VTech, a British toymaker with 6.3 million children’s accounts, was hacked, giving the hackers access to photos and chat logs of children. It has recently emerged that the toymaker has since changed its terms and conditions to state that parents must assume responsibility for future breaches, sparking outrage amongst parents.
VTech makes educational toys and gadgets for children under 9 years old, sells home monitoring products including baby cameras, and runs an online service called Learning Lodge that allows children to download games and lessons. In December 2015, Learning Lodge was hacked and the details of 2.2 million parents and 2.9 million children, such as names and addresses (which are unequivocally regarded as personal data across the European Economic Area), were stolen. The hacker also claimed to have taken thousands of photos and chat logs.
The Learning Lodge service was disabled for two months after the hack but was active online again from early February this year.
The new terms and conditions read:
"You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.
"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.
"You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk."
"Recognising such, you understand and agree that neither VTech nor [its partners] or employees will be liable to you for any damages of any kind."
The BBC reported that VTech defended its decision to shift responsibility onto parents, stating:
"No company that operates online can provide a 100% guarantee that it won't be hacked. The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company's liability for the acts of third parties such as hackers. Such limitations are commonplace on the web."
Some security specialists, however, including Troy Hunt, a security developer at Microsoft, have reportedly condemned VTech’s attempts to "absolve themselves of that responsibility in their terms and conditions", whilst data security company Blancco has taken this as a demonstration that the company "doesn't understand the importance of managing data". Presumably, according to these commentators, whilst no company can categorically undertake to prevent or be immune from a breach, the VTech statement purports to absolve the company from any responsibility for a breach. That is contrary not only to the Data Protection Directive 94/46/EC (and the relevant local enabling legislation across the EEA), but also to the provisions of the Draft General Data Protection Regulation. It appears to be of particular concern that this position would be taken by a manufacturer such as VTech, which has a significant market share and holds personal data of children, a class of persons specifically addressed by the General Data Protection Regulation (admittedly still in draft form but reflective of market sentiment).