December 7, 2015

The Vtech Hack: COPPA Meets the Internet of Things

“In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected”

From a FAQ public statement issued on December 3, 2015 by Vtech, a major toy manufacturer.

If you collect and share data relating to children in the United States, you must comply with the Children’s Online Privacy Protection Act (COPPA), and you should be sure you implement proper cybersecurity best practices.

  • The Vtech Data Breach. On November 27, children’s toy manufacturer Vtech announced a data breach, and ultimately confirmed that over 6 million profiles of children – including photographs – were hacked. No company wants to announce a data breach, and the reputational impact is exponentially larger with a toy company holding data relating to children. Even members of Congress have asked Vtech some difficult questions about what happened. Beyond reputation, there is compliance risk: there is a confusing array of data privacy rules in the United States, but the regulations are clear in connection with the collection of data relating to children. The Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA regulations set forth strict and explicit rules relating to the collection and disclosure of personal information relating to children under the age of 13. COPPA covers the data collection and sharing features of the Vtech products. With more information being collected in more ways, more and more companies are at risk of the legal and reputational issues that Vtech is now facing.

  • The Big Data Revolution Is Here. We are in the midst of a data revolution. Individuals are collecting and sharing personal data in ways they never have before. Fitness monitors, home thermostats, watches, even toys are now built with sensors that collect personal data and share this information over the internet to service providers. The potential benefits are incredible – as are the risks of hacking and data breach. The “best practices” applicable to financial and health care data are well known – and enforced by the mosaic of laws and regulations applicable to financial and health information, like the Fair Credit Reporting Act, Gramm-Leach-Bliley, and HIPAA. Outside of the financial and health care contexts, compliance requirements may seem unclear, and many companies may not give appropriate consideration to the importance of good data hygiene, cybersecurity best practices, or appropriate limitations on data collection and data sharing. The risks are particularly relevant as many of these new data collection devices are aimed at children – whether the smart doll, the play computer, or the smart kids’ watch with web-enabled camera.
  • COPPA Restricts Data Collection from Children. COPPA generally prohibits the collection and sharing of personal information relating to children under the age of 13 without the express consent of their parents. The media companies behind children’s music, TV, and gaming are very familiar with the COPPA requirements, and many have built internet presences that require login and prevent prohibited data tracking. Websites and online services are generally exempt from COPPA if they are not “directed to children”, or if they do not have actual knowledge that they are collecting or maintaining personal information from a child, so most “general interest” websites permit various activities that are prohibited on sites targeted at children under 13. However, personal data collected from children is covered by COPPA. Manufacturers of toys that sense and collect data must design their products and services to comply with COPPA, and operators of services targeted at parents and children should be sure that they collect data only in compliance with COPPA.
  • Inadequate Data Protection. Nearly every day there are headlines about data breaches – from Vtech to Target to the White House Personnel Office – and in many cases part of the problem is the lack of appropriate data security measures. The COPPA rules are explicit regarding the collection of personal information, but commentators have suggested that many companies may not be using cybersecurity “best practices” for the protection of data assets. Companies must know precisely what data is collected and why it is collected. But they must also tightly manage how these data assets are protected and maintained. Is the data difficult to access? Is it encrypted? Is there an appropriate “firewall” to deter outside intruders, and are there appropriate protections to prevent internal mistakes or malfeasance? Cybersecurity practices don’t necessarily distinguish between types of data, but the reputational risks certainly are much larger when dealing with children. And a data breach may itself be considered a violation of COPPA, HIPAA, or other applicable data privacy regulations.
  • Some Practical Suggestions
    1. If you are collecting data from or about children, be sure your actions are in compliance with COPPA.
    2. Participate in voluntary compliance programs like the KidSafe seal program. These programs provide positive PR and require management to pay attention to how children’s personal information is collected and maintained. Vtech would likely be better positioned today if they had participated in the KidSafe program.
    3. Consider whether you really need to collect and maintain certain information, as the best way to avoid a data breach is not to have possession of the information in the first place.
    4. The public relations impact can be difficult to control. Protect yourself by implementing best practices regarding the collection and security of data assets – this way, if there is a breach, you will avoid additional negative publicity regarding your failure to implement the cybersecurity best practices common in your industry. And remember that if a data breach relates to children, there will inevitably be a storm of unwanted negative attention.