Data regulator casts doubt on new VTech T&Cs

Hacked VTech changes terms of use to leave parents responsible for data breaches

The Information Commissioner's Office (ICO) has cast doubt on the legality of new terms and conditions introduced by VTech that, it is claimed, leave parents responsible for any future data breaches.

VTech's database was hacked last November, exposing five million customers' accounts to hackers, including around 200,000 children's names, genders and dates of birth.

Security expert Troy Hunt revealed on his blog this week that VTech subsequently changed its T&Cs in December to deny any responsibility for future hacks.

They now read: "You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties."

But Hunt said in his blog: "There are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility."

VTech tried to defend its dramatic shift in policy by saying that no company can guarantee it will not fall victim to a hack, but, asked by IT Pro whether VTech's new terms were in accordance with UK data protection legislation, the ICO said: "The law is clear that it is organisations handling people's personal data that are responsible for keeping that data secure."

Industry experts have also panned VTech's response to the hack, with independent computer security analyst, Graham Cluley, saying the company's attitude is: "Sod the kids' privacy and security, the lawyers have covered our arse."

He told IT Pro: "We all understand that companies can suffer hacks. What's important is how an organisation responds to such incidents.

"Do they treat it as a call to improve things and make security a central part of their make-up, do they act openly and transparently to reassure their customers, or do they call in the lawyers to cover their butts for when they inevitably suffer from another security scare?"

Security firm ESET's specialist, Mark James, added that by burying the new policy in its T&Cs which were only discovered this week VTech is doing parents a disservice.

"To shift ownership over to the users is bad enough in it itself but to make it known through walls of text in T&Cs or EULAs is a bad way to do it, no one honestly reads it, especially a parent trying to set up something for their children," he said.

Hunt added: "VTech (or anyone else for that matter) cannot simply just absolve themselves of that responsibility in their terms and conditions. People don't even read these things!"

Both Cluley and James believe parents will buy elsewhere, rather than risk their children's privacy.

"VTech has made its choice.  Savvy parents will makes theirs as well," Cluley said. 

James added: "Our minors' data should be ultra-important for any organisation and protecting that should be their number one priority. If voting with your feet is the best way to make them understand then maybe that's the right thing to do."

IT Pro has approached VTech for comment, but had not received a response at the time of publication.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021