VTech operates Learning Lodge, an online platform of child-directed apps and games; the Kid Connect app, through which children can send text messages, audio files, and photos to parent-approved contacts; and Planet VTech, a web-based gaming and chat platform. The FTC alleged that, as of November 2015, parents had to register before using these apps and games by submitting personal information including name, address, email, password, child’s name, child’s birthday, child’s gender, profile photos, and more. Over 2 million parents registered and created accounts for almost 3 million children.
In November 2015, a hacker gained access to VTech’s computer network through a test environment, traversed to the live system, and exfiltrated personal information of consumers, including children, in clear, readable text. Though passwords and children’s photos and audio files were stored in an encrypted format, the hacker gained access to a database including decryption keys. Because children’s accounts were linked to their parents’ accounts, hackers also had the ability to combine information, such as linking a child’s profile photo to their parent’s home address.
The FTC also considered VTech’s data security practices insufficient. The complaint alleges that VTech failed to (1) maintain a comprehensive information security program; (2) segment and protect its live website environment from its test environment; (3) implement tools to detect intrusions or unauthorized attempts to exfiltrate personal information; (4) complete vulnerability and penetration testing; and (5) provide data security guidance or training to employees.
Section 5 Violations
Takeaways from this Settlement
- Violations add up. A large number of seemingly small violations, when viewed together, may be enough for a very large penalty under COPPA.
- The FTC continues to be serious about security, particularly in the wake of its 2017 “Start with Security” blog series.
- The Commission seemed particularly concerned that VTech’s violations only came to light after a breach, and that the company learned about the breach from a reporter, rather than through its own monitoring. Thus, it is critical for companies to implement and maintain internal security programs and monitoring and detection systems.
ZwillGen attorneys Stacey Brandenburg and Kandi Parsons will discuss the VTech case and other notable FTC cases and guidance from the past year in a webinar on Wednesday, January 17th from 1:00 – 2:00 PM EST.