The FTC Charged Company For Compromising Its Customers’ Privacy
UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA
FEDERAL TRADE COMMISSION, 600 Pennsylvania Ave., NW Washington, DC 20580, Plaintiff, v. RING LLC, a Delaware limited liability company, 12515 Cerise Ave Hawthorne, CA 90250, Defendant.
Case No. 1:23-cv-1549
COMPLAINT FOR PERMANENT INJUNCTION AND OTHER RELIEF
Plaintiff, the Federal Trade Commission (“FTC”), for its Complaint alleges:
- The FTC brings this action under Section 13(b) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 53(b), which authorizes the FTC to seek, and the Court to order, permanent injunctive relief and other relief for Defendant’s acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
Jurisdiction and Venue
- This Court has subject matter jurisdiction pursuant to 28 U.S.C. §§ 1331, 1337(a), and 1345.
- Venue is proper in this District under 28 U.S.C. §§ 1391(b)(1), (b)(2), (c)(1), (c)(2), and (d) and 15 U.S.C. § 53(b).
Plaintiff
- The FTC is an independent agency of the United States Government created by the FTC Act, which authorizes the FTC to commence this district court civil action by its own attorneys. 15 U.S.C. §§ 41–58. The FTC enforces Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices in or affecting commerce.
Defendant
- Defendant Ring LLC (“Ring”) is a Delaware corporation with its principal place of business at 12515 Cerise Ave, Hawthorne, California, 90250. Ring transacts or has transacted business in this District and throughout the United States. At all times relevant to this Complaint, acting alone or in concert with others, Ring has advertised, marketed, distributed, or sold merchandise to consumers throughout the United States.
Commerce
- At all times material to this Complaint, Defendant has maintained a substantial course of trade in or affecting commerce, as “commerce” is defined in Section 4 of the FTC Act, 15 U.S.C. § 44.
Defendant’s Business Activities
- Ring advertises, markets, and sells Internet-connected, video-enabled security cameras, doorbells, and related accessories and services to consumers throughout the United States and in other countries.
- Since 2016, Ring has sold more than a million indoor cameras, including the “Stick Up Cam” (launched in 2016) and the “Indoor Cam” (launched in 2019). Customers routinely use Ring’s indoor cameras as baby monitors and to monitor private spaces of the home, including adults’ bedrooms, children’s bedrooms, and bathrooms.
Defendant Has Claimed That Its Products Increase Customers’ Security
- Since its founding, Ring has consistently claimed that its products make individuals, families, and children safer and more secure in their homes.
- For example, Ring’s website announces that its “mission” is to “Make Neighborhoods Safer,” and as a 2014 post on Ring’s blog explains, the company’s name derives from “the ‘ring’ of security we create around your home, and then in time your community.”
- The tagline for Ring security cameras is “Smart security here, there, everywhere.”
- Since January 2016, Ring has claimed that its Ring Stick Up Cam enhances users’ security within the home.
- Ring has represented that its Ring Stick Up Cam lets users “[a]dd security anywhere you need it,” “[p]rotect your home,” and “[w]atch over home.”
- Since September 2019, Ring has marketed the Ring Indoor Cam as “Small in size. Big on peace of mind.” Ring encouraged customers to “[b]ring protection inside with the mini marvel….”
- With the tagline “See your home. Away from home,” Ring displays pictures on the Ring website of a Ring camera monitoring children’s bedrooms.
- The claims in Paragraphs 8-11 have implied to reasonable consumers that Ring devices are a secure means to monitor the private spaces of consumers’ homes. Reasonable consumers have understood that Ring’s security claims have implied, in part, a claim of digital security, because a lack of digital security would impede the devices’ basic function: their ability to “protect [the] home,” “[b]ring protection inside,” and allow customers to “[s]ee your home...[a]way from home,” as Ring’s website promises. If, for example, a hacker could readily compromise the device’s digital security and turn off the security camera, the device would have no value as the security monitoring product that the consumer purchased. Moreover, reasonable consumers have understood that Ring’s security claims have implied, in part, a claim of digital security, because a lack of digital security creates the very risk of harm that the device was intended to minimize, such as where a hacker stalks, harasses, or threatens the consumer or her family members through a compromised device.
Defendant Ring gave every Ring employee and contractor unnecessary and unrestricted access to customers’ sensitive video data.
- Despite promising greater security as its products’ core feature, Ring ignored information security considerations when management believed they would interfere with growth. In pursuit of rapid product development, before September 2017, Ring did not limit access to customers’ video data to employees who needed the access to perform their job function (e.g., customer support, improvement of that product, etc.). To the contrary, Ring gave every employee—as well as hundreds of Ukraine-based third-party contractors—full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function.
- Not only could every Ring employee and Ukraine-based third-party contractor access every customer’s videos (all of which were stored unencrypted on Ring’s network), but they could also readily download any customer’s videos and then view, share, or disclose those videos at will. Before July 2017, Ring did not impose any technical or procedural restrictions on employees’ ability to download, save, or transfer customers’ videos.
- Ring also did not train employees to handle customers’ sensitive video data with care, even though all employees and third-party contractors had this broad access and some were tasked with reviewing customers’ video data for various purposes, including customer support, product improvement, and research and development. Ring distributed an employee handbook that prohibited misuse of Ring data and required employees to sign a Proprietary Information and Inventions Agreement that prohibited data misuse. However, despite the fact that Ring was collecting mass quantities of highly sensitive data, Ring did not conduct any training on privacy or data security before May 2018—or otherwise advise employees or third-party contractors that customers’ video data was sensitive and should be treated as such.
- This approach to access meant that Ring’s employees and third-party contractors had dangerous—and unnecessary—access to highly sensitive data. For example, although a customer service agent might need access to the video data of a particular customer to troubleshoot a problem, that same customer service agent had unfettered access to videos belonging to thousands of customers who never contacted customer service. Although an engineer working on Ring’s floodlight camera might need access to some video data from outdoor devices, that engineer had unrestricted access to footage of the inside of customers’ bedrooms.
- As a result of this dangerously overbroad access and lax attitude toward privacy and security, employees and third-party contractors were able to view, download, and transfer customers’ sensitive video data for their own purposes. For example, between June and August 2017, a Ring employee viewed thousands of video recordings belonging to at least 81 unique female users (including customers and Ring employees) of Ring Stick Up Cams. The employee focused his prurient searches on cameras with names indicating that they surveilled an intimate space, such as “Master Bedroom,” “Master Bathroom,” or “Spy Cam.” On hundreds of occasions during this three-month period, the employee perused female customers’ and employees’ videos, often for an hour or more each day. Undetected by Ring, the employee continued spying for months.
- Ring failed to detect this inappropriate access through any technical means. By good fortune, in August 2017, an employee discovered her co-worker’s actions and reported the misconduct to her supervisor. Initially, the supervisor discounted the report, telling the female employee that it is “normal” for an engineer to view so many accounts. Only after the supervisor noticed that the male employee was only viewing videos of “pretty girls” did the supervisor escalate the report of misconduct. Only at that point did Ring review a portion of the employee’s activity and, ultimately, terminate his employment.
- In September 2017, in response to this incident, Ring narrowed employee access to customers’ video data somewhat, so that customer service agents could only access videos with the customers’ consent. Despite this narrowing of access for customer service agents, Ring continued to allow others—including hundreds of employees and Ukraine-based third-party contractors—access to all video data, regardless of whether particular engineers actually needed to have access to that data to perform their job function.
- Granting employees such grossly overbroad and unmonitored access continued to cause harm. In January 2018, a male employee used his broad access rights to spy on a female colleague through her videos. Using her email address as a look-up mechanism, the employee identified his female co-worker’s device and watched her stored video recordings without her permission.
- After this second known instance of employee misconduct related to customers’ sensitive video data, Ring belatedly narrowed access to video data. In February 2018—when improving security practices to make Ring more appealing to potential acquirers—Ring finally started limiting the videos used for research and development to videos posted by customers to Ring’s Neighbors app, and those for which employees, contractors, and their friends and family had given their written consent for such use. Also in February 2018, as part of this belated clean-up effort, Ring changed access rights so that engineers (both employees and Ukraine-based third-party contractors) could only access customer videos if they had a business need to do so.
- Despite these changes, Ring’s culture of overly broad access to sensitive information continued to result in harm to consumers. First, in February 2018, a Ukraine-based third-party contractor created an unauthorized “tunnel” or pathway to Ring services in an attempt to access customer video data. Ring failed to detect this intrusion by any technical means. Only when an employee happened to report the misconduct did Ring remove the Ukrainian team’s ability to create such unauthorized pathways. Second, in May 2018, another employee gave information about a customer’s video recordings to the customer’s ex-husband without the customer’s consent. Third, in August 2020, a whistleblower notified Ring that between March 2018 and September 2019, a former employee had provided Ring devices to numerous individuals and then accessed their videos without their knowledge or consent. When the employee left Ring in September 2019, the whistleblower alleged that he took copies of these videos with him—without the knowledge or consent of his unsuspecting victims and without Ring noticing that anything was amiss.
- In February 2019, Ring changed its access practices so that most Ring employees or contractors could only access a customer’s private video with that customer’s consent.
- Importantly, because Ring failed to implement basic measures to monitor and detect inappropriate access before February 2019, Ring has no idea how many instances of inappropriate access to customers’ sensitive video data actually occurred. Indeed, Ring only discovered the incidents described above through the good fortune of employee reporting, despite having given employees zero security training and no responsibility to engage in such reporting. It is highly likely that numerous other incidents of spying, prurient behavior, and other inappropriate access occurred entirely undetected.
Defendant Ring did not adequately notify or obtain customers’ consent before allowing thousands of employees and contractors to watch video recordings of customers’ private spaces.
- Even when Ring employees and third-party contractors may have had a business purpose to access video recordings of customers’ private spaces on particular occasions (e.g., to train algorithms by labeling people or objects, to provide customer service for a particular account), Ring did not adequately notify customers or obtain customers’ consent for extensive human review of customers’ private video recordings.
- Before December 2017, Ring’s Terms of Service and Privacy Policy did not inform customers that Ring employees and contractors would have the right to review all video recordings for product improvement and development. In the middle of lengthy terms dense with legalese, Ring merely described the company’s right to use recordings obtained in connection with Ring’s (then called Doorbot’s) cloud service for product improvement and development. As a result of this buried half-explanation, customers had no reasonable way of knowing that hundreds of Ring employees and third-party contractors in Ukraine had unfettered access to live streams and stored videos of customers in their bedrooms, their bathrooms, their children’s nurseries, and elsewhere in and outside their homes.
- Between December 2017 and January 2018, Ring described its use of device recordings for product improvement and development in its Privacy Policy, but buried this description in dense and lengthy legalese. To obtain customers’ “consent” for this invasive review of highly sensitive data, Ring merely required customers to check a box acknowledging that they agreed to Ring’s Terms of Service and Privacy Policy.
- Only in January 2018 did Ring finally begin to take steps to obtain consumers’ consent for review of their sensitive video data for research and development purposes. At that point, Ring began limiting research and development to videos publicly posted on the Internet or for which employees, contractors, and their friends and family had given their written consent for such use on a document that clearly informed the consumer of Ring’s review of their video data.
- Ring’s paltry process for informing customers and obtaining their “consent” before January 2018 was especially harmful because, as described in Paragraphs 13-24, Ring allowed hundreds of employees and third-party contractors to access and view customers’ private spaces, rather than limiting access for product improvement and development to a few, well-trained employees whose compliance with reasonable access policies was carefully monitored.
Defendant Ring Failed to Secure Ring Devices From Credential Stuffing and Brute Force Attacks
- Before January 2020, Ring systematically failed to appreciate and control for the risk of at least two types of well-known online attacks: "credential stuffing" and "brute force." With a credential stuffing attack, the attacker finds breached login credentials (e.g., usernames and passwords) on the Internet and then uses them to try to access consumers’ accounts on other systems or services not associated with the original breach. If a consumer has reused a breached username and password when creating a Ring account, the bad actor can gain full access to the consumer’s account. Relatedly, a brute force attack involves an automated process of password guessing—for example, by cycling through breached credentials, entering well-known passwords or variations of well-known passwords—hundreds or thousands of times.
- Because these are well-known forms of attack, there are many standard security measures for preventing such attacks. For example, requiring a unique password (i.e., one not previously used before) helps prevent credential stuffing, and requiring strong, complex passwords reduces the likelihood that an attacker can use brute force to guess the credential.
- Another common method of preventing such attacks is to notify users of suspicious logins—that is, when someone logs into their account from a new device or suspicious IP address. A third method is to monitor and notify users of concurrent sessions—e.g., when two devices are simultaneously logged into the same account. A fourth method is called “rate limiting,” a process of blocking repeated attempts in rapid succession to log into (a) the same account with different passwords or (b) multiple accounts from the same IP address. And a fifth method is to compare passwords that device owners try to set against known compromised credentials to ensure no reuse of breached passwords.
- Finally, another highly effective method of protecting user accounts is multi-factor authentication, which requires the user to provide at least two different forms of authentication (such as a password plus a code texted to a mobile device). Using multiple factors provides much greater security than a single factor (i.e., a password) alone, because a compromised password, by itself, is not enough to access the account. Companies that hold sensitive consumer information frequently use multi-factor authentication to protect that data. For this reason, many of Ring’s competitors made multi-factor authentication available to their customers long before Ring finally did in May 2019.
- Indeed, after April 2018, Ring could have used a trust management system called Transaction Risk Management System or “TRMS.” Ring did not adopt TRMS.
- In 2017 and 2018, Ring experienced multiple credential stuffing attacks. In a 2019 document justifying the belated implementation of one security control (a Web Application Firewall or “WAF”), Ring employees wrote of the 2017-2018 attacks: “Unwittingly, we aid and abet those [hackers] who breached the data by not having any mitigations in place.” In this document, the author notes that Ring permitted “thousands of requests [for account access] per second” from a single IP address (i.e., a single user), rather than an appropriate “half dozen per day.” The author notes, “If we can slow the attacker down, they will definitely look elsewhere, as we’ve destroyed their economic model of cheap and fast bulk verification of stolen user account credentials.”
- Knowing this, Ring should have implemented controls to prevent a recurrence of such attacks, especially when available controls (such as requirements for strong and unique passwords) were easy to implement at low cost.
- Second, Ring received numerous reports of vulnerabilities relevant to credential stuffing and brute force attacks through Ring’s “bug bounty” program. This program rewards security researchers and white hat hackers with “bounties” (i.e., payments) in exchange for identifying security vulnerabilities. Between September 2017 and April 2019, the program received four separate bug bounty reports about Ring authentication portals being vulnerable to credential stuffing and brute force attacks, because Ring did not use effective rate limiting. Indeed, one researcher reported in April 2019 that he was able to “guess my own password [to a Ring login] after 1000 tries without getting detected.”
- Third, in December 2018 and April 2019, there were numerous media reports of credential stuffing attacks, including attacks against devices made by Ring competitor Nest. Ring was aware both of reported attacks on Nest and of how susceptible Ring was to similar attacks, based on Ring’s lack of key security features.
- Finally, Ring also received pointed warnings from its own security testing personnel. Specifically, penetration tests conducted by a third-party security firm pointed to the weakness in Ring’s password requirements for customer accounts. Rather than requiring strong, complex passwords, Ring permitted users to set very simple passwords for their accounts, such as abcd1234. Permitting users to set easily guessable passwords heightened the risk that any credential stuffing or brute force attack would succeed.
- The few security measures Ring did implement to address these risks were too little and too late. For example, Ring made two-factor authentication available to customers in May 2019 (long after this feature had been routine for other companies holding sensitive data), but did not take reasonable steps to encourage its adoption, such as through user-friendly opt-ins for existing customers and default opt-outs for new users. As a result, only a tiny fraction of customers—less than 2%—adopted this optional security feature in 2019.
- In addition, although Ring implemented some forms of rate limiting before July 2019, not all authentication portals were covered. Moreover, what rate limiting Ring did implement (to prevent multiple login attempts in rapid succession to the same account) did only half the job: Ring failed to block multiple attempts in rapid succession to log into different accounts from the same IP address. As a result of Defendant’s failures to act (or to act in full), between January 2019 and March 2020, more than 55,000 U.S. customers suffered from credential stuffing and brute force attacks that compromised Ring devices. Through these attacks, bad actors gained access to hundreds of thousands of videos of the personal spaces of consumers’ homes, including their bedrooms and their children’s bedrooms—recorded by devices that Ring sold by claiming that they would increase consumers’ security.
- Ring took some short-term steps to correct the problem beginning in July 2019, such as locking accounts, resetting passwords, disconnecting devices, and recommending good password practices and the use of two-factor authentication. Ring also implemented certain new security measures, such as a web application firewall and encrypting video data at rest (which numerous competitors had long before implemented). However, Ring did not take other, more effective measures to prevent the attacks, such as those described in Paragraphs 31-34.
- Because Ring did not take these measures, the attacks continued to succeed. For example, on December 12, 2019, prominent media outlets began publishing reports about hacked Ring devices, where hackers used access to cameras to harass and threaten children and families.
- During the course of these attacks, approximately 55,000 U.S. customers suffered serious account compromises. For at least 910 U.S. accounts (affecting approximately 1,250 devices), the bad actor not only accessed the accounts, but took additional invasive actions, such as accessing a stored video, accessing a live stream video, or viewing a customer’s profile. The bad actors disproportionately targeted indoor cameras. Even though indoor cameras are a relatively small subset of Ring’s product offerings, approximately 500 of the 1,250 compromised devices in the U.S. (i.e., approximately 40% of the compromised devices in the U.S.) were Stick Up Cams or Indoor Cams, both of which Defendant markets for indoor use.
- In many cases, these instances of unauthorized access were not short-lived invasions. In at least 20 instances, for example, the bad actors maintained unauthorized access to the accounts’ devices for more than one month.
- In many instances, the bad actors were not just passively viewing customers’ sensitive video data. Rather, the bad actors took advantage of the camera’s two-way communication functionality to harass, threaten, and insult individuals—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to set off alarms and change important device settings. Examples of the harassment, slurs, and threats that consumers experienced include the following:
- Several women lying in bed heard hackers curse at them;
- Several children were the objects of hackers’ racist slurs;
- A teenager was sexually propositioned;
- An 87-year-old woman in an assisted living facility was sexually propositioned and physically threatened;
- A hacker told an individual through her camera that the hacker had killed the individual’s mother and then directly threatened the individual: “Tonight you die”;
- After a hacker taunted one child in the bedroom she shared with her siblings, the child developed a strong fear of her bedroom and required therapy and physical changes to her room to help her overcome her fear;
- One hacker threatened a family with physical harm if they did not pay a ransom in Bitcoin;
- A hacker told a woman that her location was being tracked and that her device would self-destruct at the end of his countdown; she disconnected the device before his countdown ended.
- Consumers whose accounts were hacked told Defendant in emailed complaints that they felt “terrified,” “extremely traumatiz[ed],” “appalled,” and “fear[ful].”
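The two rate-limiting dimensions this section describes, (a) repeated attempts on the same account and (b) attempts on multiple accounts from the same IP address, are shown below as an added Python example; it is not taken from the Complaint or from any Ring system. The class name, thresholds, account names, passwords and IP addresses are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict, deque


class LoginThrottle:
    """Sliding-window login limiter (hypothetical; thresholds are assumptions).

    Dimension (a): failed attempts against one account.
    Dimension (b): distinct accounts that one IP address has failed against.
    """

    def __init__(self, window_s=86400, max_failures_per_account=5,
                 max_accounts_per_ip=6):
        self.window_s = window_s
        self.max_failures_per_account = max_failures_per_account
        self.max_accounts_per_ip = max_accounts_per_ip  # None disables (b)
        self._by_account = defaultdict(deque)  # account -> (ts, ip) failures
        self._by_ip = defaultdict(deque)       # ip -> (ts, account) failures

    def _prune(self, queue, now):
        # Drop failures that have aged out of the window.
        while queue and now - queue[0][0] >= self.window_s:
            queue.popleft()

    def check(self, account, ip, now):
        """Decide, before any password comparison, whether to allow the attempt."""
        acct_q, ip_q = self._by_account[account], self._by_ip[ip]
        self._prune(acct_q, now)
        self._prune(ip_q, now)
        if len(acct_q) >= self.max_failures_per_account:
            return False, "account_locked"
        if self.max_accounts_per_ip is not None:
            tried = {acct for _, acct in ip_q}
            if account not in tried and len(tried) >= self.max_accounts_per_ip:
                return False, "ip_blocked"
        return True, "ok"

    def record_failure(self, account, ip, now):
        self._by_account[account].append((now, ip))
        self._by_ip[ip].append((now, account))

    def record_success(self, account):
        # Reset only the per-account counter. The per-IP history is kept,
        # because a stuffing run contains occasional successful logins.
        self._by_account[account].clear()


def replay(events, throttle, passwords):
    """Replay (ts, ip, account, password) events and count the outcomes."""
    outcomes = Counter()
    for ts, ip, account, password in events:
        allowed, reason = throttle.check(account, ip, ts)
        if not allowed:
            outcomes[reason] += 1
        elif passwords.get(account) == password:
            throttle.record_success(account)
            outcomes["login_ok"] += 1
        else:
            throttle.record_failure(account, ip, ts)
            outcomes["login_failed"] += 1
    return dict(outcomes)


# Constructed sample data: 50 accounts; user40 reused a password that
# appears in the (constructed) breached list replayed below.
PASSWORDS = {f"user{i}@example.test": f"pw-{i}" for i in range(50)}


def stuffing_events(ip="203.0.113.9"):
    """One IP tries each account once with a breached pair (constructed)."""
    return [(i, ip, f"user{i}@example.test",
             "pw-40" if i == 40 else f"leaked-{i}") for i in range(50)]


def brute_force_events(ip="198.51.100.4", account="user3@example.test"):
    """One IP tries 20 guesses against a single account (constructed)."""
    return [(i, ip, account, f"guess-{i}") for i in range(20)]


if __name__ == "__main__":
    account_only = LoginThrottle(max_accounts_per_ip=None)
    print("stuffing, (a) only :", replay(stuffing_events(), account_only, PASSWORDS))
    print("stuffing, (a)+(b)  :", replay(stuffing_events(), LoginThrottle(), PASSWORDS))
    print("brute force        :", replay(brute_force_events(), LoginThrottle(), PASSWORDS))
```

With dimension (b) disabled, the replayed run never trips the per-account limit because each account sees a single failure, which is why a limiter covering only dimension (a) does not stop this pattern.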
Defendant Ring’s Unreasonable Data Security and Privacy Practices
- From at least 2016 through January 2020, Ring engaged in a number of unreasonable data security and privacy practices. Among other things, Ring:
- before September 2017, gave all employees and third-party contractors access to consumers’ sensitive video data, regardless of whether the employee or contractor needed such access to perform his or her job function;
- before July 2017, did not impose any technical restrictions on employees’ and third-party contractors’ ability to view, download, save or transfer customers’ videos;
- before January 2018, did not restrict engineers’ access to consumers’ sensitive video data to what the engineers needed to perform their job function;
- before January 2018, failed to monitor employees’ and third-party contractors’ access to customers’ sensitive video data;
- before January 2018, failed to obtain customers’ consent to review their sensitive video data for research and development and product improvement purposes;
- before January 2018, failed to detect employees’ and third-party contractors’ unauthorized access to customers’ sensitive video data through technical means;
- before May 2018, did not provide employees or third-party contractors with any data security training or other training on the proper handling of consumers’ sensitive video data;
- before August 2019, did not encrypt customers’ video data at rest, despite the sensitivity of this data;
- before January 2020, failed to implement reasonable safeguards to prevent credential stuffing or brute force attacks against cameras sold for use in private spaces of the home, enabling hackers to compromise accounts.
Defendant Ring’s Unreasonable Data Security and Privacy Practices Harmed Consumers
- Defendant’s failures to take reasonable steps to prevent unauthorized access to the live feeds and stored videos of cameras marketed by Ring for use in intimate areas of customers’ homes have caused or are likely to cause substantial injury to consumers in the form of, among other things, direct monetary loss. First and foremost, consumers did not receive the benefit of their bargain; they believed they were purchasing reasonably private and secure devices but in fact received devices that compromised their privacy and security. In addition, consumers suffered other injuries, including time spent remedying the problem (such as filing police reports and researching and purchasing more secure devices). Moreover, the exposure of customers’ sensitive video data increases the likelihood that consumers or their property will be targeted for theft, stalking, harassment, or other criminal activity. Defendant’s failures to provide reasonable security have increased the likelihood that consumers’ personal activities and conversations or those of their family members, including young children, will be observed and recorded by strangers over the Internet, and that downloaded or screen-captured copies of these videos would be used by strangers for purposes of extortion, harassment, or public embarrassment. These risks impair consumers’ peaceful enjoyment of their homes, increase consumers’ susceptibility to physical tracking or stalking, and reduce consumers’ ability to control the dissemination of private video feeds.
- Similarly, Ring’s unreasonable review practices have caused or were likely to cause substantial injury. Enabling hundreds of employees and third-party contractors to access private videos taken in intimate areas of consumers’ homes placed consumers at risk from the exposure of their personal information. Consumers were also injured by the unwarranted invasion into the peaceful enjoyment of their homes. This surreptitious review of the private details of individual and family life—including images of visitors, children, family interactions, partially undressed individuals, and people engaged in intimate conduct—caused actual consumer harm.
- Ring’s customers had no way of independently knowing about Ring’s security and privacy failures and could not reasonably have avoided possible harms from such failures.
- Ring could have prevented or mitigated these failures through readily available and relatively low-cost measures.
VIOLATIONS OF THE FTC ACT
- Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce.”
- Misrepresentations or deceptive omissions of material fact constitute deceptive acts or practices prohibited by Section 5(a) of the FTC Act.
- Acts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. § 45(n).
Count I
- In numerous instances, in connection with the advertising, marketing, promotion, offering for sale, or sale of home security cameras and related devices and services, Defendant has represented, directly or indirectly, expressly or by implication, that Defendant took reasonable steps to ensure that Ring cameras are a secure means to monitor private areas of consumers’ homes.
- In truth and in fact, in numerous instances in which Defendant has made the representations set forth in Paragraphs 8-11, Defendant did not take reasonable steps to ensure that Ring cameras are a secure means to monitor private areas of consumers’ homes.
- Therefore, Defendant’s representations as set forth in Paragraph 56 are false or misleading and constitute deceptive acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
Count II
- Defendant allowed thousands of employees and contractors to access video recordings of customers’ intimate spaces without customers’ knowledge or consent.
- Defendant’s actions have caused, cause, or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.
- Therefore, Defendant’s acts or practices as set forth in Paragraph 59 constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(a), (n).
Count III
- In numerous instances, Defendant has failed to provide reasonable security to prevent unauthorized access to the live feeds and stored videos of its cameras, which Defendant offered to consumers for the purpose of monitoring and securing private areas of their homes.
- Defendant’s actions have caused, cause, or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.
- Therefore, Defendant’s acts or practices as set forth in Paragraph 62 constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(a), (n).
CONSUMER INJURY
- Consumers are suffering, have suffered, and will continue to suffer substantial injury as a result of Defendant’s violations of the FTC Act. Absent injunctive relief by this Court, Defendant is likely to continue to injure consumers and harm the public interest.
PRAYER FOR RELIEF
Wherefore, Plaintiff requests that the Court:
- Enter a permanent injunction to prevent future violations of the FTC Act by Defendant; and
- Award monetary and other relief within the Court’s power to grant.
Respectfully submitted,
Dated: 5/31/2023
ELISA JILLSON Attorneys for Plaintiff Federal Trade Commission
STIPULATED ORDER FOR INJUNCTION AND MONETARY JUDGMENT
Plaintiff, the Federal Trade Commission (“Commission”), filed its Complaint for Injunction and Other Relief (“Complaint”) in this matter, pursuant to Section 13(b) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 53(b). Defendant has waived service of the summons and the Complaint. Plaintiff and Defendant stipulate to the entry of this Stipulated Order for Injunction and Monetary Judgment (“Order”) to resolve all matters in dispute in this action between them without requiring the Commission to file an administrative complaint pursuant to 16 C.F.R. Part 3 and then seek monetary relief in federal court pursuant to Section 19(a)(2) of the FTC Act.
THEREFORE, IT IS ORDERED as follows:
FINDINGS
-
This Court has jurisdiction over this matter.
-
The Complaint charges that Defendant participated in deceptive and unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45, related to the privacy and security of video data collected by Defendant’s home security cameras.
-
Defendant neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Order. Only for purposes of this action, Defendant admits the facts necessary to establish jurisdiction.
-
Defendant waives any claim that it may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agrees to bear its own costs and attorney fees.
-
Defendant and Plaintiff waive all rights to appeal or otherwise challenge or contest the validity of this Order.
DEFINITIONS
For purposes of this Order, the following definitions apply:
-
"Affected Work Product" means any models or algorithms identified or reasonably identifiable by the Defendant as having been developed in whole or in part from review and annotation of Pre-March 2018 Covered Recordings.
-
"Affirmative Express Consent" means any freely given, specific, informed, and unambiguous indication of an individual’s wishes demonstrating agreement by the individual, such as by a clear affirmative action, following a Clear and Conspicuous disclosure to the individual, apart from any privacy policy, terms of service, terms and conditions, or terms of use of all information material to the provision of such consent. The following actions do not constitute Affirmative Express Consent:
- Acceptance of general or broad terms of use or similar communication;
- Hovering over, muting, pausing, or closing a given piece of content; or
- Agreement obtained through a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
-
"Authorized User" means the primary account holder associated with a Covered Home Security Product, and any user of a Covered Home Security Product authorized to access the account associated with the Covered Home Security Product by the primary account holder.
-
"Clear(ly) and conspicuous(ly)" means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:
- In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented. In any communication made through both visual and audible means, such as a television advertisement, the disclosure must be presented simultaneously in both the visual and audible portions of the communication even if the representation requiring the disclosure (“triggering representation”) is made through only one means.
- A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
- An audible disclosure, including streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
- In any communication using an interactive electronic medium, such as the internet or software, the disclosure must be unavoidable.
- On a product label, the disclosure must be presented on the principal display panel.
-
The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the triggering representation appears.
-
The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.
-
The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication in which the disclosure is made.
-
When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, “ordinary consumers” includes ordinary members of that group.
-
"Covered Home Security Camera" means any internet-enabled home security camera that Defendant designs, markets, and offers to consumers primarily for personal and residential use to record video.
-
"Covered Home Security Product" means any Covered Home Security Camera and any related service that Defendant designs, markets, and offers to consumers to collect or store Covered Home Security Recordings (such as a subscription service or mobile application).
-
"Covered Home Security Recording" means any pre-recorded or live-streaming audio, video, or photographic data collected by or on behalf of Defendant through a Covered Home Security Camera and, if such data is pre-recorded, stored by Defendant on behalf of the customer, except for audio, video, or photographic data (1) made publicly accessible on the internet, or made available to a party other than Defendant, by an Authorized User; or (2) submitted, with the Authorized User’s Affirmative Express Consent, to the Defendant for customer service, marketing, or research and development purposes.
-
"Covered Incident" means any instance: (1) that results in Defendant notifying, pursuant to a statutory or regulatory requirement, any U.S. federal, state, or local government entity that Covered Home Security Recordings of or about an individual were, or are reasonably believed to have been, accessed, acquired, or publicly exposed without authorization; or (2) in which Defendant discovers that Covered Home Security Recordings of 10 or more Ring Accounts were, or are reasonably believed to have been, accessed, acquired, or publicly exposed without authorization. “Covered Incident” does not include any instance where the Covered Home Security Recordings were encrypted and the encryption key was not also accessed or acquired by an unauthorized person.
- "Covered Information" means the following information from or about an individual consumer that Defendant collects through a Covered Home Security Product, including any website or application that Defendant designs, markets, and offers to consumers: (1) authentication credential(s) sufficient to provide access to a user's Ring Account, such as a user name and password; (2) a credit card, debit card, or financial institution account number; or (3) a Covered Home Security Recording.
-
"Face Embedding" means data, such as a numeric vector, derived in whole or in part from an image of an individual’s face.
-
"Pre-March 2018 Covered Recordings" means Covered Home Security Recordings collected before March 1, 2018 and reviewed and annotated by employees or contractors for research and development purposes.
-
"Defendant" means Ring LLC (“Ring”) and its successors and assigns.
-
"Ring Account" means any account provided by or on behalf of Defendant to any Authorized User through which an Authorized User may access any Covered Home Security Recording.
-
"Ring Principal Executive Officer" means the individual serving as the Chief Executive Officer of Defendant, or such other officer (regardless of title) that is designated in Defendant’s bylaws or by resolution as having the duties of the principal executive officer of Defendant, acting solely in his or her official capacity on behalf of Defendant. In the event that such position is jointly held by two or more persons, then each of such persons shall be deemed to be a Ring Principal Executive Officer.
ORDER
I. PROHIBITION AGAINST MISREPRESENTATIONS ABOUT PRIVACY AND SECURITY
IT IS ORDERED that, for twenty years after entry of this Order, Defendant and Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the manufacturing, advertising, promotion, offering, sale, or distribution of any Covered Home Security Product, must not misrepresent in any manner, expressly or by implication:
- The extent to which, or the purposes for which, Defendant or any contractor working on Defendant’s behalf accesses, reviews, or discloses Covered Information; or
- The extent to which Defendant secures Covered Home Security Products against online attacks resulting from external actors’ misuse of valid authentication credentials of users of Covered Home Security Products.
II. MANDATED DELETION OF DATA AND AFFECTED WORK PRODUCT
IT IS FURTHER ORDERED that:
-
Defendant and Defendant’s officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with the manufacturing, advertising, promotion, offering, sale, or distribution of any Covered Home Security Product, must, unless prohibited by law:
- Within thirty (30) days of entry of this Order, delete or destroy all Pre-March 2018 Covered Recordings;
- Within ninety (90) days of entry of this Order, delete or destroy all Face Embeddings collected before March 1, 2018, including through any Pre-March 2018 Covered Recordings; and
- Within ninety (90) days of entry of this Order, delete or destroy any Affected Work Product unless such deletion is technically infeasible, in which case the Ring Principal Executive Officer must provide a written statement to the Commission within ninety (90) days of entry of this Order, sworn under penalty of perjury, identifying any such Affected Work Product, certifying that such deletion or destruction is technically infeasible, and providing a reasonable explanation for that determination. The written statement must be based on the personal knowledge of the Principal Executive Officer or subject matter experts upon whom the Principal Executive Officer reasonably relies in making the statement.
-
Defendant must, within ninety (90) days of entry of this Order, provide a written statement to the Commission, sworn under penalty of perjury, confirming the deletion or destruction of all Covered Home Security Recordings, Face Embeddings, and Affected Work Product covered by Subprovision II.A above.
III. MANDATED PRIVACY AND DATA SECURITY PROGRAM
IT IS FURTHER ORDERED that Defendant must, within one hundred and eighty (180) days of entry of this Order, establish and implement, and thereafter maintain for twenty (20) years after entry of this Order, a comprehensive privacy and data security program (the “Program”) that protects the privacy, security, confidentiality, and integrity of Covered Information. To satisfy this requirement, Defendant must, at a minimum:
-
Document in writing the relevant content, implementation, and maintenance of the Program.
-
Provide the written program and any evaluations thereof or updates thereto to a senior officer responsible for the Program at least once every twelve (12) months and, in the event of a Covered Incident, within thirty (30) days after completion of response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner.
-
Designate a qualified employee or employees to coordinate and be responsible for the Program.
-
Assess and document, at least once every twelve (12) months and, in the event of a Covered Incident, within thirty (30) days after completion of a response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner, internal and external risks to the privacy, security, confidentiality, or integrity of Covered Information that could result in: (1) unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information; or (2) misuse, loss, theft, alteration, destruction, or other compromise of such information.
- Design, implement, maintain, and document safeguards that control for the internal and external risks Defendant identifies to the privacy, security, confidentiality, or integrity of Covered Information identified in response to the assessment of risks. Each safeguard must be based on the volume and sensitivity of Covered Information at risk, and the likelihood that the risk could be realized and result in: (1) unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Covered Information; or (2) misuse, loss, theft, alteration, destruction, or other compromise of such information. Such safeguards must include:
- Not permitting any human review by Defendant’s employees or contractors of any Covered Home Security Recording, unless, prior to such review, Defendant:
- Implements a policy prohibiting such review unless it is:
- Required by law or legal process (such as a court order or search warrant);
- In connection with an investigation of suspected or actual illegal activity;
- To establish, exercise, or defend Defendant’s legal rights;
- Necessary or appropriate to prevent physical or other harm or financial loss; or
- Otherwise authorized by an Authorized User via Affirmative Express Consent.
-
Requires any employee or contractor in a role that involves accessing Covered Home Security Recordings for human review to attest that they will only access or view the Covered Home Security Recording for the specified purpose.
-
Requires that employees or contractors be trained on how to review Covered Home Security Recordings in accordance with the purpose specified by Defendant.
-
Periodically verify, at least once every twelve (12) months, that Defendant is restricting access to Covered Home Security Recordings as required.
-
Training of all employees and contractors whose responsibilities include access to Covered Information, at least every twelve (12) months, on how to safeguard Covered Information; provided, however, that this requirement shall not obligate Defendant to provide training to employees and contractors whose responsibilities only include access to encrypted Covered Information without the ability to decrypt them;
-
Data access controls for employee or contractor access to all databases and assets storing Covered Home Security Recordings, including by, at a minimum:
- Restricting inbound connections to approved IP addresses.
- Requiring multi-factor authentication methods for all employees, contractors, and affiliates in order to access any assets (including databases) storing Covered Home Security Recordings. Defendant may use equivalent industry authentication options that are not multi-factor, if the person responsible for the Program under Subprovision III.C: (1) approves in writing the use of such equivalent authentication options; and (2) documents a written explanation of how the authentication options are at least equivalent to the security provided by multi-factor authentication;
- Limiting access to Covered Home Security Recordings to only what is needed for an employee's or contractor’s job function; and
- Reviewing, at least once every twelve (12) months, employee and contractor access to Covered Home Security Recordings to ensure that the employee or contractor needs continued access to the Covered Home Security Recordings to perform the employee or contractor's job function; provided, however, that this requirement shall not obligate Defendant to implement data access controls for
- Technical measures to log and monitor employee and contractor access to Covered Information, including each instance in which a Covered Home Security Recording is accessed; provided, however, that this requirement shall not obligate Defendant to log and monitor access by employees and contractors to encrypted Covered Information without the ability to decrypt it;
- Technical measures to secure Covered Home Security Products from online attacks resulting from the misuse of valid authentication credentials of users of Covered Home Security Products, such as:
- Where passwords are used to secure users' Ring Accounts, requiring that users use strong passwords to secure their Ring Accounts, and recommending that they use unique passwords; and
- Requiring multi-factor authentication methods be provided as an option for consumers to access Covered Home Security Recordings. Defendant may use equivalent industry authentication options that are not multi-factor, if the person responsible for the Program under Subprovision III.C: (1) approves in writing the use of such equivalent authentication options; and (2) documents a written explanation of how the authentication options are at least equivalent to the security provided by multi-factor authentication; and
-
Assess, at least once every twelve (12) months and, in the event of a Covered Incident, within thirty (30) days after completion of response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner, the sufficiency of any safeguards in place to address the internal and external risks to the privacy, security, confidentiality, or integrity of Covered Information (and, if conducted following a Covered Incident, related to the Covered Incident), and modify the Program as needed based on the results;
-
Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and, in the event of a Covered Incident, within thirty (30) days after completion of response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner (and, if conducted following a Covered Incident, related to the Covered Incident), and modify the Program as needed based on the results. Such testing and monitoring must include:
- Vulnerability testing of Defendant's network(s) once every four (4) months and, in the event of a Covered Incident, within thirty (30) days after completion of response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner (and, if conducted following a Covered Incident, related to the Covered Incident);
hardware or software update to the Covered Home Security Product and, in the event of a Covered Incident relating to a Covered Home Security Product, within thirty (30) days after completion of response to the Covered Incident or ninety (90) days after the Covered Incident, whichever is sooner; and
- Penetration testing of Defendant's access controls described in Subprovision III.E(4) at least once every twelve (12) months and, in the event of a Covered Incident, within thirty (30) days after completion of response to the Covered Incident or sixty (60) days after the Covered Incident, whichever is sooner (and, if conducted following a Covered Incident, related to the Covered Incident);
-
Select and retain service providers capable of safeguarding Covered Information they access through or receive from Defendant, and contractually require such service providers to implement and maintain safeguards sufficient to address the internal and external risks to the privacy, security, confidentiality, or integrity of Covered Information; and
-
Evaluate and adjust the Program in light of any changes to Defendant's operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in Subprovision III.D of this Order, or any other circumstances that Defendant knows or has reason to know may have an impact on the effectiveness of the Program. At a minimum, Defendant must evaluate the Program at least once every twelve (12) months and modify the Program as needed based on the results.
IV. ASSESSMENTS BY A THIRD PARTY
IT IS FURTHER ORDERED that, in connection with its compliance with the Provision of this Order titled Mandated Privacy and Data Security Program, Defendant must obtain initial and biennial assessments (“Assessment(s)”):
- The Assessment must be obtained from one or more qualified, objective, independent third-party professionals ("Assessor(s)") who: (1) use procedures and standards generally accepted in the profession; (2) conduct an independent review of the Program; (3) retain all documents relevant to each Assessment for five (5) years after completion of such Assessment; and (4) will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld by the Assessor(s) on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim. Defendant may obtain separate assessments for (1) privacy and (2) security, confidentiality, and integrity from multiple Assessors, so long as each of the Assessors meets the qualifications set forth above;
-
For each Assessment, Defendant must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name(s), affiliation(s), and qualifications of the proposed Assessor(s), which the Associate Director shall have the authority to approve in her or his sole discretion.
- The reporting period for the Assessments must cover: (1) the first year after the entry date of the Order for the initial Assessment; and (2) each two-year period thereafter for twenty (20) years after entry of the Order for the biennial Assessments;
-
Each Assessment must, for the entire assessment period:
- Determine whether Defendant has implemented and maintained the Program required by Provision III of this Order titled Mandated Privacy and Data Security Program.
- Assess the effectiveness of Defendant’s implementation and maintenance of Subprovisions III.A-I.
- Identify any gaps or weaknesses in, or instances of material noncompliance with, the Program.
- Address the status of gaps or weaknesses in, or instances of material noncompliance with, the Program that were identified in any prior Assessment required by this Order.
- Identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of the Defendant's size, complexity, and risk profile; and (b) sufficient to justify the Assessor's findings. No finding of any Assessment shall rely primarily on assertions or attestations by Defendant's management. The Assessment must be signed by the Assessor and must state that the Assessor conducted an independent review of the Program, and did not rely primarily on assertions or attestations by Defendant's management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that Defendant revises, updates, or adds one or more safeguards required under Subprovision III.E of this Order in the middle of an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard;
-
Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Defendant must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “FTC v. Ring LLC.” All subsequent biennial Assessments must be retained by Defendant until the Order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.
V. COOPERATION WITH THIRD-PARTY ASSESSOR(S)
IT IS FURTHER ORDERED that Defendant, whether acting directly or indirectly, in connection with any Assessment required by Provision IV of this Order titled Assessments by a Third Party, must:
- Provide or otherwise make available to the Assessor all information and material in its possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege or work product protection.
- Provide or otherwise make available to the Assessor information about Covered Home Security Products, Defendant’s network(s), and all of Defendant’s IT assets that are relevant to the Assessor’s determination of the scope of the Assessment, and to provide visibility to those portions of the networks and IT assets deemed in scope.
- Disclose all material facts to the Assessor(s), and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor's: (1) determination of whether Defendant has implemented and maintained the Program required by Provision III of this Order titled Mandated Privacy and Data Security Program; (2) assessment of the effectiveness of the implementation and maintenance of Subprovisions III.A-I; or (3) identification of any gaps or weaknesses in, or instances of material non-compliance with, the Program.
VI. CERTIFICATIONS
IT IS FURTHER ORDERED that, one year after the entry date of this Order, and each year thereafter for twenty (20) years after the entry of this order:
- Defendant must provide the Commission with a certification from the Ring Principal Executive Officer that Defendant:
- Has established, implemented, and maintained the requirements of this Order.
- Is not aware of any material noncompliance with the requirements of this Order that has not been disclosed to the Commission.
- Each certification must be based on the personal knowledge of the Principal Executive Officer or subject matter experts upon whom the Principal Executive Officer reasonably relies in making the certification.
- Unless otherwise directed by a Commission representative in writing, Defendant must submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “FTC v. Ring LLC.”
VII. COVERED INCIDENT REPORTS
IT IS FURTHER ORDERED that, for twenty (20) years after entry of this order, within a reasonable time after Defendant’s discovery of a Covered Incident, but in any event no later than ten (10) days after the Defendant first notifies any United States federal, state, or local entity of a Covered Incident or determines that no such notice is needed, the Defendant must submit a report to the Commission. The report must include, to the extent possible:
- The date, estimated date, or estimated date range when the Covered Incident occurred.
- A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known.
- The number of consumers whose Covered Home Security Recordings were affected by the Covered Incident.
- The acts that Defendant has taken to date to remediate the Covered Incident and protect Covered Home Security Recordings from further exposure or access, and protect affected consumers from identity theft or other harm that may result from the Covered Incident.
- A representative copy of any materially different notice sent by Defendant to consumers or to any U.S. federal, state, or local government entity.
Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “FTC v. Ring LLC.”
VIII. NOTICES TO CUSTOMERS
IT IS FURTHER ORDERED that Defendant must:
- Identify all consumers who had Ring accounts before February 1, 2018 (“eligible customers”). Ring must take reasonable efforts to identify such eligible customers, and their contact information. Eligible customers include those identified at any time.
- Notify all identified eligible customers by emailing each a notice in the form shown in Attachment A. The emailing of the notification letter must not include any other enclosures.
- Notify all eligible customers within 180 days after the entry date of this Order and any eligible customers identified thereafter within 30 days of their identification.
IX. MONETARY JUDGMENT
IT IS FURTHER ORDERED that:
- Judgment in the amount of five million eight hundred thousand dollars ($5,800,000) is entered in favor of the Commission against Defendant.
- Defendant is ordered to pay to the Commission five million eight hundred thousand dollars ($5,800,000), which, as Defendant stipulates, their undersigned counsel holds in escrow for no purpose other than payment to the Commission.
- Such payment must be made within seven (7) days of entry of this Order by electronic fund transfer in accordance with instructions previously provided by a representative of the Commission.
X. ADDITIONAL MONETARY PROVISIONS
IT IS FURTHER ORDERED that:
- Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.
- The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission to enforce its rights to any payment or monetary judgment pursuant to this Order, such as a nondischargeability complaint in any bankruptcy case.
- The facts alleged in the Complaint establish all elements necessary to sustain an action by or on behalf of the Commission pursuant to Section 523(a)(2)(A) of the Bankruptcy Code, 11 U.S.C. § 523(a)(2)(A), and this Order will have collateral estoppel effect for such purposes.
- Defendant acknowledges that its Taxpayer Identification Numbers (Social Security Numbers or Employer Identification Numbers), which Defendant must submit, may be used for collecting and reporting on any delinquent amount arising out of this order, in accordance with 31 U.S.C. § 7701.
- All money paid to the Commission pursuant to this Order may be deposited into a fund administered by the Commission or its designee to be used for equitable relief, including consumer redress and any attendant expenses for the administration of any redress fund. If a representative of the Commission decides that direct redress to consumers is wholly or partially impracticable or money remains after redress is completed, the Commission may apply any remaining money for such other equitable relief (including consumer information remedies) as it determines to be reasonably related to Defendant’s practices alleged in the Complaint. Any money not used for such equitable relief is to be deposited to the U.S. Treasury as disgorgement. Defendant has no right to challenge any actions the Commission or its representatives may take pursuant to this Subprovision.
XI. CUSTOMER INFORMATION
IT IS FURTHER ORDERED that Defendant must directly or indirectly provide sufficient customer information to enable the Commission to efficiently administer consumer redress. If a representative of the Commission requests in writing any information related to redress, Defendant must provide it, in the form prescribed by the Commission, within fourteen (14) days.
XII. ACKNOWLEDGMENTS OF THE ORDER
IT IS FURTHER ORDERED that Defendant obtain acknowledgments of receipt of this Order:
- Defendant, within seven (7) days of entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
- For three (3) years after the entry date of this Order, Defendant must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members of Defendant; (2) all employees, agents, and representatives of Defendant managing conduct related to the subject matter of the Order; and (3) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reporting. Delivery must occur within seven (7) days of entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.
- From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.
XIII. COMPLIANCE REPORTING
IT IS FURTHER ORDERED that Defendant make timely submissions to the Commission:
- One year after the entry date of this Order, Defendant must submit a compliance report, sworn under penalty of perjury:
- Defendant must: (a) identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Defendant; (b) identify all of Defendant's subsidiaries that collect, maintain, use, or disclose, or provide access to Covered Home Security Recordings by all of their names, telephone numbers, and physical, postal, email, and internet addresses; (c) describe the activities of each such subsidiary, including the goods and services offered, the means of advertising, marketing, and sales; (d) describe in detail whether and how Defendant is in compliance with each Provision of this Order; and (e) provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.
- For ten (10) years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in: (a) any designated point of contact; or (b) the structure of Defendant that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary that engages in any acts or practices subject to this Order.
- Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendant within fourteen (14) days of its filing.
- Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _______,” and supplying the date, signatory’s full name, title (if applicable), and signature.
- Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “FTC v. Ring LLC.”
XIV. RECORDKEEPING
IT IS FURTHER ORDERED that Defendant must create certain records for ten (10) years after the entry date of the Order and retain each such record for five (5) years. Specifically, Defendant must create and retain the following records:
- Accounting records showing the revenues from all goods or services sold relating to the subject matter of the Order, the costs incurred in generating those revenues, and resulting net profit or loss.
- Personnel records showing, for each person who participates in conduct related to the subject matter of this Order, whether as an employee or otherwise, that person’s: name, job title or position, and dates of service.
- Records of all consumer complaints and refund requests related to the subject matter of this Order received through Defendant’s customer service channels, and any response, except to the extent that deletion of such records has been requested by a consumer.
- A copy of each unique advertisement or other marketing material making a representation subject to this Order.
- A copy of each widely externally-disseminated representation by Defendant that describes the extent to which, or the purposes for which, Defendant or any employee or contractor working on Defendant’s behalf accesses or reviews any Covered Home Security Recording.
- All records necessary to demonstrate full compliance with this Order, including all submissions to the Commission, all notices distributed pursuant to Provision VIII, and all documents related to Defendant’s verifications pursuant to Subprovision III.E.2.
XV. COMPLIANCE MONITORING
IT IS FURTHER ORDERED that, for the purpose of monitoring Defendant’s compliance with this Order:
- Within fourteen (14) days of receipt of a written request from a representative of the Commission, Defendant must:
- Submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.
- For matters concerning this Order, representatives of the Commission are authorized to communicate directly with Defendant. Defendant must permit representatives of the Commission to interview any employee or other person affiliated with Defendant who has agreed to such an interview. The person interviewed may have counsel present.
- The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission's lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.
XVI. RETENTION OF JURISDICTION
IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.
SO ORDERED this 16th day of June, 2023.
Jia M. Cobb
United States District Judge
SO STIPULATED AND AGREED:
FOR PLAINTIFF
Elisa Jillson (DC Bar No. 989763)
Andrew Hasty (DC Bar No. 103398)
Miles Plant (NY Bar No. 4901583)
Julia Horwitz (DC Bar No. 1018561)
FOR DEFENDANT:
Date: May 24, 2023
Aaron McGrath
Alexandra Scott (CA Bar No. 320012)*
Attorneys for Defendant
ATTACHMENT A
[Ring Letterhead]
Dear Neighbor,
On [date], we entered into a settlement with the Federal Trade Commission – the nation’s consumer protection agency – to resolve the FTC’s allegations that more employees and contractors than necessary had access to the stored videos collected by Ring cameras. The FTC alleges that several years ago, a limited number of employees viewed customers’ videos without their permission and without a business reason. These individuals are no longer employed by Ring.
Since 2018, we have significantly changed our access and review practices. Now, only a very small number of employees can access videos, and only in very limited circumstances. You can learn more about our privacy practices at [XXX].
Visit [XXX] for more information about this settlement.