Electronic toy maker VTech’s zero accountability clause puts onus for hacks on parents

[Charlize, 8, and Jaime, 5, play with the Kidizoom Multimedia Digital Camera made by V-Tech on October 28, 2009 in London, England. / Getty Images]

Electronic educational toy maker VTech is facing some flak after it responded to a data breach by updating its terms and conditions to say it isn’t responsible for hacks and security breaches.

The move follows a November leak which saw hackers gaining access to 10 million of the Hong Kong-based company’s customer accounts – including 237,000 Canadian adults and 316,000 Canadian children.

The updated terms and conditions, changed in December, read: “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.”

Jean-Philippe Vergne, an assistant professor of general management at Western University’s Ivey School of Business who has been following the case closely since the leak, says that despite the criticism and calls to boycott, the statement is in fact true.

“Any company could write that down in their terms and conditions because it is basically the case today – no digital communication network is a hundred per cent secure and it will never be,” he says. “The part that’s problematic is the fact that something like this has rarely been stated by a company in this context.”

The wider context being that the hack, the largest ever known targeting kids, contained customer names, email addresses, passwords, IP addresses, mailing addresses and download histories as well as kids’ profile information, including names, genders and dates of birth plus, in some cases, head shots and chat logs between kids and parents.

Vergne points out that online exchanges of videos, images and text are core to the company’s business model.

“Yet the most basic security measures were not taken by the company,” says Vergne, adding that if they were taking all the required safety measures and issued this statement it would be a different story. “But the broader context tells us something different, it tells us, ‘we never really cared about that, and this is not going to change and we can shift legal responsibility, legal reliability to our customers instead of taking responsibility for our own business.’ ”

Patrick Hung, associate professor of information security at the University of Ontario Institute of Technology, says the collection of data through toys and apps geared towards children presents a growing challenge.

“In Canada we have a very restrictive and well-defined privacy act for the healthcare domain. In the toy industry, they see all those safeguards and guidelines and they only talk about the safety of a toy,” he says, adding that those guidelines haven’t caught up to the information-collecting aspect.

While Hung admits it is just speculation, he says a consumer organization or plaintiff may be able to argue that the onus is on VTech to ensure the information is protected.

In a sense, the company, which has built its business around education, has missed an opportunity here.

“Following the hack, they should have published educational material about the baby steps every parent should be aware of regarding communicating securely on the Internet,” says Vergne. The biggest protection measures, of course, include creating stronger passwords with numbers and special characters and ensuring that anytime you exchange secure information you look for the little lock icon in the address bar to verify it will be encrypted.

“I think that would have been a much more responsible response strategy and also very much in line with their reason to be as an educational company,” says Vergne.