IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Data regulator casts doubt on new VTech T&Cs

Hacked VTech changes terms of use to leave parents responsible for data breaches

Single red open padlock amongst many blue closed padlocks in rows

The Information Commissioner's Office (ICO) has cast doubt on the legality of new terms and conditions introduced by VTech that, it is claimed, leave parents responsible for any future data breaches.

VTech's database was hacked last November, exposing five million customers' accounts to hackers, including around 200,000 children's names, genders and dates of birth.

Security expert Troy Hunt revealed on his blog this week that VTech subsequently changed its T&Cs in December to deny any responsibility for future hacks.

They now read: "You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties."

But Hunt said in his blog: "There are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility."

VTech tried to defend its dramatic shift in policy by saying that no company can guarantee it will not fall victim to a hack, but, asked by IT Pro whether VTech's new terms were in accordance with UK data protection legislation, the ICO said: "The law is clear that it is organisations handling people's personal data that are responsible for keeping that data secure."

Industry experts have also panned VTech's response to the hack, with independent computer security analyst, Graham Cluley, saying the company's attitude is: "Sod the kids' privacy and security, the lawyers have covered our arse."

He told IT Pro: "We all understand that companies can suffer hacks. What's important is how an organisation responds to such incidents.

"Do they treat it as a call to improve things and make security a central part of their make-up, do they act openly and transparently to reassure their customers, or do they call in the lawyers to cover their butts for when they inevitably suffer from another security scare?"

Security firm ESET's specialist, Mark James, added that by burying the new policy in its T&Cs which were only discovered this week VTech is doing parents a disservice.

"To shift ownership over to the users is bad enough in it itself but to make it known through walls of text in T&Cs or EULAs is a bad way to do it, no one honestly reads it, especially a parent trying to set up something for their children," he said.

Hunt added: "VTech (or anyone else for that matter) cannot simply just absolve themselves of that responsibility in their terms and conditions. People don't even read these things!"

Both Cluley and James believe parents will buy elsewhere, rather than risk their children's privacy.

"VTech has made its choice.  Savvy parents will makes theirs as well," Cluley said. 

James added: "Our minors' data should be ultra-important for any organisation and protecting that should be their number one priority. If voting with your feet is the best way to make them understand then maybe that's the right thing to do."

IT Pro has approached VTech for comment, but had not received a response at the time of publication.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022