VTech, the maker of smart toys whose poor security practices exposed data from millions of parents and children, was penalized by the FTC with a $650,000 fine and probation. This seems like a slight penalty for such a multifaceted failure affecting so many people.
The Hong Kong company manufactured a variety of "smart" toys, such as watches and cameras, and parents and children were encouraged to create profiles on the VTech website with photos and personal details. In November 2015, a security researcher discovered that millions of these profiles could be viewed through one of the company's websites.
The number of affected parents and children is difficult to estimate, but at the time, nearly 5 million parent records and 227,000 child records were available. However, the FTC, in the summary of its investigation, notes:
… about 2.25 million parents were enrolled and had created accounts with Learning Lodge for nearly 3 million kids. This included about 638,000 Kid Connect kid accounts. In addition, approximately 134,000 parents in the United States created Planet VTech accounts for 130,000 children in November 2015 …
And the Office of the Privacy Commissioner of Canada writes that "more than 500,000 Canadian children and their parents" have been affected. In any case, the total number is certainly in the millions.
The FTC announced today the results of its investigation, namely that VTech violated US law in two ways and failed to secure its data both as promised and as required. Its punishment: pay $650,000 and never do it again. The Canadian OPC seems to have imposed no penalty (I asked for details).
This is not a hefty fine for a company that sold millions of devices, and it could encourage others to weigh the cost of true security against the risk of being caught and fined. It seems unlikely that parents and children whose data was exposed by the extremely irresponsible actions of a global company will find this settlement satisfactory, however logical it appears to the FTC.
It should also be noted that this is the agency that will be responsible for enforcing some of our new, much-reduced net neutrality rules. If gross negligence and violations affecting millions, including children, bring only a minor fine and a warning like this, two years after the fact at that, what hope do we have that the FTC will act as an effective deterrent against the subtler abuses, by much richer companies, that net neutrality protected people against?
You can read the full text of the rules here (PDF).