Questioning how Flock Safety protects sensitive user accounts, Sen. Ron Wyden and Rep. Raja Krishnamoorthi want the FTC to investigate the police surveillance tech provider.
# Industry News: Lawmakers Target Flock Safety Over Alleged Lapses in Account Security
## Summary
US lawmakers have formally requested the FTC investigate Flock Safety, a prominent police surveillance technology provider, citing reports of weak cybersecurity practices, specifically the failure to mandate multi-factor authentication (MFA). This action suggests growing regulatory scrutiny over how companies handling sensitive government and public data secure their platforms, particularly concerning access controls. The investigation could set a precedent for security standards in the broader public sector technology market.
## Key Details
- Date: November 3rd, 2025 (Date of the letter)
- Companies Involved: Flock Safety, Federal Trade Commission (FTC), Sen. Ron Wyden, Rep. Raja Krishnamoorthi.
- Category: Regulatory Scrutiny / Governance & Compliance
## The Story
Sen. Ron Wyden and Rep. Raja Krishnamoorthi sent a letter to FTC Chairman Andrew Ferguson urging an investigation into Flock Safety's cybersecurity posture. The specific complaints center on Flock Safety allegedly not requiring its law enforcement customers to use Multi-Factor Authentication (MFA), and its voluntary system not supporting phishing-resistant MFA. Reports cited by the lawmakers indicate at least 35 Flock customer accounts have been compromised. The concern is amplified because Flock's automated license plate reader (ALPR) data tracks millions of Americans, and improper password sharing has allegedly allowed unauthorized cross-agency access to this sensitive surveillance data. The lawmakers explicitly referenced previous FTC actions against companies like Uber and Drizly for similar MFA failures.
## Business Impact
### For the Companies Involved
- **Flock Safety:** Faces immediate reputational damage and significant regulatory risk. An FTC investigation, especially one referencing prior enforcement actions, could lead to mandated security remediation, potentially involving costly upgrades, process overhauls, and increased compliance overhead. This could slow down expansion or contract negotiations.
- **FTC:** The involvement signals the agency is willing to apply existing consumer protection frameworks (like misuse of data due to negligence) to high-profile surveillance technology vendors when personal data is at risk, regardless of the customer being a government entity.
### For Competitors
- Competitors in the police technology and surveillance space (e.g., Vigilant Solutions, public safety SaaS providers) may face increased scrutiny from potential government clients who will now demand stronger evidence of robust security features like mandatory, phishing-resistant MFA before contracting. This incident raises the security baseline expectation across the sector.
### For Customers
- Law enforcement agencies using Flock Safety will face pressure from internal IT departments, oversight committees, and the public to verify their own access controls and potentially mandate stronger security layers on their side, even if the vendor defaults are weak.
### For the Market
- This highlights a significant maturity gap in security implementation within the public safety technology sector. There is an emerging market trend toward demanding "security by design," especially for systems aggregating PII and location data. Government procurement processes may start explicitly requiring adherence to frameworks that mandate strong authentication.
## Technical Implications
The core technical issue is **authentication strength**. Without mandatory MFA, accounts are exposed to password spraying and to credential stuffing with passwords leaked in third-party breaches; without phishing-resistant MFA (such as FIDO2/WebAuthn), accounts that do enroll can still be phished. The reported ability for agents to access other agencies' data via password sharing indicates a fundamental flaw in granular access control and identity management architecture, pointing to potential deficiencies in the underlying cloud infrastructure or application-layer controls.
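As an added illustration (not taken from the article or from Flock Safety), the following defender-side audit runs over constructed sign-in records and flags the two weaknesses described above: accounts without phishing-resistant MFA, and accounts whose usage suggests a shared password. The record fields, account and agency names, MFA method labels and the device threshold are all assumptions.

```python
from collections import defaultdict

# Assumption: method labels as an identity provider might export them.
PHISHING_RESISTANT = {"webauthn", "fido2", "piv"}
RANK = {"none": 0, "phishable": 1, "phishing-resistant": 2}

# Constructed sample records:
# (account, account's home agency, agency network of the session, device id, MFA method)
EVENTS = [
    ("acct-101", "agency-a", "agency-a", "dev-01", "webauthn"),
    ("acct-102", "agency-a", "agency-a", "dev-02", "sms"),
    ("acct-201", "agency-b", "agency-b", "dev-03", None),
    ("acct-201", "agency-b", "agency-c", "dev-07", None),
    ("acct-201", "agency-b", "agency-c", "dev-08", None),
    ("acct-301", "agency-c", "agency-c", "dev-09", "totp"),
]

def mfa_tier(method):
    """Classify an MFA method; unknown methods are treated as phishable."""
    if method is None:
        return "none"
    return "phishing-resistant" if method.lower() in PHISHING_RESISTANT else "phishable"

def audit(events, max_devices=2):
    """Return {account: [flags]} for weak MFA and shared-credential indicators."""
    weakest, devices, foreign = {}, defaultdict(set), defaultdict(set)
    for account, home, source, device, method in events:
        tier = mfa_tier(method)
        # Track the weakest factor ever accepted: one password-only login is enough.
        if account not in weakest or RANK[tier] < RANK[weakest[account]]:
            weakest[account] = tier
        devices[account].add(device)
        if source != home:
            foreign[account].add(source)  # account used from another agency's network
    findings = {}
    for account, tier in weakest.items():
        flags = []
        if tier != "phishing-resistant":
            flags.append(f"mfa:{tier}")
        if foreign[account]:
            flags.append("cross-agency:" + ",".join(sorted(foreign[account])))
        if len(devices[account]) > max_devices:
            flags.append(f"devices:{len(devices[account])}")
        if flags:
            findings[account] = flags
    return findings

if __name__ == "__main__":
    for account, flags in audit(EVENTS).items():
        print(account, flags)
```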
## Strategic Analysis
- **Market Positioning:** Flock Safety risks being repositioned from a leading innovator in public safety tech to a high-risk vendor due to demonstrable security vulnerabilities that have already been exploited.
- **Competitive Advantage:** Their "first-mover" advantage in ALPR saturation is directly threatened by concerns over data security, potentially allowing security-focused competitors to gain ground on trustworthiness.
- **Challenges:** Overcoming legislative and public distrust will require transparency (which they are currently avoiding, per the article) and immediate, verifiable remediation of authentication failures. They must prove that an FTC enforcement action is unnecessary.
## Industry Reactions
- **Analyst Opinions:** Analysts will likely view this as a strong signal that the regulatory environment for vendors handling sensitive government/citizen data is hardening. Security audits and due diligence processes during procurement are expected to become significantly stricter industry-wide.
- **Expert Commentary:** Cybersecurity experts will point to this as a classic case where convenience/adoption velocity was prioritized over security fundamentals (MFA not being mandatory).
- **Market Response:** Expect a rise in solution sales centered on identity and access management (IAM) specifically tailored for government and law enforcement software platforms.
## Future Outlook
- **Predictions and Expectations:** The FTC is likely to either launch a formal inquiry or issue a strongly worded warning/request for information, given their history with MFA enforcement. Flock Safety will likely face pressure to immediately roll out mandatory MFA (and hopefully phishing-resistant options) regardless of the outcome.
- **What to watch for:** The FTC's response timeline and any resulting consent order or mandated security upgrades for Flock Safety.
## For Security Professionals
Cybersecurity practitioners involved in vendor risk management (VRM) for state and local government contracts must use this incident as a case study. It underscores the necessity of checking vendor compliance not just against baseline SLAs, but against established best practices (like NIST CSF or Executive Orders) regarding MFA implementation, especially when dealing with third-party systems integrating high volumes of Personally Identifiable Information (PII) or location data. Mandatory MFA should be a non-negotiable term in all vendor contracts.