In November 2015 the database of VTech, a global supplier of electronic toys, was hacked. The company admitted that millions of customers’ accounts were affected. On 24 December 2015 VTech issued new terms and conditions that include:
“You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.
“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.
“You acknowledge and agree that your use of the site and any software or firmware downloaded there from is at your own risk.”
This could be ‘translated’ as:
“We have already been hacked; this may happen again (who knows?) and if it does, then don’t blame us.
“We don’t accept any responsibility for our poor cybersecurity.
“We are going to pass all the risks on to you.”
A spokeswoman for VTech actually said:
“Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information.
“But no company that operates online can provide a 100% guarantee that it won’t be hacked.
“The terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company’s liability for the acts of third parties such as hackers.
“Such limitations are commonplace on the web.”
This is clearly an attempt by VTech to limit its legal liability to those affected by any future data security breaches (and perhaps to try to avoid or mitigate any fine imposed by data regulators, such as the ICO). But will it work, and what about the (possibly unforeseen) consequences?
When news of this data security breach first emerged, trading of shares in VTech was suspended, and there can be little doubt that the company has suffered financial and reputational damage. There seems every possibility that changing its T&Cs will only make such matters worse. In any event, are these new T&Cs enforceable? After all, they will form part of a contract between a (very large) business and numerous individuals who are consumers.
Some cybersecurity experts have condemned this move by VTech. Ken Munro from Pen Test Partners said:
“This is an unbelievably arrogant and derogatory response considering their track record with data security,”
“If VTech think that those T&Cs are the answer to their problems I think they should be given a bigger problem to deal with. Boycott them and take your money somewhere else.”
Trend Micro’s Rik Ferguson said the firm’s behaviour was:
“Unforgivable, ignorant and indefensible. Would I advise consumers to avoid an organisation that attempts to take advantage of its customers’ goodwill and to absolve itself of its legal responsibilities with weasel words? Unequivocally, yes.”
All organisations need to be aware that these kinds of cyber-attacks, which are already common, are going to become more and more frequent. There is a legal obligation on organisations to take appropriate measures to prevent data security breaches, including hacking, from happening.
Current EU data protection law (Art. 17 of Directive 95/46/CE) states that the data controller must implement appropriate technical measures to protect personal data; in other words, to prevent hacking. New EU data protection law (Art. 30 of the General Data Protection Regulation) goes further by extending this obligation to data processors (outsourced services).
Organisations should not assume they won’t be hacked, and should plan for such events occurring. Part of this planning should be to think about how they will react to a breach and deal with PR.
Attempting to ‘pass the buck’ onto customers isn’t a smart move.
This article is intended for informational purposes only and should not be relied upon as legal advice.