Consumer Awareness In the Wake of the Verkada Breach

Safe to say the more than 24,000 organizations appearing on the company’s client list are squirming.

It’s too early to predict the extent of backlash and damage to come out of the recent cyber breach of surveillance provider Verkada. Safe to say the more than 24,000 organizations appearing on the company’s client list are squirming. From Tesla to less recognizable corporate names, public school systems, banks, gyms, county jails, health clinics, and daycares, all are watching to see how the implications play out for them. To what extent was each one compromised? What will it cost in dollars and downtime for them to re-establish new security protocols? Will the businesses affected face customer lawsuits? Can consumer trust be regained? Stories detailing lack of client confidence are already appearing.

The Verkada breach is not a technical issue.

Meanwhile, lawyers and public relations gurus are fast at work painting the incident as a technical glitch that can be easily patched and the leakage staunched. Or at the worst, a company oversight, no doubt already fully resolved. Yet for those who have charted Verkada closely, an October 2020 news story still has much to say about access to sensitive information by Verkada personnel down the tier of authority. Far removed from high-security clearance, salespeople were regularly viewing and abusing private customer video footage.

That incident is being buried deeper by the day in Google searches as new coverage on the recent breach mounts. Therefore, we provide you with a reminder from Business Insider, reporting on it in an article entitled, “Male employees at a $1.6 billion security-camera startup were accused of taking photos of female employees and sharing them in a private Slack channel.” https://www.businessinsider.com/verkada-security-cameras-ipvm-investigation-2020-10

Don’t let that seemingly sterile title fool you. Much more was going on, as The Verge reported.

“Last year, the sales director accessed these cameras [the Verkada office cameras] to take photos of female workers, then posted them in a Slack channel called #RawVerkadawgz alongside sexually explicit jokes.

“Employees told IPVM that a group of men in leadership positions on the sales team, many of whom grew up in Danville and played football together in high school, contributed to a culture of sexism.

“After the Slack incident was reported to HR, Verkada CEO Filip Kaliszan gave employees in the Slack channel a choice: leave the company or have their stock options reduced. All of them chose to stay and take the stock option cut, according to Vice.

“I was shocked. To me that’s not just a fireable offense, that’s a career-ending offense,” one employee told IPVM.”

“Surveillance company harassed female employees using its own facial recognition technology,” by Zoe Schiffer, The Verge https://www.theverge.com/2020/10/26/21535089/surveillance-company-verkada-harassed-female-employees

Will tenacious reporters remember that occurrence, or dig up the accounts of ongoing sexual misconduct and invasion of privacy at Verkada a half year before the major breach? A breach that exposed the same level of widespread employee access to live feeds from customers’ private surveillance cameras? Will articles appear noting the climate of culture, the sexism at Verkada that seems to have persisted though it was publicly exposed several months ago? When a surveillance company, of all groups, does nothing more than pay lip service to securing your privacy, who can you trust?

“Customer data is a focus area all its own. From consumer behavior to predictive analytics, companies regularly capture, store, and analyze large amounts of quantitative and qualitative data on their consumer base every day. Some companies have built an entire business model around consumer data, whether they're companies selling personal information to a third party or creating targeted ads. Customer data is big business.” ~Max Freedman, Business News Daily https://www.businessnewsdaily.com/10625-businesses-collecting-data.html

Every day we fork over more of our precious privacy, spending as if the account was limitless.

Our lives are written and exposed in minute detail each time we add a personal post to Facebook or any of the other many social media outlets. Privacy is the price we pay for the opportunity to be on stage, in the public eye. We freely supply our birthdate, location, education, work history, relationship status, religious affiliation, and even phone number and email address if we so choose, on social media platforms. Is it temporary amnesia that causes the lapse, forgetting that if it’s an entry of your private data, then it just went on the web--the world wide web? When our keyboard strokes appear on the monitor and we hit “Enter,” it’s like writing in permanent ink, and there is no eraser. Yet we think nothing of it until our level of public exposure--as in the case of the Verkada breach--poses a financial or scandalous threat.

“People are wanting me to play games on [unnamed social media site], that ask my mother’s maiden name, my first pet’s name, my city of birth. Don’t those folks realize that the questions they are answering to play are the same security questions asked when you set up an important personal account?” ~Avid social media user who asked to remain anonymous

The proliferation of personal data on social media is profound in that nothing more than a name can lead to finding someone’s Facebook page. Locate a total stranger by name and state, if not their name alone.

“The ways in which data is used and collected now are more expansive than ever before. Data has taken on a new value for corporations and, as a result, almost any interaction with a large corporation, no matter how passive, results in the collection of consumer data. This is partially because more data leads to improved online tracking, behavioral profiling, and data-driven targeted marketing.

“The surplus of valuable data, combined with minimal regulation, increases the chance that sensitive information will be misused or mishandled.” by Ben Lutkevich https://searchdatamanagement.techtarget.com/definition/consumer-privacy

There ought to be a law.

