VTech settlement cautions companies to keep COPPA-covered data secure

Share This Page

We can’t guarantee its effectiveness in getting kids to eat their vegetables or finish their homework. But there’s one circumstance in which a Mom or Dad’s “Because I said so . . . .” is the law of the land. When it comes to the online collection of personal information from kids under 13, the Children’s Online Privacy Protection Rule (COPPA) puts parents in charge.

An FTC lawsuit against VTech, a big name in electronic learning products for the Swingset Set, alleges that the company violated COPPA and the FTC Act by, among other things, failing to take reasonable steps to protect sensitive data collected from children. A particular concern in this case – the FTCs first dealing with connected toys – is the allegation that VTech’s violations came to light only after a hacker stole personal information about kids and parents who used the company’s products.

First, some background. VTech operates Learning Lodge, an online platform that lets customers download child-directed apps, games, e-books, etc., onto their VTech connected devices. More than 2 million parents have created Learning Lodge accounts for close to 3 million kids. One popular app is Kid Connect, which allows children to send text messages, audio files, photos, etc., to contacts approved by Mom or Dad. Once registered, kids also can post messages on an electronic bulletin board accessible to people on the parent-OKed contact list.

From at least July 2013 to November 2015, if a child wanted to use Kid Connect, a parent had to sign up on Learning Lodge. Registration required lots of personal information: the parent’s full name, physical address, email, password, and a secret Q&A for password retrieval, as well as the child’s name, date and year of birth, and gender. Parents could then set up a Kid Connect account by submitting an email address, a parent’s username and password, a child’s username, and a profile photo of both the parent and the child. (In addition, VTech offered a web-based platform called Planet VTech. It required parents to submit a substantial amount of personal information, too, including the child’s first name, login name, password, and full date of birth.)

Where does the FTC allege VTech went wrong? First, VTech’s Privacy Policy said that when parents input personal information as part of the registration process for Learning Lodge, Kid Connect, or Planet VTech, “in most cases” that information “will be transmitted encrypted to protect your privacy using HTTPS encryption technology.” But according to the FTC, the data wasn’t encrypted, rendering VTech’s claim false under the FTC Act.

The complaint also charges VTech with violating specific COPPA provisions. According to the FTC, VTech failed to provide sufficient notice on its website about the information it collects from children, how it uses that information, and its disclosure practices. In addition, VTech failed to provide direct notice of its policies to parents.

The lawsuit also alleges that when people set up a Kid Connect account, VTech didn’t have a COPPA-compliant mechanism in place to verify that the person registering the account was a parent and not a child.

Finally, Section 312.8 of the Rule requires COPPA-covered companies like VTech to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” However, in this case, a hacker was able to remotely access VTech’s test environment and from there gained entry into the live site. That’s where the hacker grabbed parents’ full names, addresses, email addresses, secret questions, and children’s usernames – all of which was stored in clear, readable text. Although VTech stored passwords and children’s photos and audio files in an encrypted format, a database accessed by the hacker included the decryption keys for photos and audio.

What’s more, the FTC says the information was stored so that kids’ information was linked to their parents’ information. For example, that meant that if a child had submitted a photo through Kid Connect, the hacker could have found that photo, along with the child’s home address. According to the complaint, VTech didn’t know that personal information had been copied from its network until the company was contacted by a journalist.

In addition to a $650,000 civil penalty, the proposed settlement includes procedures to ensure future COPPA compliance. One notable provision: a comprehensive data security program subject to independent every-other-year audits for the next 20 years.

Cases are fact-specific, of course, but it’s worth taking a look at where the FTC alleges that VTech’s security practices fell short. Each of the complaint allegations points to an established security principle that COPPA-covered companies – and other businesses – should consider in evaluating their own procedures.

  • The complaint alleges that VTech failed to develop, implement, and maintain a comprehensive information security program. If your company’s program is stashed away in a file somewhere, remember that COPPA makes security a “living” process. It could be time to revisit your program in light of changes to your business and the evolving threat landscape.
  • The complaint alleges that VTech failed to implement adequate measures to segment and protect its live website from the test environment. That concern should sound familiar to businesses that have been following the FTC’s Start with Security and Stick with Security initiatives. Effective network segmentation could help stop an “oops” from developing into a full-blown “uh-oh.”
  • The complaint alleges that VTech failed to have an intrusion detection system. If the burglar alarm went off at your home or workplace, you’d switch into high alert. For years now, FTC cases and guidance to businesses suggest a similar response to unauthorized network access. Careful companies have a system in place to warn them about digital trespassers.
  • The complaint alleges that VTech failed to monitor unauthorized attempts to exfiltrate personal information. Would you know if an intruder was attempting a grab-and-go on your network? There are tools that can alert you when someone is trying to transfer large amounts of data.
  • The complaint alleges that VTech failed to complete vulnerability and penetration testing to see how its network could stand up to well-known vulnerabilities like SQL injection. There’s no way to make a network 100% hack-proof, but as Start with Security and Stick with Security suggest, there are step you can take to protect sensitive data from oldies-but-baddies like SQL injection attacks.
  • The complaint alleges that VTech failed to implement reasonable guidance or training for its employees. Security-conscious companies have a secret weapon in the fight to safeguard sensitive data: a well-trained workforce. Whether or not your company is covered by COPPA, have you incorporated security throughout your business? Are your employees clear on your expectations?

The FTC has resources to streamline your data security and COPPA compliance efforts. Is time at a premium? Set aside a few minutes a day to watch one of our videos for businesses.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.