Parents v. Tech: We Promise We Can’t Keep Your Kid’s Data Safe


When a data breach happens, most companies send an apologetic e-mail that begins something like, “We deeply regret the exposure of your personal information …” and promise to do better.

Less common are companies that tell customers that, in the future, they’re essentially on their own.

Yet that’s exactly what a Hong Kong-based toymaker did.

Last November, VTech Holdings Ltd. was targeted by a data breach that affected approximately 5 million customer accounts—and children’s profiles. Hackers were able to access names, ages, genders and even pictures of children from the company’s “Learning Lodge” application store, where customers download apps, e-books and other content for VTech's products.

The following month, on the day before Christmas, VTech updated its terms and conditions to put customers on notice, according to Australian cybersecurity specialist Troy Hunt. The updated “Limitation of Liability” section states: “YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES.”

VTech did recognize some limitations to that limitation, however. It said “some of the above limitations may not apply” in jurisdictions that don’t allow the exclusion of certain warranties or the limitation or exclusion of liability for incidental or consequential damages.

Whatever approach companies take on the issue of protecting consumer data, government officials aren’t likely to stand by. According to Allison Fitzpatrick, a partner at Davis & Gilbert LLP, congressional statements in response to the VTech hack indicate that, “breaches involving children’s data will likely receive greater scrutiny from regulators and lawmakers seeking to protect this vulnerable group.”
