VTech, the Hong Kong-based maker of kids’ toys, among other items (like phones), has a truly novel solution to the whole cyber security problem. I am not sure why no one has come up with this as a solution before.
As a reminder, in November of last year VTech announced a breach involving their Internet-connected kids’ toys. The toy maker encourages kids to sign up at VTech’s online properties, download apps and socially engage with other VTech (children) customers. Since they are under 13, their parents have to be involved as well.
The result was that about 7 million kids had their information compromised, as well as millions of adults. Information taken includes names and addresses as well as secret questions (which are likely reused at other sites and tied to that person’s name and address), kids’ birth dates and other information.
So what is their novel answer?
Change the terms and conditions that no one reads to say that you acknowledge that information that you give them may not be secure and may be “acquired” by hackers.
Needless to say, this doesn’t solve any problem and likely doesn’t protect VTech, but more about that later.
What this does do for VTech is give them lots of media attention along with suggestions that parents don’t buy their products. Certainly, there is some truth to the statement that voting with your pocketbook is something that companies understand.
Here is one thing for them to consider: there are laws in many countries, including the U.S., that require companies that collect non-public personal information to protect it. Adding a sentence to your user agreement does not absolve you from liability under those laws.
Also, the E.U.’s General Data Protection Regulation, recently approved and coming into force in early 2018, gives VTech a strong incentive NOT to use this strategy. Penalties under the GDPR for failing to protect consumers’ information, including things like location data and IP address, are up to 20 million Euros or 4% of a company’s annual revenue, whichever is GREATER.
So companies that think that changing their terms is a solution to their cyber security problems probably should reconsider that.