A recent hack into a massive collection of security camera data from Verkada Inc. shows the cyber and privacy-related vulnerabilities of digital devices that could give rise to lawsuits and government enforcement actions.
Advocacy groups like the American Civil Liberties Union have raised privacy and security concerns over the proliferation of digital surveillance devices, from
The Verkada hack could bring attention from the Federal Trade Commission and state attorneys general who enforce laws protecting against unfair and deceptive business practices. The company also could be found liable under state-level data breach laws that require security controls to be in place.
Wiretapping laws could come into play, too, if there are audio recordings implicated in the hack. So could health privacy laws, for hacked video footage from hospitals or clinics.
“There’s a lot of different angles for Verkada finding itself in legal trouble,” said John Davisson, senior counsel at the nonprofit Electronic Privacy Information Center. “This incident is a reminder of the privacy risks of not only security cameras but of network devices generally,” Davisson added.
Verkada said it has notified law enforcement and disabled all internal administrator accounts to prevent unauthorized access.
“We have verified that our system is secure and have already restricted administrator access as we conduct a review of our policies and permissions,” a Verkada spokesperson said in a statement.
The company and its security customers could be subject to invasion of privacy claims from people recorded by the cameras, especially for footage showing prisoners, hospital patients, or other potentially sensitive scenarios.
The outcome of such a lawsuit would likely hinge on whether individuals could be identified in the footage, which could be a challenge, according to Daniel Pepper, a partner at Baker & Hostetler LLP who focuses on data privacy and cybersecurity law.
“That’s going to be tough,” Pepper said. Such claims depend on whether someone could show that they were in a certain place during the time covered by camera footage.
It could be a challenging consumer privacy case to make unless the camera was hidden or placed in a location where privacy is normally expected, like a bathroom or locker room.
Some of the cameras at issue in the Verkada hack reportedly use facial recognition technology to identify and categorize people captured on the footage, a capability described on the company’s website. That added capability for video analytics makes the surveillance an even more powerful tool, not only for those who install the cameras but for those who hack into them, Jay Stanley, senior policy analyst with the ACLU’s Speech, Privacy, and Technology Project, said.
“Those capabilities are becoming increasingly common,” he said, adding that it’s “likely to supercharge video surveillance of the future.”
Though Verkada was the company that suffered the breach, its customers may also find themselves in hot water, said Reena Bajowala, a partner at Ice Miller LLP who focuses on data security, privacy, and information technology matters.
“Liability is going to flow to the client that procured the video surveillance,” Bajowala said. “Those who appear in the videos might sue Verkada, but ultimately it’s the Verkada client that put the video surveillance in that would be responsible if there is any liability.”
The client could then claim damages against Verkada under their contract, Bajowala said.
Consumers may also sue under the California Consumer Privacy Act, which provides a narrow private right of action for individuals whose personal information is compromised in a breach stemming from poor security standards, Bajowala said.
But the viability of those claims will depend on whether Verkada qualifies as a business under the statute—it must meet certain revenue or consumer thresholds—and what types of data were compromised in the hack.
A California law which took effect last year, SB327, could also come into play, said Melissa Krasnow, a partner at VLP Law Group LLP in Minneapolis. It requires manufacturers of connected devices to equip them with “reasonable” security features that are designed to protect the device and collected information from unauthorized access.
That law is enforceable by the California attorney general and city, county, and district attorneys.
The Verkada hackers targeted a server used for bulk maintenance operations on customer cameras, obtaining credentials that allowed them to bypass the company’s authorization system, according to a company statement issued following a Bloomberg News report.
Those credentials seemed to be the only protection between video content and the hackers, according to Brad Ree, chief technology officer for the ioXt Alliance, an industry-led security certification program for connected devices.
“What has me concerned here for sure is this really doesn’t feel like a reasonable level of security for the risk,” Ree said. He said part of the issue could be that Verkada’s security standards may not have kept pace with the Silicon Valley startup’s expansion to providing cameras for more than 4,200 organizations.
“It shows that lack of maturity and the danger of scale,” Ree said.
Despite the rise of connected devices, the so-called internet of things largely isn’t subject to cybersecurity mandates in the U.S. Still, a new law signed in December that sets cybersecurity standards for IoT devices that federal agencies buy, the Internet of Things Cybersecurity Improvement Act, could have an impact on the industry due to the government’s purchasing power.
The Verkada hack could prompt buyers of such devices to take a closer look at security protocols in place. It also could spur legislative efforts to pass greater privacy and security standards related to the devices.
“IoT devices are in the nascence of regulation,” Krasnow said. “A high-profile breach like this could galvanize lawmakers to pass laws at the state and federal level.”