In the Verkada case, the FTC challenged as deceptive the company’s representations regarding data security, privacy and compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. The bottom line here is that even seemingly innocuous marketing speak or statements that are routinely found in privacy policies or other notices are likely to get extra scrutiny if you experience a breach. Companies should take particular care regarding statements that the company has been “certified” to meet a particular standard. And the more specific a company’s claims about security are – like having end-to-end encryption – the more support you’re going to need and the higher risk that a regulator will find those claims wanting.

A Final Word About Final Orders: If you do find yourself entering a consent order with the FTC or another regulator following a data security incident, consider whether the agreed terms allow enough flexibility to be adjusted consistent with technological advances. Particularly when we often see consent orders running as long as 20 years, what may be considered state of the art today almost certainly will not be in five, 10 or 15 years. This is a point made by Commissioner Melissa Holyoak in a separate concurring statement on the settlement. She raised concern about the FTC entering orders that have become increasingly prescriptive over the years. In this case, she commended the use of an “escape valve” in the proposed order: With respect to implementing multi-factor authentication (MFA), the proposed order explicitly allows for methods other than MFA if such methods have been widely adopted in the industry and the designated security official attests to the rationale for employing those alternatives.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler
