Electronic Toy Maker Settles with FTC; Agency Continues to Assert Itself on IoT
On January 8, 2018, the Federal Trade Commission (FTC or Commission) announced the settlement of its enforcement action against VTech Electronics and its U.S. subsidiaries (VTech) for violations of the FTC Act and Children’s Online Privacy Protection Act (COPPA) in connection with internet-connected toys. The action, similar to a previous case involving baby monitors, shows that IoT device makers may be at risk of regulatory enforcement, especially where the privacy of children is involved. It also reflects a commitment by the agency’s Acting Chief Technologist Neil Chilson to be engaged in all aspects of innovation.
VTech develops products and services—including portable devices known as “electronic learning products”—that market online games to children between ages three and nine. On these devices, VTech operates an online service called Learning Lodge Navigator, which, similar to an app store, allows customers to download child-directed apps, games, e-books, and other content. One of the apps, Kid Connect, allows children to communicate with other children who have the app, or with adults who download the adult version of the app.
In November 2015, VTech learned that a hacker had accessed its computer network and exfiltrated consumer information, including personal information about the children who used Kid Connect. The hacker remotely accessed VTech’s test and live environments, where VTech stored in clear text, among other things, parents’ full names, mailing addresses, e-mail addresses, secret questions, and children’s usernames. The hacker also accessed a database that included decryption keys for audio files and photos created by children that contain their voices and images.
In its complaint, the FTC alleged that VTech failed to take reasonable and appropriate data security measures in hosting Kid Connect. Specifically, the FTC alleged that VTech failed to:
- Develop, implement, or maintain a comprehensive information security program;
- Implement adequate safeguards and security measures to segment and protect VTech’s live website environment;
- Implement an intrusion prevention or detection system, or similar safeguards, to alert VTech of potentially unauthorized access to its network;
- Implement a tool to monitor for unauthorized attempts to exfiltrate consumers’ personal information across network boundaries;
- Complete its vulnerability and penetration testing, for well-known and reasonably foreseeable vulnerabilities, of environments that could be exploited to gain unauthorized access to consumers’ personal information; and
- Implement reasonable guidance or training for employees regarding data security and safeguarding consumers’ personal information.
The FTC also alleged that VTech failed to provide direct notice of its information collection and use policies. Additionally, it found that Kid Connect, in collecting the personal information of hundreds of thousands of children, failed to provide direct notice to parents or obtain verifiable consent from parents concerning its information collection practices, as required under COPPA.
The settlement comes after a two-year investigation into the data breach. As part of the settlement, VTech will pay $650,000 and implement a comprehensive data security program, which will be subject to independent audits for 20 years.
In a press release, VTech stressed that it has not admitted any violations of law or liability as part of the settlement. The company said that it updated its data security policy and “adopted rigorous measures” to strengthen its protection of consumer data.
This enforcement action shows that federal regulators are continuing to take an aggressive role in criticizing the private sector for inadequate cybersecurity standards after a data breach. Certainly, the sensitivity of the data involved—private information about children—caused increased scrutiny. The private sector, in particular IoT device makers that collect sensitive data, should continue to be prepared for regulatory oversight should that data be compromised.