In 2015, smart toymaker VTech tripped. And it fumbled a whole lot of frighteningly specific data about children when it did.
Well, allegedly, at any rate. An intruder claimed to have broken into servers and ripped off data s/he said was so sensitive, it made them queasy.
With good reason: the intruder claimed to have accessed photos of kids and parents; chatlogs; and audio files. The FTC said they got first names, genders and birthdays of about 638,000 children. The intruder said they got email addresses; encrypted passwords; secret questions and answers for password retrieval; IP addresses; mailing addresses; and download histories. The personal data pertained to 4,833,678 parents, the intruder said.
On Monday, VTech didn’t admit to wrongdoing, but it did settle Federal Trade Commission (FTC) charges that the company violated children’s privacy law – that would be the Children’s Online Privacy Protection Act (COPPA) – and the FTC Act.
The FTC announced on Monday that VTech had agreed to settle for a civil fine of $650,000.
In a complaint filed by the US Department of Justice on behalf of the FTC, the commission alleged that VTech’s Kid Connect app collected the personal information that was allegedly breached. Kid Connect is a service that allows parents and kids to chat via a mobile phone app and a VTech tablet.
The FTC said in the complaint that VTech “failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices, as required under [COPPA].”
The FTC also alleged that VTech “failed to use reasonable and appropriate data security measures to protect personal information it collected”. The Commission said that this is its first completed children’s privacy case involving internet-connected toys.
The Hong Kong toymaker not only (allegedly) lost the data: it also dinged customer confidence by slipping in a tweaked terms and conditions policy that passed the buck for any future breach to its customers, like so:
You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.
I mean, c’mon, VTech said when it amended the policy in February 2016, a few months after the breach disclosure: security isn’t something you can actually guarantee. CSO Online at the time quoted Grace Pang, head of corporate marketing at VTech Holdings Ltd.:
No company that operates online can provide a 100% guarantee that it won’t be hacked. The Learning Lodge Terms and Conditions[*], like the Terms and Conditions for many online sites and services, simply recognize that fact by limiting the company’s liability for the acts of third parties such as hackers. Such limitations are commonplace on the Web.
(*Learning Lodge allows VTech’s customers to download games, e-books and other educational content to their VTech products, while Kid Connect allows children and parents to exchange voice and text messages, photos, drawings and stickers between its products/services and parents’ smartphones.)
The FTC complaint alleges that VTech didn’t take “reasonable steps to protect the information it collected through Kid Connect, such as implementing adequate safeguards and security measures to protect transmitted and stored information and implementing an intrusion prevention or detection system to alert the company of an unauthorized intrusion of its network.”
It also alleged that VTech violated the FTC Act by stating in its privacy policy that most personal information submitted by users through the Learning Lodge and Planet VTech would be encrypted. It was not, the Commission claims.
Beyond the monetary settlement, VTech is also permanently prohibited from violating COPPA in the future and from misrepresenting its security and privacy practices as part of the proposed settlement. It’s also facing a requirement to roll out a comprehensive data security program that will be subject to biennial, independent audits for 20 years.
Congratulations, FTC, on settling the first case against children’s privacy violations involving connected toys. It’s unlikely to be the last, particularly given how popular connected toys are getting and how privacy and data protection aren’t always high on manufacturers’ priority lists.
Acting FTC Chairman Maureen K. Ohlhausen, from Monday’s announcement of the VTech settlement:
As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data. Unfortunately, VTech fell short in both of these areas.
Mahhn
As much as it makes people unhappy, the reality check is that they are 100% accurate with: “any information you send or receive during your use of xxxxxxxxxx may not be secure and may be intercepted or later acquired by unauthorized parties.”
Any data generated is at risk. It’s not like our upcoming robot overlords won’t be able to access/decrypt anything they want to. Besides, they will only look at it for archeological reasons in a few hundred years, so it won’t matter then.
Rob
Very true, but this isn’t an excuse to save a few bucks by using shoddy programming and ignoring security standards. They “failed to use reasonable and appropriate data security measures to protect personal information it collected.” This makes the likelihood higher.
Mahhn
True
Nate Braun
There is a difference in security between data in transit vs data at rest. I can see their case for limited liability for data in transit across the Internet. But, this was customer data at rest on their own systems. They should be liable for that data loss, and customers should be disappointed with VTech’s responses.