VTech will pay $650,000 to the Federal Trade Commission in a settlement over deception, privacy & security.

Remember that toy company that got hacked and allowed attackers access to pictures, chats and more from more than 6 million children?

That was VTech, and today the Federal Trade Commission said the company is paying a fine for failing parents on privacy and security.

VTech must pay $650,000 to settle claims that it collected personal info from hundreds of thousands of children, but did not give parents direct notice or get their verifiable consent.

The FTC also said VTech told parents it encrypted — or scrambled — personal information to keep attackers from using it against you, but did not actually do so.

And it said the company did not use ”reasonable and appropriate” data security steps to protect kids’ info.

VTech will have to start using a strong security program and report back regularly to the FTC.

“It is good to see the FTC take a stand and hold companies accountable for protecting the personally identifiable information of their customers,” Michael Patterson, CEO of cybersecurity company Plixer told Archer News. 

Child plays with VTech toys in promotional image. Image credit: VTech

VTech responds

 “Following the cyber attack incident, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers’ data. We also took steps to address the technical notice and consent issues under COPPA,” said Allan Wong, chairman and group CEO of VTech Holdings Limited, in the release.

‘Nice to have’

Some hope this lawsuit and fine will help keep toys safer in the future.

“Hopefully, down the line, people who want to bring these kinds of things to market will see that they have serious obligations to their customers,” said Michael Kaiser, executive director of the National Cyber Security Alliance, in an interview.

However, toy makers may have other priorities. Like money.

“When you’re trying to get a return on your investment and you want to get a device to market very quickly, security usually comes as an afterthought, or as a ‘nice to have,’ not a ‘need to have,’” said Travis Smith with cybersecurity company Tripwire.

The settlement could put pressure on toy makers in a new way, he added.

“But when you have actual monetary repercussions from not implementing security, that’s going to make it not a ‘nice to have,’ but a ‘need to have,’” Smith said to Archer News.

Big hack

The hack happened in 2015.

VTech made some parents even angrier when it changed its terms of service after the hack.

Customers posted the new terms on social media, which required parents to agree that their information could be stolen.

“YOU ACKNOWLEDGE AND AGREE THAT ANY INFORMATION YOU SEND OR RECEIVE DURING YOUR USE OF THE SITE MAY NOT BE SECURE AND MAY BE INTERCEPTED OR LATER ACQUIRED BY UNAUTHORIZED PARTIES,” the post said.

“All because YOU got hacked I’m suppose to give your company permission to allow my childs info to be out there. Are you nuts?” asked an angry Maryland mom on the company’s Facebook page.

“I mean seriously?” she continued. “I am in no way okay with that! SO IF your hacked again its OUR fault our childs info gets out there & not yours? Way to go Vtech,you’ve lost a customer…”

But some say other parents may not be concerned about the hack, the risks and how toy companies use or protect their children’s data.

“I wouldn’t expect the average parent to even know that something like this went down, honestly,” said Smith. “The average parent isn’t going to really know or frankly really even care that stuff like this is happening.”

Change is coming

For parents who do care about their children’s personal information, take heart.

A new law in Europe could change the way companies do business in the U.S.

The General Data Protection Regulation in the European Union requires companies to do more to protect people’s data and privacy.

“In addition to requiring individual consent to collect personal data, enterprises will need to post clear and visible privacy policies, communicate breaches within 72 hours, and provide an easy-to-use mechanism to report data upon consumer request,” Chris Olson, CEO of The Media Trust, told Archer News.

Toy makers who sell in Europe will have to follow the rules, but it could have effects worldwide. 

That could make it easier for you to stay informed about your kids’ privacy and security

“People can opt into whatever they want. But it has to be clear what they’re opting into,” said Kaiser. “That’s clearly what VTech didn’t do.”