At the end of last year, Vtech’s Learning Lodge, Kid Connect and PlanetVTech databases were hacked, exposing the data of around 5 million parents and around 6 million children.
Vtech themselves noted that the ‘databases were not as secure as they should have been.’ It has also been noted by many security researchers across the globe, and here at WHITEHACK, that there were gross inadequacies in the security and privacy measures Vtech had in place.
The changes to Vtech’s EULA are somewhat par-for-the-course for large companies, but on the back of such gross failures, it’s a real slap in the face:
assume full responsibility for your use of the site and any software or firmware downloaded therefrom. You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted, or later acquired by unauthorized parties,” stated the revised terms.
They aren’t alone; here’s Apple’s, for example:
APPLE DOES NOT REPRESENT OR GUARANTEE THAT THE SERVICE WILL BE FREE FROM LOSS, CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, OR OTHER SECURITY INTRUSION, AND APPLE DISCLAIMS ANY LIABILITY RELATING THERETO.
The difference is that Apple (and many others) have a large team of security professionals on site and a Bug Bounty Program, and they respond rather quickly to bug bounty submissions from researchers.
In other words, they take pretty reasonable steps (which are expected by the community) to secure the data of people who use the service.
Vtech hadn’t really tried at all to keep user data secure. One cannot guarantee a service is 100% hack proof, but they can certainly take reasonable measures (which Vtech didn’t) to secure private information.
What’s the legality of this EULA, anyway?
(IANAL) In Australia, a EULA cannot absolve you of all responsibility, especially in instances where a person is harmed by a company’s actions or failure to take action, and in the event of a privacy breach it is easy to see how such harm could take place. This is evidenced by the suite of class action suits for privacy breaches (most of which happen under suppression orders) here in Australia, to many people’s surprise.
Further, many people would be surprised to know that there have been cases (all with suppression orders) in Australia of companies being sued not just for a violation of the Privacy Act, but under article 12 of the human rights convention (the right to privacy).
I am not implying that this would be the case for Vtech, but there are multiple class actions against Vtech right now in Australia and the rest of the globe over this incident.
If people are affected by a breach in the future, by Vtech or another, don’t feel bullied by the EULA.
In Australia, is a hacked company required to inform their customers?
There is no specific obligation under the Privacy Act to notify affected individuals or the information commissioner in the event of a breach.
It took Catch of the Day 3 years(!) to inform their customers of a breach, and this was not-so-subtly listed as one of the reasons in the draft proposal being circulated for a mandatory breach notification scheme here in Australia.
This would obligate companies to inform their customers of a serious breach or loss of their private information, so they could take necessary steps to protect themselves, which is a great step forward.
In other news, Vtech, who couldn’t protect pictures of your children playing or their personal information, have launched a new product: a security monitoring system for your house. :\
Listen to this on 2GB here: