Web-Connected Toy Maker Shakes Off Data Breach Class Claims

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

Consumers failed to convince a federal court that statements on packaging materials for an internet-connected children’s toy created data security contractual obligations ( In re VTech Data Breach Litig. , 2017 BL 231910, N.D. Ill., No. 15 CV 10889, 7/5/17 ).

The U.S. District Court for the Northern District of Illinois July 5 dismissed class claims that a VTech Electronics North America LLC affiliate should be contractually liable for a data breach that compromised the personal data of 4.8 million adults and 6.3 million children. The statements that were advertised on the toys’ packaging aren’t parts of a single contract that covers both the advertising and the toys, Judge Manish S. Shah ruled.

According to the plaintiff’s complaint, VTech sells many products that use applications and programs downloaded from the internet. To use these features, VTech required consumers to provide personal information about themselves and their children. The plaintiffs alleged that due to VTech’s inadequate security, a hacker was able to steal plaintiffs’ information stored on the company’s servers.

“Because plaintiffs did not enter into an online services contract at the time of purchase, the complaint does not plausibly allege that VTech breached a contractual obligation to provide those services,” the court held.

Shah has been a Northern District of Illinois Judge since May 2014, and has since granted approximately 45 percent of motions to dismiss in his cases, according to Bloomberg Law Litigation Analytics.

VTech’s parent company, VTech Holdings Ltd., is the 41st largest consumer electronics company in the world, with a $3.85 billion market capitalization, Bloomberg data show. VTech Holdings was previously named in the suit but was terminated as a party in April 2016.

Conflicts, ‘Nonsensical’ Distinctions

Attorneys, however, questioned the court’s reasoning in making a distinction between physical toys and advertisements on packaging for companion online features, such as programs that can be downloaded on a toy tablet.

Allison Fitzpatrick, an advertising and marketing partner at Davis & Gilbert LLP in New York, said the court’s decision “seems at odds” with the federal Children’s Online Privacy Protection Act (COPPA).

The Federal Trade Commission, which enforces COPPA, “recently announced updated guidance for businesses regarding COPPA compliance to reflect developments in the marketplace, specifically identifying internet-connected toys and other devices for children,” Fitzpatrick told Bloomberg BNA. “According to the FTC, COPPA applies not only to websites and mobile apps but can apply to connected toys and other products intended for children that collect personal information, like voice recordings or geolocation data, from children,” she said.

Fitzpatrick said the FTC would “likely take the position that the privacy policy is integral and essential to a connected toy and therefore it would govern the privacy practices of that interactive toy.” The court, however, distinguished registration for online services as a “separate and distinct event, unrelated to the purchase of the toys.”

Warren Stramiello, a computer scientist and counsel focusing on computer security and privacy law at Gallo LLP in San Rafael, Calif., said that the court’s distinction between toys and their online ecosystem “may make sense for some products” but is “nonsensical for products like the VTech devices.”

Stramiello told Bloomberg BNA that “much like an iPod purchaser is paying for an iPod plus access to the iTunes ecosystem, a VTech purchaser is paying for the VTech device plus the VTech online ecosystem.” If that ecosystem isn’t available or is “unreasonably insecure, the purchaser is paying an artificially, and possibly fraudulently, inflated price,” he said.

Increased Scrutiny?

According to Fitzpatrick, “as the internet of things develops, online terms will likely become more essential and integral to connected toys and other children’s devices.”

Fitzpatrick noted that the court seemed to have diverged from COPPA by finding “insufficient harm to confer standing even though the hackers were able to access children’s names, birth dates, photographs and the content of their messages.” Congress enacted COPPA to protect children’s personal information that “could be used to contact them online.”

Fitzpatrick said “the fact that 6.3 million children’s personal profiles were at risk would concern many regulators.” She predicted that “breaches involving children will likely receive greater scrutiny from regulators and lawmakers seeking to protect this vulnerable group.”

Stephan, Zouras LLP; Hinton Law Firm; Morgan & Morgan Complex Litigation Group; Rosen Law Firm PA; Abbott Law Group PA; Wexler Wallace LLP; Heffner Hurst; Keller Rohrback LLP; and Lieff Cabraser Heimann & Bernstein LLP represented the plaintiffs. Steptoe & Johnson LLP represented VTech.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the court's opinion is available at http://src.bna.com/qvZ

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security