VTech’s Hacked Toys: How Not to Rebuild Your Reputation After a Cyber Attack

Anything can be hacked. Even toys. Toy manufacturer VTech found this out the hard way late last year when its network for children’s tablets was hacked. Most unnervingly, this included photographs and voice recordings of children playing with the device. The perpetrator of the hack allegedly carried out the attack to teach the company a lesson about cybersecurity and hope that it straightens up.
At least it should have learned something anyway. The attack showed that the company was securing its data with outdated protocols and FireEye was hired to clean the mess up. And in the last few weeks, VTech’s ugly brush was bad publicity seemed to have died down until it emerged that the company had made some unflattering changes to its terms and conditions for European customers.
Crucially, the company attempted to absolve itself of any blame or responsibility for its customers’ data. It stated: “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.
“Use of the site and any software or firmware downloaded therefrom is at your own risk.”
VTech appeared to be covering its tracks in case anything ever went wrong in the future. A spokesperson for Vtech said that the updates are “limiting the company’s liability for the acts of third parties such as hackers … Such limitations are commonplace on the web.”
Unfortunately for the company, that doesn’t look like it’s going to fly with lawyers wading into the debate over liability. One lawyer said that language like this in terms and conditions can be used to discourage customers from taking legal action but that is not the true.
“[U]nder European and UK law the obligation is on the company in control of the data to take appropriate steps to protect the information from unauthorized disclosure or access,” he said. “Even if VTech did try and argue that people were contractually prohibited from bringing a claim, it is a difficult position for the firm to take.”
The UK’s information commissioner agrees. Its office came down hard on VTech this week for its shrewd update to the terms and conditions as well, stating that company would very much remain responsible for the data, at least in the UK.