In the wake of a massive user data breach that exposed parents and their children, Hong Kong-based toy manufacturer VTech has come under scrutiny for changes to its security policy documents. The new stance goes against the basic principles of data protection law in the UK, according to renowned global legal outfit Cooley LLP.
Extreme changes to VTech's End User Licence Agreement (EULA) effectively shifted the liability of any future data breach directly onto its customers by making all users agree to assume full responsibility for using its software.
"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties. You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk," the updated terms state.
This stance, according to the legal experts, does not comply with UK law. "Apart from being a bit mean, it goes against the basic principles of data protection and consumer law in the UK," wrote Cooley LLP in a statement. "The Data Protection Directive places obligations on the data controllers and processors to take appropriate steps to protect the information from unauthorised disclosure or access; the burden is not on the data subject.
"Organisations need to take care when drafting EULA and similar terms; blanket exclusions of liability which place unfair burdens on the consumer are likely to be seen as illegal and unenforceable and could have serious repercussions."
The toy company in question was hit with a major data breach in November 2015 that resulted in more than six million personal accounts of parents and children being compromised. The hackers were able to easily gain access to chat logs, audio files and even stored photographs from an internal database.
GDPR rapidly incoming
Furthermore, with the updated General Data Protection Regulation (GDPR) on the horizon, firms like VTech will soon have a financial incentive to protect customer details, as failure to do so will result in heavy penalties.
"It is unclear whether there will be formal consequences for VTech, but if they do not change the wording, they could come under further scrutiny," warned the law firm.
"Currently, the Information Commissioner's Office (ICO) can impose limited fines. However, under the upcoming General Data Protection Regulation, the maximum fine for a breach of data protection law would rise to up to 4% of a company's worldwide turnover."
The EU-backed GDPR achieved final approval in January this year after a significant two-year drafting process and will enforce changes regarding data breach notification times, privacy rules for business and, most controversially, the structure of how much infringements will cost. The law takes full effect in 2017, giving firms until then to bulk up security and ensure they can meet the demanded requirements.