It was like stealing data from a baby.
In 2015, electronic toy company VTech learned from a journalist that a hacker had accessed its computer network and the customer information within it, including personal information about children who were using the company’s Kid Connect mobile app.
On Jan. 8, in the Federal Trade Commission’s first children’s privacy case involving connected toys, VTech Electronics Limited and its U.S. subsidiary agreed to settle charges filed by the FTC after the incident, according to an FTC press release. The commission files a complaint when it has reason to believe that the law has been violated and a proceeding would be in the public interest. VTech will pay $650,000 as part of the settlement.
The FTC said that VTech had violated the Children’s Online Privacy Protection Act (COPPA) – a U.S. children’s privacy law the governs the collection of personal information from children – by not only collecting such information without parental consent, but also by failing to properly protect that data from threat actors.
COPPA stipulates that any company collecting personal information online from minors under the age of 13 must clearly disclose to parents the information it collects and how that information will be used. Furthermore, reasonable measures must be taken to secure sensitive data provided by children.
The Office of the Privacy Commissioner of Canada collaborated with the FTC under the U.S. SAFE WEB Act, which allows the commission to share information with foreign counterparts when it identifies deceptive or unfair practices that transcend national borders.
VTech reportedly collected personal information from parents during registration on its Learning Lodge platform, where the Kid Connect app could be downloaded, and via the now-defunct web-based gaming and chat platform Planet VTech. Required data included the parent’s name and email address, as well as the child’s name, date of birth and gender.
So far, so good.
This turned out to be a moot point, since the policy falsely stated that personal information submitted by users through these two portals would be encrypted. None of it was – leading to the allegation that VTech did not take reasonable steps to protect the information it collected through Kid Connect.
“Reasonable steps” would have included safeguards and security measures protecting transmitted and stored information, and there should have been a system that would have notified the company of an unauthorized intrusion into the network.
Whether it’s advisable for kids to be playing with connected toys at all will continue to be a point of debate among parents and experts for years to come – but the fact is that, in an increasingly connected world, these products are going to make their way into children’s hands at some point or another.
Let this incident serve as an example for other toymakers hanging their hopes on connected playthings for children. Others would do well to learn from VTech’s mistakes and produce toys that are not only fun for kids to play with, but protect them from opportunistic cyber crooks and, of course, grant their parents the peace of mind that nothing bad will happen when their children use these games and toys that are touted as “educational.”
“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used, and that they take reasonable steps to secure that data,” acting FTC Chairman Maureen K. Ohlhausen said in a statement. “Unfortunately, VTech fell short in both of these areas.”