Unfortunately, there isn’t a unified data privacy framework in place in the U.S. There are, however, some federal laws that relate to consumer and data privacy.
  • The Privacy Act of 1974 - which governed the collection and use of information about individuals in federal agencies' systems. The Privacy Act prohibits the disclosure of an individual's records without their written consent unless the information is shared under one of 12 statutory exceptions.
  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) - which outlines how Protected Health Information (PHI) used in the healthcare industry should be protected.
  • The Fair Credit Reporting Act (FCRA) of 1970 - which protects consumer information as it pertains to their credit report, which provides insight into an individual's financial status.
  • The Children's Online Privacy Protection Act (COPPA) of 1998 - which ensures that children under the age of 13 do not share personal information online without the consent of their parents.
  • The Financial Modernization Act of 1999 - which governs how companies that provide financial products and services collect and distribute client information, as well as prevents companies from accessing sensitive information under false pretenses. When defining client confidentiality, this act makes distinctions between a customer and a consumer. A customer must always be notified of privacy practices, whereas a consumer must only be notified under certain conditions.
  • Family Educational Rights and Privacy Act (FERPA) of 1974 - which protects the privacy of student education records and applies to all schools that receive funding from the U.S. Department of Education.
Many of these laws are considered out-of-date and lacking in scope. At the state level, recent privacy laws are more reflective of current data exchange practices. The California Consumer Privacy Act (CCPA) that took effect January 1st, 2020, introduced a new set of rights not formerly included in federal laws. Those expansions entitle consumers to:
  • Know what personal data about them is being collected.
  • Know if their personal data is being sold and to whom.
  • Say no to the sale of personal information.
  • Access their collected personal data.
  • Delete data being kept about them.
  • Not be penalized or charged for exercising their rights under the CCPA.
  • Children require parental consent for data collection, and consumers 13-16 years old are required to provide affirmative consent--opt-in--to the collection of their data.
The law applies to corporations that either make $25 million per year or collect data on more than 50,000 people. Companies that do not comply face sizable penalties and fines. ~Ben Lutkevich https://searchdatamanagement.techtarget.com/definition/consumer-privacy

An article from truyo, entitled, “How to Collect Consumer Data (The Right Way),” offers clear direction for any businesses involved in collecting customer data for financial gain:

“Another helpful support to have when you collect customer data is to develop a consumer information privacy policy. This policy will spell out all your methods for collecting electronic customer data so that there are no misunderstandings down the road. Make this policy easily accessible on your website and social media sites.

“Your policy should outline what types of data you collect and how you’ll use it. Your privacy policy should also specify who you will share their data with (if any third party at all.) Be sure your policy also allows customers to elect not to receive future marketing materials from you.” https://insights.truyo.com/how-to-collect-customer-data

Forfeiting your rights may be as simple as clicking on the “I Accept” button at the bottom.

How your data is handled, and who or what entity controls it, is typically spelled out in the fine print of the “Terms of Agreement” policy that none of us can bear to read. Who hasn’t scrolled to the end of the epic form and clicked on the “I Accept” button with lightning speed? We’re too anxious to get on with the process, take our new toy for a spin, rather than waste time reading mumbo-jumbo legalese. Nonetheless, that mass of fine print amounts to a contractual agreement between you and the provider. Your response shouldn’t be automatic acceptance when weighing relinquishing your sought-after personal data versus the price of your privacy, and worse, your security, being threatened.

Proactive consumerism is your single best defense for keeping control of your data. Before letting price be your only guide when choosing a supplier for a purchase as important as a security system, do your homework. Read the fine print first no matter how tedious. It may contain all the answers you need about the ultimate controller of your video footage and personal data.

Beyond the agreement policy, investigate the company’s website. What do they say about protecting you and your system from intrusion? Anything? Do they mention password encryption? Multi-layered protection? How do they go about not only securing your property but also keeping access to your private information secured? It doesn’t take wading through an entire website to discover if customer privacy and protection are key elements in a surveillance company’s approach. If customers’ rights are designed into security systems, the evidence will be throughout.

Your reading assignment is almost complete. There is one last place to search for clues as to whether you’re going to be treated like a fellow human being rather than a gold mine of personal data: the Reviews and Ratings. At SCW we prize our reviews. After all, we earned each one of the more than 4,000 Five-Star reviews in our vault. What better way of looking at your potential supplier than through the eyes of experienced customers? No need to listen to any company’s claims of integrity and professional standards when reviewers can either affirm or deny them.

We at SCW see ourselves as the only mission and values-over-profits company in the surveillance industry.

Extra credit: Round out your homework assignment by seeing how a company views itself. Mission statements may be cookie-cutter and stale, but occasionally you’ll find a gem reflective of your values. That’s the type of company worthy of your business--mindful of being more than profit-driven. Customer exploitation, at the heart of the Verkada breach, should not have to be a side effect of doing business. No mission statement is going to hint at that possibility, but we do what we can to avoid such entanglements, wherever clues can be found.

The same is true of a company’s goals when they’re mentioned in print. Those stated goals may offer additional evidence of their business practices and philosophy. “We plan to crush the competition and dominate the surveillance market by 2029,” is hardly a goal that leaves you feeling individually valued and protected.

SCW has kept it simple yet memorable for its employees: Love the customer; Love the team; Conduct business ethically and professionally so that we will remain in business 200 years from now. Furthermore, we at SCW see ourselves as the only mission and values-over-profits company in the surveillance industry. Simply doing the right thing takes on greater relevance than dollar signs.

How much longer customers will be treated like commodities remains a giant question mark.

Public outcry over instances like the Verkada breach will hopefully lead to new legislation modeled after the sweeping state law, the California Consumer Privacy Act (CCPA). “We’re mad as hell, and we aren’t going to take it anymore,” seems to sum up the message lawmakers will continue to face as more people band together to fight wholesale corporate intrusion into their lives. Consumers will continue to demand safeguarding, and more so when public exposure at the level of Verkada’s network continues to hit the news channels. Spying on customers can no longer be tolerated as an accepted business practice.