VTech's clever defence against data breaches - shift liability to the customer
In one of the most bizarre developments in computer security, Chinese toy maker VTech thinks it has invented the perfect solution to the expensive business hazard of data breaches – make them the end user’s problem, not the company’s, using a defensive shield made out of nothing more technical than words.
Only days ago, a sharp-eyed security researcher noticed something extraordinary in paragraph 7 of the company’s latest Terms & Conditions for anyone accessing the Learning Lodge online app store that can be used with its toy products:
“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties. You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk.
“Recognising such, you understand and agree that, to the fullest extent permitted by applicable law, neither VTech or its suppliers […] will be liable to you for any direct, indirect, incidental, special, consequential, punitive, exemplary or other damages of any kind…”
On the face of it, should the site be breached in the future and customer data stolen, the legal liability for this will rest not with the company that failed to secure it, VTech, but the end user. Caveat emptor.
End User License Agreements (EULAs) have long been used by software companies to limit liability for software problems, including those which create security holes but on the face of it VTech is trying to extend this principle to include data loss. Legally, the issue here is liability not moral fault. The T&Cs appear to be trying to shft the liability to the customer because they agreed to use a product in a universe in which their data might be stolen from VTech.
Why is VTech doing this?
On 14 November 2015, toy maker VTech suffered a serious data breach that compromised the personal details of 11.6 million customers, 6.4 million of whom were children. Unencrypted data lost included names, addresses, email addresses, download history and secret security questions. Account passwords had been encrypted but so weakly using the inadequate MD5 hash.
The company suspended the trading of its shares on the Hong Kong Stock Exchange, a drastic and unusual move that underlined the seriousness of events. In an era of almost routine data breaches, the poor security left the firm looking unusually incompetent, complacent and foolish.
Is the move sound?
It is important to distinguish between a company’s legal responsibility to its customers and a company’s responsibilities to local information and regulatory authorities. In both cases, laws vary by country but in the UK the recompense that must be given to end users in the event of a data breach unless are surprisingly vague. As for the UK ICO, it can fine companies up to £500,000 (about $750,000) for breaches of the Data Protection Act (DPA) but rarely does so. Users can always try their luck under civil law, assuming they have plenty of money to fund such a thing.
Overwhelmingly, the financial harm to a breached company comes from any remedial work it has to carry out to alert users, reset accounts, track the source of the breach and put in place new security or credit checking should financial data be lost in countries that require such recompense such as the US.
And the EU General Data Protection Regulation?
In future, this would cause VTech serious problems because the maximum fine for a breach would rise from hundreds of thousands of pounds under national laws to tens of millions. The revised T&Cs make no odds here because the GDPR is an EU-wide legal framework for data protection that isn’t affected by what individuals agree or don’t agree to in such documents. Individually, users would also have the right to ask VTech to remove their data from its database. Failure to do that could increase fines.
Can end users protect themselves?
If they buy the company’s toys then in terms of absoute certainty the only defence is not to use its online services. On the basis of such T&Cs, we suggest it is no longer worth it.
What precedent does this set?
Probably none whatsoever although some will see the action as changing the atmosphere around breaches. On top of the bad publicity after the November data breach, VTech will not get more bad publicity for attempting to shift liability away from itself for security that only it can possibly assess.
The Internet of (insecure) Things
This is where it gets more interesting and troubling. Like a lot of firms that have a foot in tech, VTech fancies itself as a future player in the home security and Internet of Things market, one which depends on competent security surely. It's hard to imagine informed consumers and businesses installing a security system made by a firm that uses these sorts of T&Cs to protect itself. The move communicates the wrong set of values, as if the company doesn’t see any moral obligation to secure the technology it sells.
What does the industry think?
Overwhelming incredulity, starting with the researcher who verified the scale and incompetence of the original November 2015 breach, Troy Hunt.
“The bigger picture here is that companies are building grossly negligent software and then simply not being held accountable when it all goes wrong,” Hunt wrote on VTech’s new T&Cs on 9 February.
Varonis vice president of strategy David Gibson told Computerworld UK by email: “protecting customer, partner and employee data is a business requirement. It’s possible that VTECH may have run afoul of the US’s COPPA [Children's Online Privacy Protection] laws for protecting children’s data. The larger point is that consumers should expect reasonable data security without having to be personally liable.”
Javvad Malik, security advocate at AlienVault:
“This is a bad stance for a company to take. It’s trying to take a completely zero accountability approach to a product they are selling. On top of that, it could potentially set a terrible precedent for other technology companies.
"In today’s digital age, personal data is in some ways worth as much as currency. Imagine if the banks turned around and stated in their terms and conditions that by placing money with them, you lose any expectation that the money will be kept safe because bank robbers may loot the vault. I really hope VTech takes a look at their statement and the data they hold and reconsiders their position on the matter.”
VTech shifts data breach liability to customers - the bottom line
In computer security moral hazard always lies with the maker not the consumer, no matter what the law demands. VTech needs to understand that security tech products is about reputation and not simply legality.