By Electronic Frontier Foundation (Reporter)
VTech: We Are Not Liable If We Fail to Protect Your Data, EFF: Oh Yes You Are!

Thursday, March 10, 2016 6:07

(Before It's News)

If you are a company that collects customer data, it’s your job to protect it. Your customers expect it. You can’t dodge that responsibility by altering your terms and conditions, especially when finding those terms on your website is the equivalent of playing “Where’s Waldo?”

This is not only outrageous, but in EFF’s view, also not legally enforceable.

VTech, Hong Kong-based maker of many children’s digital toys, apparently doesn’t see things this way.

First, a little background. In November 2015, VTech was hacked and the information of as many as 6.3 million children and 4.8 million parents was compromised. The data exposed by the breach included children’s names, ages, genders, photos, and chat logs, along with information linking them to their parents and their home addresses. After downplaying the extent of the hack, VTech finally came forward with the details, including an estimate of the number of victims by country of residence.

The hack was remarkable because, after a year of other high-profile breaches like Ashley Madison and OPM, VTech was found to be using spectacularly outdated security practices and software. For instance, the site where user accounts were created was served without SSL encryption, the company was scrambling user passwords with severely weak MD5 hashes, and API calls were returning the results of unrelated database queries when they should have been locked down, among other problems.

Since then, VTech has been working with experts to improve its security, and the results are visible, most obviously in the company’s webpages, which are now served over SSL. However, given the company’s basically non-existent security just a few months ago, it’s surprising that its strategy for reassuring customers consists of disclaiming all responsibility for protecting user information.

In an obscure link, the company says this of its responsibility to protect user information:

We know that there’s no such thing as “perfect” security, but when you are caught with bad practices in a banner year for data breaches, you should be dedicated to securing your users’ information instead of hiring lawyers to sneakily limit your liability. That goes double when the supposed exemption from liability is communicated to users by burying it deep inside a mountain of text.

The near-complete opacity with which these changes to the terms and conditions were communicated becomes even more obvious given their absence from the website specifically designed to tell parents the status of the services affected by the breach. Instead, on that page, VTech paints a picture of working hard to protect user data and tells parents and children they can rest easy:

A mention or a link to VTech absolving itself of all responsibility in case of a breach would have been nice here.

Lastly, in two of VTech’s major markets, the US and Europe, experts agree that these terms and conditions may be unenforceable. In Europe, data protection laws require companies to secure their customers’ data.

In the United States, EFF’s view is that the Children’s Online Privacy Protection Act (COPPA) requires companies collecting data from children under 13 to use reasonable means to protect it. This is what the first COPPA FAQ on the FTC website applicable to service providers says:

Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security

Given the new terms’ near-unenforceability, the significant lack of good faith in communicating them to users, and the ill will they are garnering from the Internet at large, VTech should do the right thing and get rid of them.

VTech’s resources would be better spent ensuring its customers’ sensitive data is secure, instead of finding ways to get out of that responsibility via legal trickery.



Source: https://www.eff.org/deeplinks/2016/03/vtech-we-are-not-liable-if-we-fail-protect-your-data-eff-oh-yes-you-are
