Overwhelmingly, the financial harm to a breached company comes from the remedial work it has to carry out: alerting users, resetting accounts, tracking the source of the breach, putting new security in place and, in countries such as the US that require such recompense, paying for credit checking should financial data be lost.
And the EU General Data Protection Regulation?
In the future, this would cause VTech serious problems because the maximum fine for a breach would rise from hundreds of thousands of pounds under national laws to tens of millions. The revised T&Cs make no difference here because the GDPR is an EU-wide legal framework for data protection that isn't affected by what individuals agree or don't agree to in such documents. Individually, users would also have the right to ask VTech to remove their data from its database. Failure to do so could increase fines.
Can end users protect themselves?
If they buy the company's toys, then in terms of absolute certainty the only defence is not to use its online services. On the basis of such T&Cs, we suggest it is no longer worth it.
What precedent does this set?
Probably none whatsoever, although some will see the action as changing the atmosphere around breaches. On top of the bad publicity after the November data breach, VTech will now get more bad publicity for attempting to shift liability away from itself for security that only it can possibly assess.
The Internet of (insecure) Things
This is where it gets more interesting and troubling. Like a lot of firms with a foot in tech, VTech fancies itself as a future player in the home security and Internet of Things market, a market that surely depends on competent security. It's hard to imagine informed consumers and businesses installing a security system made by a firm that uses these sorts of T&Cs to protect itself. The move communicates the wrong set of values, as if the company doesn't see any moral obligation to secure the technology it sells.
What does the industry think?
Overwhelming incredulity, starting with the researcher who verified the scale and incompetence of the original November 2015 breach, Troy Hunt.
"The bigger picture here is that companies are building grossly negligent software and then simply not being held accountable when it all goes wrong," Hunt wrote on VTech's new T&Cs on 9 February.
Varonis vice president of strategy David Gibson told Computerworld UK by email: "Protecting customer, partner and employee data is a business requirement. It's possible that VTECH may have run afoul of the US's COPPA [Children's Online Privacy Protection] laws for protecting children's data. The larger point is that consumers should expect reasonable data security without having to be personally liable."