The fine that VTech must pay for the VTech data breach is similar to the $700,000 fine handed to the Hilton hotel chain for a similar incident. In that case, personal information such as credit card numbers was exposed. Vtech’s poor security practices led to the release of personal information. Their privacy policy stated that all information would be encrypted and secure, which was a lie. The company must now implement a comprehensive data security program to avoid being liable for similar issues in the future.
Settlement with FTC
A recent VTech data breach has put millions of children and adults at risk of identity theft. The cybersecurity breach exposed the personal information of 4.9 million adults and parents who registered their children to use the VTech digital toys. The company violated the federal Children’s Online Privacy Protection Act (COPPA) by failing to provide direct notice and obtain verifiable consent before collecting personal information from children. VTech collected personal data from parents via two online platforms: Learning Lodge Navigator and Planet VTech.
The company admitted to collecting the information on more than 500,000 Canadian children. It also failed to implement reasonable security measures for the information of more than 179,000 children worldwide. While the FTC’s fine was relatively small in comparison to the millions of devices the company sells, it’s unlikely to satisfy many parents or children. It may also encourage other companies to compromise security. A settlement of this size may not be enough to reassure children and parents, but it’s a start.
Steptoe’s win
In a victory for children’s privacy, Steptoe has won a class action lawsuit filed against VTech North America LLC for its data breach. The case arose out of a 2015 data breach, which compromised the personal information of 11 million children and adults. In the lawsuit, the DOJ and FTC alleged that VTech failed to protect the privacy of its customers and failed to notify affected users of the breach. The FTC also accused VTech of violating the Children’s Online Privacy Protection Act.
The fine was equal to the $700,000 that Hilton was recently fined for a similar data breach. Moreover, the fine imposes probation for Vtech, which has now agreed to pay a $650,000 fine. The settlement agreement makes it clear that the company has obligations to protect the privacy of its customers. Steptoe’s win in the VTech data breach lawsuit highlights the importance of implementing robust data security policies.
Class action lawsuit dismissal
The Illinois federal judge dismissed the VTech Data Breach class action lawsuit dismissing it on several grounds, including that the plaintiffs failed to establish standing, fail to state a plausible risk of injury, and failed to allege that the hacker intentionally disseminated the information to children or predators. The court held that the plaintiffs did not prove that the hacking caused any harm to children or the public and that their damages should be measured on the value of their purchases.
The judge rejected the plaintiffs’ claims in Counts I and II of their VTech Data Breach class action lawsuit, citing that their allegations were not supported by the law and that they were based on faulty security measures. The court also found that the plaintiffs failed to adequately identify third-party beneficiaries of the breach, stating that such an agreement would not prevent the breach from occurring. The court noted that the plaintiffs could amend their complaint, but it would be futile to do so because they did not identify any other parties that might have been affected by the breach.
Violations of Children’s Online Privacy Protection Act
The Federal Trade Commission is looking into possible violations of the Children’s Online Privacy Protection Act. In May of 2019, senators Markey (D-Mass) and Mark Zuckerberg (D-N.Y.) sent letters to the FTC requesting that the agency investigate the practice. They noted that the companies violated the law when they illegally collected children’s personal information and used it to target ads on their sites.
The bill comes after the FTC announced settlements with three Web operators who collected personal information about children under the age of 13 without parental consent. Each operator agreed to pay a total of $100,000 in civil penalties and will comply with COPPA moving forward. They must also delete all personal information they have collected online since the Rule went into effect. The FTC has also imposed a moratorium on collecting personal information from children under the age of 13 until the companies can comply with the law.
Breach of contract with plaintiffs
The federal judge in the VTech Data Breach lawsuit dismissed the plaintiffs’ claims for breach of contract because the plaintiffs failed to demonstrate that they understood the allocation of their purchase price to protect their personal information. The plaintiffs also failed to state their claims for breach of contract, and the judge cited the failure to state a claim as a pretext for dismissing the case. The online services specifically state that they are intended for use by adults.
The plaintiffs’ allegations of breach of contract are somewhat weak, however. They allege that VTech represented its products as “child-safe” when they did not know that they were storing personal data. They also allege that the company failed to implement basic cybersecurity measures. The judge does not accept this allegation, however, because the plaintiffs have not identified a federal law and do not assert a nationwide class. Plaintiffs argue that VTech’s argument regarding national class certification is premature.
