The recent data breach involving the personal information of millions of children and their parents from VTech Holdings Ltd., a maker of Internet-connected educational toys and apps, highlights the data security challenges faced by companies and consumers as previously offline products join the Internet of Things. Many software companies that grew out of the Internet - like social networks, Internet advertisers, and online educational platforms - have been learning the data security and children's privacy landscape for more than a decade. Manufacturers that have more recently added Internet connectivity to their products, however, have not. Yet they need to ensure compliance with an unfamiliar regulatory and risk environment.
What is known about the VTech breach is still confined to what the company has disclosed in its consumer notices and information the alleged hacker told Vice Motherboard journalists. According to both, an intruder accessed VTech's user database for Learning Lodge, the app store for VTech educational tablets, and Kid Connect, a text, video and photo messaging service that that can be used between VTech tablets or between smartphones and the tablets. The hack accessed children's and their parents' names, email addresses, app store and Kid Connect network passwords, as well as photos of kids and the content of messages they exchanged. Although VTech is headquartered in Hong Kong, approximately close to half of the affected accounts belonged to children and parents in the United States.
The company's description of how the hack was carried out differs from the self-proclaimed hacker's account. Although the company has described the attack as the "well-planned attack" of a "skilled hacker," the hacker told Vice Motherboard that accessing the data was "pretty easy" using a SQL injection attack - one of the most persistently exploited vulnerabilities for attacking websites. According to some experts who have reviewed the data that was accessed, passwords were stored in easily cracked hash values and password reset questions were stored in plaintext.
The aftermath of the breach has followed a largely familiar script that has come to characterize large-scale data breaches: Numerous class actions have been filed, state attorneys general from Illinois and New Jersey have announced investigations, and although it typically does not announce its privacy investigations, the Federal Trade Commission is likely investigating as well. Also familiar is the expansion of the estimated scope of the breach with successive press releases. Although initially estimated to have affected approximately 200,000 children's accounts and 5 million adult accounts, the VTech subsequently increased those estimates substantially to more than 6 million children's accounts and nearly 6 million parent accounts.
Several facts about the VTech breach should serve as a warning to companies that are adding their products to the IoT, especially products with predominantly children users.
First, companies that collect personal information from children under the age of 13 through online services like Kid Connect and Learning Lodge have a statutory obligation under the Children's Online Privacy Protection Act to protect the security and integrity of that information. When the Federal Trade Commission amended the rules implementing COPPA in 2013, it significantly expanded the types of information about children considered to be "personal information" and included images of children and persistent identifiers, like IP addresses. Numerous types of information that were accessed in the VTech breach, including children's names, photos, email addresses and IP addresses, fall within that definition.
Regulators will also likely pry into whether VTech followed COPPA's strict and sometimes byzantine requirements for obtaining verifiable parental consent before VTtech collected personal information from child users who are under the age of 13. The hack of millions of adults' personal information in breach suggests that VTech did collect parents' information, however, its privacy policy states that it did not consider its products or online services as directed to children under the age of 13. Specifically, its policy states in part: "VTech's information collection practices are targeted toward adults. If VTech requires information about a child, the requests for information are directed at the parents, guardians, or adult educators of the child... VTech does not knowingly solicit or collect PII or Registration Data online directly from children.
Regulators are likely to challenge this position. Although the COPPA does not precisely define when a service is directed to children, regulators will look to the totality of how the service is marketed and its intended users. Simply stating that a service is not directed to children is not determinative.
Although individuals cannot bring a lawsuit for COPPA violations, the FTC and state attorneys general have been increasingly aggressive in bringing enforcement actions under the law. If the FTC or state attorneys general determine that VTech failed to protect the security of children's personal information, the company could face penalties up to $16,000 per violation. Because such penalties would prove catastrophic even when the number of violations is in the thousands, regulators have enormous negotiating leverage in forcing a company to settle on the regulators' terms, which include the payment of significant penalties.
The VTech breach also highlights the importance for companies that are adding Internet connectivity and data collection features to traditionally offline products like toys and consumer electronics. VTech has been in the consumer electronics and electronic learning product business for nearly forty years but is a more recent entrant into operating online services. As companies increasingly add products ranging from toys to ovens to wearable sensors to the IoT, it will be paramount for them to understand the types of data they are collecting, measures they can take to protect the security of the data and the devices, and communicating that information accurately and understandably to consumers.
Originally published in the Daily Journal on December 24, 2015.