Data regulator casts doubt on new VTech T&Cs

Hacked VTech changes terms of use to leave parents responsible for data breaches

The Information Commissioner's Office (ICO) has cast doubt on the legality of new terms and conditions introduced by VTech that, it is claimed, leave parents responsible for any future data breaches.

VTech's database was hacked last November, exposing five million customers' accounts to hackers, including around 200,000 children's names, genders and dates of birth.

Security expert Troy Hunt revealed on his blog this week that VTech subsequently changed its T&Cs in December to deny any responsibility for future hacks.

They now read: "You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

But Hunt said in his blog: "There are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility."

VTech tried to defend its dramatic shift in policy by saying that no company can guarantee it will not fall victim to a hack, but, asked by IT Pro whether VTech's new terms were in accordance with UK data protection legislation, the ICO said: "The law is clear that it is organisations handling people's personal data that are responsible for keeping that data secure."

Industry experts have also panned VTech's response to the hack, with independent computer security analyst, Graham Cluley, saying the company's attitude is: "Sod the kids' privacy and security, the lawyers have covered our arse."

He told IT Pro: "We all understand that companies can suffer hacks. What's important is how an organisation responds to such incidents.

"Do they treat it as a call to improve things and make security a central part of their make-up, do they act openly and transparently to reassure their customers, or do they call in the lawyers to cover their butts for when they inevitably suffer from another security scare?"

Security firm ESET's specialist, Mark James, added that by burying the new policy in its T&Cs which were only discovered this week VTech is doing parents a disservice.

Advertisement - Article continues below

"To shift ownership over to the users is bad enough in it itself but to make it known through walls of text in T&Cs or EULAs is a bad way to do it, no one honestly reads it, especially a parent trying to set up something for their children," he said.

Hunt added: "VTech (or anyone else for that matter) cannot simply just absolve themselves of that responsibility in their terms and conditions. People don't even read these things!"

Both Cluley and James believe parents will buy elsewhere, rather than risk their children's privacy.

"VTech has made its choice.  Savvy parents will makes theirs as well," Cluley said. 

Advertisement
Advertisement - Article continues below

James added: "Our minors' data should be ultra-important for any organisation and protecting that should be their number one priority. If voting with your feet is the best way to make them understand then maybe that's the right thing to do."

IT Pro has approached VTech for comment, but had not received a response at the time of publication.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020