Data regulator casts doubt on new VTech T&Cs

Hacked VTech changes terms of use to leave parents responsible for data breaches

The Information Commissioner's Office (ICO) has cast doubt on the legality of new terms and conditions introduced by VTech that, it is claimed, leave parents responsible for any future data breaches.

VTech's database was hacked last November, exposing five million customers' accounts to hackers, including around 200,000 children's names, genders and dates of birth.

Security expert Troy Hunt revealed on his blog this week that VTech subsequently changed its T&Cs in December to deny any responsibility for future hacks.

They now read: "You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties."

But Hunt said in his blog: "There are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility."

VTech tried to defend its dramatic shift in policy by saying that no company can guarantee it will not fall victim to a hack, but, asked by IT Pro whether VTech's new terms were in accordance with UK data protection legislation, the ICO said: "The law is clear that it is organisations handling people's personal data that are responsible for keeping that data secure."

Industry experts have also panned VTech's response to the hack, with independent computer security analyst, Graham Cluley, saying the company's attitude is: "Sod the kids' privacy and security, the lawyers have covered our arse."

He told IT Pro: "We all understand that companies can suffer hacks. What's important is how an organisation responds to such incidents.

"Do they treat it as a call to improve things and make security a central part of their make-up, do they act openly and transparently to reassure their customers, or do they call in the lawyers to cover their butts for when they inevitably suffer from another security scare?"

Security firm ESET's specialist, Mark James, added that by burying the new policy in its T&Cs which were only discovered this week VTech is doing parents a disservice.

"To shift ownership over to the users is bad enough in it itself but to make it known through walls of text in T&Cs or EULAs is a bad way to do it, no one honestly reads it, especially a parent trying to set up something for their children," he said.

Hunt added: "VTech (or anyone else for that matter) cannot simply just absolve themselves of that responsibility in their terms and conditions. People don't even read these things!"

Both Cluley and James believe parents will buy elsewhere, rather than risk their children's privacy.

"VTech has made its choice.  Savvy parents will makes theirs as well," Cluley said. 

James added: "Our minors' data should be ultra-important for any organisation and protecting that should be their number one priority. If voting with your feet is the best way to make them understand then maybe that's the right thing to do."

IT Pro has approached VTech for comment, but had not received a response at the time of publication.

Featured Resources

Five lessons learned from the pivot to a distributed workforce

Delivering continuity and scale with a remote work strategy

Download now

Connected experiences in a digital transformation

Enable businesses to meet the demands of the future

Download now

Simplify to secure

Reduce complexity by integrating your security ecosystem

Download now

Enhance the safety and security of your people, assets and operations

Enable a true vision of security with an engineered solution based on hyperconverged and storage platforms

Download now

Recommended

The Ritz suffers data breach after hackers pose as staff
data breaches

The Ritz suffers data breach after hackers pose as staff

17 Aug 2020
Russia hacked Liam Fox's personal email to steal trade documents
phishing

Russia hacked Liam Fox's personal email to steal trade documents

4 Aug 2020
British teenager charged over Twitter hack
hacking

British teenager charged over Twitter hack

3 Aug 2020
Mid-year report says vulnerabilities up 22% in 2020
hacking

Mid-year report says vulnerabilities up 22% in 2020

30 Jul 2020

Most Popular

Accenture ploughs $3 billion into cloud migration support group
digital transformation

Accenture ploughs $3 billion into cloud migration support group

17 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Google takes on Zoom with launch of Meet hardware
video conferencing

Google takes on Zoom with launch of Meet hardware

16 Sep 2020