We reached a settlement with the Federal Trade Commission (the “FTC”) related to their investigation of our March 2021 data security incident and, separately, some of our email marketing practices between 2019 and 2021. There was no fine imposed related to the security incident, but we have agreed to pay $2.95 million to resolve the FTC’s claims about our past email marketing practices. We do not agree with the FTC's allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way.
Security Incident (March 2021)
In March 2021, attackers compromised our platform, gaining access to security camera footage for 97 of our then 6,000 customers (more info here). In response, we immediately investigated and contained the incident. We curtailed the attacker’s access within two hours of discovery, and notified customers that same day. We then began immediate work to strengthen our safeguards (see 100-day plan here) and partnered with the best of the best to help us – including leading cybersecurity specialists from Mandiant and The Chertoff Group (led by the former US Secretary of Homeland Security, Michael Chertoff).
We continue to prioritize strengthening Verkada’s data security posture. In 2021, we achieved SOC 2 Type 1 compliance, quickly followed by SOC 2 Type 2 compliance in 2022; in 2024 we obtained certifications for ISO 27001, ISO 27017, and ISO 27018. On top of all this, pursuant to today’s settlement, we have now also agreed to adopt the FTC’s “information security program” protocols, subject to biennial reviews by a third-party assessor.
Marketing Practices (2019-2021)
Unrelated to the March 2021 security incident, the FTC also investigated the marketing emails we sent to businesses and other organizations from 2019 to 2021. The FTC claims that we did not follow certain CAN-SPAM Act requirements (such as the requisite language in email footers and certain opt-out protocols). We disagree with their allegations, but more importantly, we overhauled our CAN-SPAM compliance starting in 2019. We have acquired tools and platforms to better facilitate CAN-SPAM compliance, made it easier to opt out of our promotional emails by establishing a dedicated webpage where customers can control their email preferences, mandated use of a standardized email footer that always includes a physical address and a link to the webpage, and adopted more robust policies and training. We continue to prioritize these efforts.
The FTC also investigated fewer than 30 reviews on Verkada’s Google Maps profile that were posted by people affiliated with Verkada (such as employees) without disclosing their affiliation. We have since redoubled our efforts to ensure that employees and others understand that they are welcome to post their views about Verkada’s products and services, but they must clearly disclose their relationship to Verkada if they do.
Moving Forward
We are on an incredible journey and today’s settlement hasn’t changed that. More than 26,000 organizations across 85 countries trust Verkada as their physical security layer, and we have over 2,000 employees worldwide dedicated to supporting them and our mission to protect people and places in a privacy-sensitive way. We will continue to work every day towards this goal, and earn and keep our customers’ and partners' trust along the way. To learn more about our commitment to data security and customer privacy, please visit www.verkada.com/trust.