Following the data breach of toy maker, VTech, last year, the company is now trying to embed data breach acceptance in its Terms and Conditions. More than 6.3 million children’s accounts were affected by last year’s breach, which gave the perpetrator access to photos and chat logs. VTech’s new terms and conditions state that parents must assume responsibility for future breaches. Security experts from Lieberman software, Blancco Technology Group and ESET have the following comments on it.
[su_note note_color=”#ffffcc” text_color=”#00000″]Pat Clawson, CEO of the Blancco Technology Group :
“When a data breach happens, most companies will make modifications to their Terms and Conditions. But what VTech is doing is a perfect illustration of what companies should not do – putting the burden of responsibility on the users, instead of the company itself. It’s not only a bad business practice, but it’s also taking the implied stance that as a company, VTech doesn’t understand the importance of managing data holistically across the entire lifecycle. Based on the change VTech made to its T&C, I would proffer that the company’s internal IT staff view data in terms of its position within physical assets, such as a website, a computer, a server or a mobile device.
Their entire business model is based on selling their core product – electronic learning toys for children. And parents are the ones with the income to buy VTech products for their children. What parent would feel even remotely comfortable buying a toy from a company that blatantly and unapologetically tells them they shouldn’t have any expectation of privacy? They are going to have a very difficult time scaling their business with these updated terms and conditions.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Jonathan Sander, VP of Product Strategy at Lieberman Software:
“It’s only a matter of time before every online business has T&Cs attempting to limit their liability in the case of cybercrime. This kind of avoidance language is all around us. When you park your car in the city, there’s a sign saying they aren’t responsible if someone steals something. When you leave your valuables in a gym locker, there is a notice that it’s at your own risk. It’s natural that when you put your information into a website or data in the cloud that they will hang up a sign telling you criminals may attempt – and succeed – to take it.
As the money associated with online crime grows both in the form of rewards criminals can reap and premiums insurance firms insuring against those losses, you will see lawyers crafting ever more creative and complex terms to protect their clients from liability associated with data breach. The key is how well they will work to protect you while you use their online service and how well you will protect yourself. The number one piece of advice for people exposing their information online is to read the terms and conditions of that use carefully. Make sure that they are taking reasonable measures to protect it. Or, if you’re not going to sit and read the dozens of pages of legal language, make sure you minimize the exposure of your information. Does this site really need your real date of birth – or just one that says you’re old enough? Do you maintain a few different email addresses so you can use them at different services? Can you use a super complex password unique to this site and just let the browser remember it for you?”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Mark James, Security Specialist at IT Security Firm ESET :
“Every company has a responsibility to protect the data they harvest while you use their products. I agree with VTech that no company can protect 100% against the possibility of being hacked, but taking sufficient precautions and ensuring a good level of security is maintained should be the fundamentals of any policy where users private data is being held.
To shift ownership over to the users is bad enough in it itself but to make it known through walls of text in T&Cs or EULAs is a bad way to do it, no one honestly reads it, especially a parent trying to setup something for their children. Can you imagine telling your 3 year old that they need to wait a little longer while you read, digest and decide if you want to keep the toy based on the terms and conditions?
Our minors’ data should be ultra-important for any organisation and protecting that should be their number one priority. If voting with your feet is the best way to make them understand then maybe that’s the right thing to do. It’s our data but more importantly it’s the data of our possible future leaders that’s at stake here, we must take it very seriously indeed.[/su_note]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.