In one of the most bizarre developments in computer security, Chinese toy maker VTech thinks it has invented the perfect solution to the expensive business hazard of data breaches - make them the end user's problem, not the company's, using a defensive shield made out of nothing more technical than words.
Only days ago, a sharp-eyed security researcher noticed something extraordinary in paragraph 7 of the company's latest Terms & Conditions for anyone accessing the Learning Lodge online app store that can be used with its toy products:
"You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties. You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk.
"Recognising such, you understand and agree that, to the fullest extent permitted by applicable law, neither VTech or its suppliers [...] will be liable to you for any direct, indirect, incidental, special, consequential, punitive, exemplary or other damages of any kind..."
On the face of it, should the site be breached in the future and customer data stolen, the legal liability for this will rest not with the company that failed to secure it, VTech, but the end user. Caveat emptor.
End User License Agreements (EULAs) have long been used by software companies to limit liability for software problems, including those which create security holes, but on the face of it VTech is trying to extend this principle to include data loss. Legally, the issue here is liability, not moral fault. The T&Cs appear to be trying to shift the liability to the customer because they agreed to use a product in a universe in which their data might be stolen from VTech.
Why is VTech doing this?
On 14 November 2015, toy maker VTech suffered a serious data breach that compromised the personal details of 11.6 million customers, 6.4 million of whom were children. Unencrypted data lost included names, addresses, email addresses, download history and secret security questions. Account passwords had been hashed, but only with the weak and inadequate MD5 algorithm.
The company suspended the trading of its shares on the Hong Kong Stock Exchange, a drastic and unusual move that underlined the seriousness of events. In an era of almost routine data breaches, the poor security left the firm looking unusually incompetent, complacent and foolish.
Is the move sound?
It is important to distinguish between a company's legal responsibility to its customers and a company's responsibilities to local information and regulatory authorities. In both cases, laws vary by country, but in the UK the rules on what recompense must be given to end users in the event of a data breach are surprisingly vague. As for the UK ICO, it can fine companies up to £500,000 (about $750,000) for breaches of the Data Protection Act (DPA) but rarely does so. Users can always try their luck under civil law, assuming they have plenty of money to fund such a thing.