$2.95M Penalty and Permanent Injunction Resolves Lawsuit Against Verkada Inc. for Alleged Unlawful Commercial Emails, Data Security Failures and Deceptive Practices

The Justice Department and the Federal Trade Commission (FTC) announced today that Verkada Inc. (Verkada), a cloud-based security company headquartered in San Mateo, California, has agreed to a settlement requiring it to pay a $2.95 million civil penalty and implement extensive data security measures. This settlement resolves allegations that Verkada violated the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act and engaged in unfair and deceptive practices in violation of the Federal Trade Commission Act.

In a complaint filed in the U.S. District Court for the Northern District of California, the United States alleges that Verkada failed to implement reasonable security measures such as appropriate access management and data protection controls and adequate encryption of customer data. These failures allegedly exposed sensitive information - including security-camera footage of consumers visiting locations like hospitals and schools - to unauthorized access. The complaint additionally alleges that Verkada misrepresented the extent to which it used appropriate data security safeguards and complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The complaint also alleges that Verkada sent numerous promotional emails that failed to clearly and conspicuously notify recipients of their opportunity to opt out of such messages and failed to include a valid physical postal address, and that Verkada did not honor requests to opt out from its promotional emails within ten business days of receiving those requests, all in violation of the CAN-SPAM Act.

To resolve the lawsuit, the parties agreed to a settlement reflected by the stipulated order issued today by the Court. The stipulated order requires Verkada to pay a $2.95 million civil penalty and to comply with the CAN-SPAM Act, including by honoring requests to opt out of its commercial emails. The stipulated order also prohibits Verkada from misrepresenting its data security practices and requires it to establish a comprehensive information security program and undergo regular third-party assessments of its data security practices.

"This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk," said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department's Civil Division. "We will continue to work with the FTC to hold companies accountable for such violations."

"When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do," said Director Samuel Levin of the FTC's Bureau of Consumer Protection. "Companies that fail to secure and protect consumer data can expect to be held responsible."

Trial Attorneys Cameron A. Brown and Amanda K. Kelly, Senior Trial Attorney James T. Nelson and Assistant Director Zachary A. Dietert of the Civil Division's Consumer Protection Branch and Assistant U.S. Attorney Vivian Wang for the Northern District of California are handling the case, in coordination with staff from the FTC's Division of Privacy and Identity Protection.

For more information about the Consumer Protection Branch and its enforcement efforts, visit www.justice.gov/civil/consumer-protection-branch. For more information about the FTC, visit www.FTC.gov.