On January 8, 2018, VTech Electronics Limited (VTech) agreed to settle charges brought by the Federal Trade Commission (FTC) that the company violated U.S. children’s privacy law. As part of the settlement, VTech agreed to pay a $650,000 civil penalty, refrain from further violation of the law, and implement a comprehensive data security compliance program. This is the FTC’s first children’s privacy case involving internet-connected toys, but as we have highlighted in our previous blog on the topic, the FTC is aware of the privacy issues related to these types of toys and will surely pursue more of these cases in the future. Therefore, examining this case will be useful for COPPA-covered companies.
In the VTech complaint, the FTC alleged that the Kid Connect app used with VTech toys collected personal information from children without providing direct notice to parents about VTech’s information collection practices or obtaining verifiable parental consent. Both direct notice and verifiable consent are required by the Children’s Online Privacy Protection Act (COPPA). The FTC further alleged that VTech failed to use reasonable and appropriate data security measures to protect the personal information it gathered. Specifically, the company did not take steps such as implementing an intrusion prevention or detection system to alert it to unauthorized access. These violations came to light during the FTC’s investigation into a 2015 data breach of VTech’s system that exposed the personal data of parents and children using the Kid Connect app.
As is common in FTC cases, the settlement with VTech involves both a monetary judgment and corrective tasks. First, VTech is required to pay a $650,000 civil penalty to the United States government. In addition, VTech is permanently prohibited from violating COPPA and from misrepresenting its security and privacy practices. VTech also must implement a comprehensive data security program that will be subject to independent audits for the next twenty years.
6 Lessons For Internet-Connected Toy Businesses About Data Security Compliance
Companies can learn from the mistakes made by VTech to ensure they do not encounter similar problems in the future. The FTC highlighted these mistakes, and the corresponding lessons to learn from them, as follows:
- The complaint alleges that VTech failed to develop, implement, and maintain a comprehensive information security program. Maintaining an information security program is an ongoing process. It is not something that you complete and forget about. The program must be reviewed and updated on a regular basis.
- The complaint alleges that VTech failed to implement adequate measures to segment and protect its live website from the test environment. The FTC addressed this issue in its Start with Security and Stick with Security initiatives. Companies should always strive to implement effective network segmentation.
- The complaint alleges that VTech failed to have an intrusion detection system. Companies should implement an intrusion detection system to promptly detect and respond to threats. The FTC has routinely suggested that companies implement such a system.
- The complaint alleges that VTech failed to monitor unauthorized attempts to exfiltrate personal information. Monitoring your system is a crucial component of protecting personal information. Knowing that someone is trying to remove large amounts of data from your system allows you to take the steps necessary to protect that data.
- The complaint alleges that VTech failed to complete vulnerability and penetration testing to see how its network could stand up to well-known vulnerabilities like SQL injection. The FTC suggested that companies use vulnerability and penetration testing to protect sensitive data in its Start with Security and Stick with Security guides. Testing your systems will allow you to address vulnerabilities before you suffer a data breach.
- The complaint alleges that VTech failed to implement reasonable guidance or training for its employees. Training your employees in proper data security is one of the most important steps that a business can take to protect sensitive data.
Additionally, as we wrote back in July, the FTC has provided a 6-Step COPPA Compliance Plan that all COPPA-covered businesses should consult.
The case against VTech was the first of its kind for the FTC, but certainly won’t be its last. Companies that are subject to the requirements of COPPA should learn from this case to better position themselves for the future. If you have any questions regarding COPPA compliance, or any data privacy and security matter, please contact Tim Hayes, data privacy and security attorney at McKenna Storer.
If you found this information helpful, you may also find other helpful Privacy and Data Security articles by our attorneys.