The Federal Trade Commission (FTC) will require security camera firm Verkada to develop and implement a comprehensive information security program to settle allegations the company failed to use appropriate information security practices, which allowed a hacker to access customers’ security cameras.

Under a proposed order, which must be approved by a federal judge before it can go into effect, Verkada will also be required to pay a $2.95 million monetary penalty to settle allegations the company inundated prospective customers with commercial emails in violation of the CAN-SPAM Act, the largest penalty obtained by the FTC for a CAN-SPAM violation.

A complaint alleged that Verkada failed to use appropriate information security practices to protect consumers’ personal information, which allowed a hacker to access internet-connected security cameras and view patients in psychiatric hospitals and women’s health clinics. The complaint also charged that Verkada was aware that employees and a venture capital investor posted positive ratings and reviews of Verkada and its products but failed to disclose their association or current employment status with Verkada. 

The complaint also alleged that Verkada violated the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing) by flooding prospective customers with a barrage of commercial emails and failing to include the option to unsubscribe or opt-out, honor opt-out requests, and provide a physical postal address in the emails.

As a result of these security failures, the complaint alleges, the company experienced at least two security breaches between December 2020 and March 2021. In the March 2021 breach, the hacker had access to over 150,000 live Verkada customer cameras as well as other customer information, such as physical addresses, audio recordings, and customer WiFi credentials.