To the annals of "corporate responsibility," add this gem: Hong Kong toymaker VTech has revised its end-user license agreement to make clear that it can't be held legally responsible for any data breaches. The move follows a high-profile hack of its "connected" toy services that earned the company fourth place on our Top 10 Data Breach Influencers list for 2016 - and not for good reasons (see Why VTech Breach is So Bad - and So Avoidable).
See Also: 2016 State of Threat Intelligence Study
The breach also left VTech with an image problem: Why should consumers trust a company that sells Internet-connected toys - and more recently home automation and security systems - if the business can't even keep children's profiles and chat messages with their parents safe from a hack?
"No company that operates online can provide a 100 percent guarantee that it won't be hacked."
Yet VTech's latest response looks almost laughably flat-footed: It's rewritten the 2,400-word terms and conditions that govern its products - and, let's be frank, which few people read. As Vice first reported, the revised T&C's "limitation of liability" subsection now includes such language as: "You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties."
Responding to VTech's latest move, Australian information security expert Troy Hunt says it shows the company failing to step up to its responsibilities, including where children's data is concerned. Furthermore, he argues, consumers must be able to trust businesses to keep their data secure.
"Look, I'm the first person to acknowledge that there are very few absolutes in security and there always remains some sliver of a risk that things will go wrong, but even then, you, as the organization involved, have to take responsibility," Hunt says in a blog post. "If they honestly don't feel they're up to the task of protecting personal information, then perhaps put that on the box and allow consumers to consciously take their chances rather than implicitly opting into the 'zero accountability' clause."
'Skilled Hacker' Breached Toymaker
What rankles, of course, is that VTech's move comes in the wake of it suffering a serious November 2015 breach. The company says databases for its Learning Lodge, Kid Connect bulletin boards and PlanetVTech website databases were compromised, resulting in the exposure of 7 million kids' profiles and 5 million parents' profiles, including photos and chat logs. About 1.2 million of those kids also had a service called Kid Connect enabled, which allows them to chat with parents via their toys. VTech has blamed the breach on "a skilled hacker," noting that a related police investigation continues. So far, that investigation has resulted in the arrest of one man by British police (see VTech Breach Suspect Arrested).
VTech recently announced that on Jan. 23 it restored its Learning Lodge online service and related app store, which had remained offline following it learning of the Nov. 14, 2015, attack. VTech says its bulletin boards will be reopened later, but that its PlanetVTech site will not.
VTech is now defending the change to its terms and conditions, with spokeswoman Grace Pang noting that while it's "worked hard" to improve security since the breach, "no company that operates online can provide a 100 percent guarantee that it won't be hacked."
She adds: "The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognize that fact by limiting the company's liability for the acts of third parties such as hackers," noting that "such limitations are commonplace on the Web."
Time for a Boycott?
But multiple security experts continue to question the company's move, noting that VTech was hardly suggesting before its breach that it was 100 percent hack-proof (see Why "Smart" Devices May Not Be Secure). "If VTech thinks that those T&Cs are the answer to their problems, I think they should be given a bigger problem to deal with," Ken Munro, a partner at penetration testing firm Pen Test Partners, tells the BBC. "Boycott them and take your money somewhere else."
Callum Murray, head of commercial technology at law firm Kemp Little, also tells the BBC that VTech's move is legally questionable. "It's unusual to see these terms in consumer contracts, and it's questionable if they would be enforceable," he says.
But is VTech's legalese move "commonplace," as the company suggests? "I don't see this as any different than any other CYA language in response to FTC [U.S. Federal Trade Commission] enforcement actions or lawsuits," the privacy-rights blogger known as Dissent tells me via Twitter (see LifeLock Settles FTC Case for $100 Million).
I really don't get the brouhaha over vTech changing their T&C. So many other companies have already done the same thing over the past 1+ yr.ï¿½ Dissent Doe (@PogoWasRight) February 10, 2016
If VTech's attempt to legally absolve itself from hack attacks is the legal norm, what does that say about the state of our information security, and the security of "smart" products marketed in particular to children?
Enter the EU
Thankfully, help is on the way, at least for Europeans, in the form of the EU's General Data Protection Regulation - GDPR - which is scheduled to take effect in two years. "As of spring 2018 any organization trading in any EU member state - that'll include you, VTech - that collects personal data is legally obliged to properly protect that data," Munro says in a blog post, noting that personal data means any information that could be used to identify a person, including location data, IP addresses and not limited to names. Compliance with the new EU law will be mandatory, and backed by penalties of up to 20 million euros ($22.7 million) or up to 4 percent of a company's annual worldwide profits for the preceding year - whichever is greater.
"VTech, you have two years to get your house in order," Munro says.
This story has been updated to include additional commentary from Munro.