VTech says parents are responsible for hacks

Electronic toys maker VTech has recently been a victim of a cyber-attack, which has seen the data of more than 6.3 million children exposed. The hackers got access to chat logs and photos.

Following the breach, VTech has updated its End User License Agreement, saying the company can’t provide a 100 per cent guarantee that it won't be hacked. It also shifts the responsibility back to the parents:

"You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.

"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.

"You acknowledge and agree that your use of the site and any software or firmware downloaded there from is at your own risk."

Commenting on the move, security expert Jonathan Lieberman, VP of Product Strategy at Lieberman Software says:

“It’s only a matter of time before every online business has T&Cs attempting to limit their liability in the case of cybercrime. This kind of avoidance language is all around us. When you park your car in the city, there’s a sign saying they aren’t responsible if someone steals something. When you leave your valuables in a gym locker, there is a notice that it’s at your own risk. It’s natural that when you put your information into a website or data in the cloud that they will hang up a sign telling you criminals may attempt – and succeed – to take it.”

Minimise exposure

“As the money associated with online crime grows both in the form of rewards criminals can reap and premiums insurance firms insuring against those losses, you will see lawyers crafting ever more creative and complex terms to protect their clients from liability associated with data breach. The key is how well they will work to protect you while you use their online service and how well you will protect yourself.”

He advises parents to read the terms and conditions carefully, and see if the company is taking reasonable measures to protect the data. If you can’t sit through countless pages of legal language, limit the exposure of your information.

Mark James, Security Specialist at ESET said:

“Every company has a responsibility to protect the data they harvest while you use their products. I agree with VTech that no company can protect 100% against the possibility of being hacked, but taking sufficient precautions and ensuring a good level of security is maintained should be the fundamentals of any policy where user’s private data is being held.

Wrong move

To shift ownership over to the users is bad enough in it itself but to make it known through walls of text in T&Cs or EULAs is a bad way to do it, no one honestly reads it, especially a parent trying to setup something for their children. Can you imagine telling your 3-year-old that they need to wait a little longer while you read, digest and decide if you want to keep the toy based on the terms and conditions?

Our minors’ data should be ultra-important for any organisation and protecting that should be their number one priority. If voting with your feet is the best way to make them understand then maybe that’s the right thing to do. It’s our data but more importantly it’s the data of our possible future leaders that’s at stake here, we must take it very seriously indeed.”