Friday, 12 February 2016

VTech's new T&C's:families using at 'own risk' ICO says not on my turf!

The UK's data watchdog has said that VTech's new terms and conditions would not absolve it of liability in the case of future hack attacks.
It emerged earlier this week that the toy company had changed its terms to say that families using its software did so at their "own risk".
This prompted a backlash in which some security experts suggested parents should boycott its products.
The UK's Toy Retailers Association has since said VTech remains "reputable".
However, at least two major stores have told the BBC that they are in talks with the Hong Kong-based manufacturer to decide how to proceed.

VTech was alerted to the fact it had been hacked in November when it was contacted by the Motherboard news site.

It later confirmed that more than 6.3 million children's accounts and 4.8 million parent accounts had been compromised.
The company later hired the security firm FireEye and subsequently restored its Learning Lodge app management platform at the end of last month.
But it caused further controversy when it changed its European terms and conditions to state parents must assume "full responsibility" for using its software.
"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties," it added.
"Use of the site and any software or firmware downloaded therefrom is at your own risk."
The firm told the BBC that the move was intended to help protect itself from legal claims.
"The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company's liability for the acts of third parties such as hackers," a spokeswoman explained.
"Such limitations are commonplace on the web."
The terms include the caveat that VTech only absolves itself of responsibility in so far as "applicable laws" allow it to do so.
The Information Commissioner's Office has confirmed that this would not be possible in the UK.
"The law is clear that it is organisations handling people's personal data that are responsible for keeping that data secure," said a spokeswoman.
A data protection specialist added that this would be the case for other EU countries too.
"If VTech did suffer another breach, some people might be dissuaded from bringing a claim because of the terms and conditions, or VTech might be trying to give themselves room to argue that they aren't liable," said Paul Glass from the law firm Taylor Wessing.
"But under European and UK law the obligation is on the company in control of the data to take appropriate steps to protect the information from unauthorised disclosure or access.
"Even if VTech did try and argue that people were contractually prohibited from bringing a claim, it is a difficult position for the firm to take."
Cited and more on this story at BBC News 

No comments:

Post a comment