Communications Litigation Today was a Warren News publication.
'Lax Attitude'

FTC Settlement Requires Ring to Refund Customers $5.8M for Privacy Lapses

Amazon subsidiary Ring agreed to refund customers $5.8 million as part of its settlement with the FTC over privacy lapses involving access to video recordings on Ring cameras. DOJ's complaint Wednesday (docket 1:23-cv-01549), filed on the FTC's behalf in U.S. District Court for the District of Columbia, alleges Ring violated the FTC Act by allowing thousands of employees and contractors to access video recordings of customers’ "intimate spaces" without customers’ knowledge or consent.

Ring's focus "has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security," emailed a spokesperson Wednesday. "Ring promptly addressed these issues on its own years ago, well before the FTC began its inquiry. While we disagree with the FTC’s allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating on behalf of our customers."

Ring didn’t train employees to handle customers’ sensitive video data with care, “even though all employees and third-party contractors had this broad access,” including those tasked with reviewing customers’ video data for customer support, product improvement, and research and development, said the complaint. The company didn’t do training on privacy or data security before May 2018, it said. It also didn’t “otherwise advise employees or third-party contractors that customers’ video data was sensitive and should be treated as such,” it said.

As a result of Ring’s “lax attitude” toward privacy and security, employees and third-party contractors were able to view, download, and transfer customers’ sensitive video data for their own purposes, said the complaint. In 2017, a Ring employee viewed “thousands” of video recordings belonging to at least 81 female users of Ring Stick Up Cams. The employee focused his “prurient searches” on cameras identified with intimate spaces, such as “master bedroom” or “master bathroom,” said the complaint. For months, the employee viewed female customers’ and employees’ videos, “often for an hour or more each day,” it said. A co-worker discovered and reported the employee.

Bad actors were also able to view some customers’ videos and used Ring cameras’ two-way functionality to "harass, threaten, and insult consumers" -- including elderly individuals and children, whose rooms were monitored by Ring cameras -- "and to change important device settings," the FTC said. Hackers "taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom," the FTC said.

In September 2017, Ring narrowed employee access to users’ video data so customer service agents could access videos only with customers’ consent, but it continued to allow others, including hundreds of employees and Ukraine-based third-party contractors, access to “all video data,” even if their job function didn’t require access to that data, it said.

Despite experiencing "multiple credential-stuffing attacks" in 2017 and 2018, Ring failed to implement common tactics, such as multifactor authentication, until 2019, said the FTC. "Even then, Ring’s sloppy implementation of the additional security measures hampered their effectiveness," the agency said. As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of about 55,000 U.S. customers, the complaint said.

Ring will be required under the stipulated order to delete data, models and algorithms derived from videos it unlawfully reviewed, the FTC said. It also will be required to implement a privacy and security program with "novel safeguards" on human review of videos as well as other stringent security controls, such as multifactor authentication for employee and customer accounts.

The $5.8 million penalty will go toward consumer refunds. Ring will be required to delete any customer videos and data collected from an individual’s face that it obtained before 2018 and delete any work products it derived from these videos, said the commission. The stipulated order will require Ring to alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and to notify consumers about the FTC’s action. The commission voted 3-0 to authorize the complaint and the stipulated final order.