Data regulator casts doubt on new VTech T&Cs

Hacked VTech changes terms of use to leave parents responsible for data breaches

The Information Commissioner's Office (ICO) has cast doubt on the legality of new terms and conditions introduced by VTech that, it is claimed, leave parents responsible for any future data breaches.

VTech's database was hacked last November, exposing five million customers' accounts to hackers, including around 200,000 children's names, genders and dates of birth.

Advertisement - Article continues below

Security expert Troy Hunt revealed on his blog this week that VTech subsequently changed its T&Cs in December to deny any responsibility for future hacks.

They now read: "You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties."

But Hunt said in his blog: "There are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility."

VTech tried to defend its dramatic shift in policy by saying that no company can guarantee it will not fall victim to a hack, but, asked by IT Pro whether VTech's new terms were in accordance with UK data protection legislation, the ICO said: "The law is clear that it is organisations handling people's personal data that are responsible for keeping that data secure."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Industry experts have also panned VTech's response to the hack, with independent computer security analyst, Graham Cluley, saying the company's attitude is: "Sod the kids' privacy and security, the lawyers have covered our arse."

He told IT Pro: "We all understand that companies can suffer hacks. What's important is how an organisation responds to such incidents.

"Do they treat it as a call to improve things and make security a central part of their make-up, do they act openly and transparently to reassure their customers, or do they call in the lawyers to cover their butts for when they inevitably suffer from another security scare?"

Security firm ESET's specialist, Mark James, added that by burying the new policy in its T&Cs which were only discovered this week VTech is doing parents a disservice.

"To shift ownership over to the users is bad enough in it itself but to make it known through walls of text in T&Cs or EULAs is a bad way to do it, no one honestly reads it, especially a parent trying to set up something for their children," he said.

Advertisement - Article continues below

Hunt added: "VTech (or anyone else for that matter) cannot simply just absolve themselves of that responsibility in their terms and conditions. People don't even read these things!"

Both Cluley and James believe parents will buy elsewhere, rather than risk their children's privacy.

"VTech has made its choice.  Savvy parents will makes theirs as well," Cluley said. 

James added: "Our minors' data should be ultra-important for any organisation and protecting that should be their number one priority. If voting with your feet is the best way to make them understand then maybe that's the right thing to do."

IT Pro has approached VTech for comment, but had not received a response at the time of publication.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/security/ethical-hacking/356252/poorly-secured-banking-apps-lead-to-cyber-threats
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020
Visit/security/malware/356231/most-malware-came-through-https-connections-in-q1-2020
malware

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020
Visit/security/phishing/356211/phishing-attacks-target-unsuspecting-wells-fargo-customers
phishing

Phishing attacks target unsuspecting Wells Fargo customers

24 Jun 2020
Visit/security/hacking/356210/trump-administration-wants-to-enhance-the-security-of-gov-sites
hacking

Trump administration wants to enhance the security of .gov sites

24 Jun 2020

Most Popular

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020