VTech’s ‘zero accountability clause’ for hacked or lost data on Learning Lodge app store won’t put it above the law, experts say

Educational toymaker was left reeling by the biggest hacking attack of the year in Hong Kong in November, but the company’s under-the-radar move to rewrite its terms and conditions may not help it escape liability in the future

PUBLISHED: Friday, 12 February, 2016, 5:42pm
UPDATED: Friday, 12 February, 2016, 7:32pm

Efforts by Hong Kong-listed educational toy maker VTech to skirt responsibility for future security breaches cannot override existing data-protection laws around the world, according to experts.

VTech, which was hit by a massive hack in November that left more than six million children’s profiles exposed, has changed the terms of service for its online application store, Learning Lodge, to state that the company would not be liable for “damages of any kind” resulting from the “unauthorised access or alteration or destruction or deletion” of a user’s transmissions, data or device.

“This sets a bad example,” Paul Haswell, a partner at international law firm Pinsent Masons, told the South China Morning Post.

“Instead of working to resolve the underlying problem that data is not secure, this organisation tells customers: ‘Hey, we won’t protect your data properly. But that’s your problem for using our service’.”

The amendments to the app store’s terms of service were reportedly made in December, a month after the security breach occurred.

The VTech security breach compromised 4.8 million parent accounts and 6.4 million related children’s profiles on the company’s Learning Lodge app store customer database and Kid Connect servers. It also prompted pundits to urge companies in Hong Kong to step up their cyber defences.

Also affected were 235,708 parent and 227,705 children’s accounts at the company’s Planet VTech online games platform.

“VTech can include any terms and conditions they wish, including ones absolving them of responsibility for lost data, but that does not mean those will be effective,” Haswell said.

He pointed out that VTech “will still be subject to data-protection laws and regulations worldwide, which in many cases may extinguish any protection these new terms seek to provide”.

Britain’s data-protection watchdog, the Information Commissioner’s Office, also confirmed that VTech’s updated terms and conditions would not absolve the company of liability for future cybersecurity incidents, a BBC report said.

“The law is clear that it is organisations handling people’s personal data that are responsible for keeping that data secure,” a spokeswoman said.

A spokesman for VTech could not be reached, despite inquiries made this week.

Of the children’s profiles exposed by the VTech hack last year, 2.9 million were from the United States and 1.2 million from France. Other countries with affected customers included Britain, Germany, Canada, Spain, Belgium, the Netherlands, Denmark, Australia and New Zealand.

It marked the biggest corporate cybersecurity breach in Hong Kong since 2011. It also ranks as the largest known targeted hack on children’s data worldwide.

“After the cyberattack, we have focused on further strengthening security around user registration information and other services within Learning Lodge,” VTech chairman and chief executive Allan Wong Chi-yun said last month as the company resumed its app store’s operation.

Sydney-based security expert Troy Hunt, who was first to blog this week about VTech’s updated terms and conditions, pointed out that its “zero accountability clause” did not inspire confidence.

“There are very few absolutes in security and there always remains some sliver of a risk that things will go wrong, but even then ... the organisation involved has to take responsibility,” Hunt wrote.

Hong Kong’s longstanding reputation as a major business centre and global financial hub could also be damaged by VTech’s bold disclaimer, according to Michael Gazeley, the managing director at security company Network Box.

“Cyber-security isn’t something which can be sidelined,” Gazeley said.