A recent decision from the Office
of the Privacy Commissioner of Canada has provided some useful guidance in
connection with minimum security standards required for Internet of Things/web-connected
devices, particularly those that collect personal information and data from
Where did VTech’s security practices go wrong? The OPC identified
numerous “safeguard shortcomings” (to put it mildly). These included the following:
VTech’s hacker obtained access
to VTech’s systems via SQL injection attacks; the injection flaw went unnoticed
because the company did not engage in regular vulnerability testing, and so the
attack itself was not caught. VTech also neglected to regularly patch its
software or ensure that the versions in use were current.
VTech did not implement rigorous
administrative-level access controls on its servers, environments and databases.
Production passwords had been shared in test environments, personnel were sharing
accounts and local administrators were given broad access across networks. The
hacker was thus able to gain initial access to a test environment and a local
administrator account and later move between environments to gain access to
sensitive information of customers (and their children) on a global basis.
VTech’s existing cryptographic
protection was inadequate, inconsistent and haphazard. Some sensitive
information (such as names, security questions and answers, etc.) was stored in
plain text, while certain customer communication was transmitted in unencrypted
clear text. Passwords were stored using vulnerable cryptographic methods.
VTech was unable to detect
potential intruder threats or unauthorized/unusual activities (i.e., no alarm
bells went off when customer data was removed from its networks) because it did
not employ adequate host and network security logging/monitoring services.
Lastly, the company lacked a
comprehensive data security policy, did not conduct security training or have a
program for regular risk assessment.
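As an added illustration of three of the shortcomings listed above (string-built SQL open to injection, passwords stored with weak methods, and security-question answers kept in plain text), here is a minimal account store that binds query parameters and keeps only salted PBKDF2 digests. This is example code written for this page, not code from VTech or from the OPC decision; the table layout and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to the deployment's hardware


def hash_secret(secret, salt=b""):
    """Salted PBKDF2-HMAC-SHA256 for passwords and security-question answers.

    Returns (salt, digest); the clear text is never written to the database.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_secret(secret, salt, digest):
    """Recompute under the stored salt and compare in constant time."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


def make_db():
    """Constructed in-memory account table standing in for a real store (not VTech's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE parents (email TEXT PRIMARY KEY, pw_salt BLOB, pw_hash BLOB, "
        "sq_salt BLOB, sq_hash BLOB)"
    )
    return conn


def register(conn, email, password, security_answer):
    pw_salt, pw_hash = hash_secret(password)
    # Normalise the answer before hashing so "Rex" and " rex " verify the same way.
    sq_salt, sq_hash = hash_secret(security_answer.strip().lower())
    conn.execute("INSERT INTO parents VALUES (?, ?, ?, ?, ?)",
                 (email, pw_salt, pw_hash, sq_salt, sq_hash))


def login(conn, email, password):
    # Parameterised query: the email is bound as data, never spliced into SQL text,
    # so quotes or SQL fragments in the input cannot change the statement.
    row = conn.execute("SELECT pw_salt, pw_hash FROM parents WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_secret(password, row[0], row[1])


def check_security_answer(conn, email, answer):
    row = conn.execute("SELECT sq_salt, sq_hash FROM parents WHERE email = ?", (email,)).fetchone()
    return row is not None and verify_secret(answer.strip().lower(), row[0], row[1])
```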
What actions did VTech take to mitigate the breach? To its credit,
VTech did move quickly to contain the original breach once it had been
discovered, taking its relevant databases, servers and websites offline,
rebuilding affected systems before going back online, notifying individual
customers on Nov. 27, 2015 via notices that contained safety measures to
mitigate risks as well as by press releases, social media and FAQs on its
websites (it notified the OPC in December). VTech also required users to change
their passwords upon their first subsequent login and co-operated with local
law enforcement in various countries to assist investigations regarding the
Cleanup: In response to its investigation and those of other
regulators in the U.S. and Hong Kong, the OPC reported that VTech took “active
and comprehensive measures” to clean up its security practices and mitigate
against future breaches. The steps undertaken by VTech serve as a road map or a
benchmark for good security practices that should be undertaken by all
companies that hold sensitive data:
(i) Testing/maintenance: VTech ultimately implemented a regular, multi-faceted
testing protocol to identify potential system vulnerabilities and an
update/patch management program to lower the risk of known vulnerabilities.
(ii) Administrative access controls: VTech is now limiting the
number of individuals with administrative access, as well as the scope of
access available via individual accounts (e.g., to limit cross-network access
of local administrators). The company has also strengthened authentication
controls (e.g., strong passwords) and put in place organizational measures to better
control the use of administrative accounts.
(iii) Cryptography: The company has adopted enhanced cryptography
for stored information, as well as encryption for user information in transit
via its websites and apps.
(iv) Logging and monitoring: VTech has increased and centralized
log-event retention to assist in detecting and investigating unauthorized
activities on its network, as well as restricting and monitoring outgoing
traffic to the internet.
(v) Security Management Framework: Lastly, the company has deployed
a (new) comprehensive data security policy, which includes the creation of a
Data Security Governance Board to ensure, among other things: staff awareness
via annual training regarding the policy and data security; policy compliance;
and annual risk assessments, best-practice benchmarking and reviews so that the
policy and associated data security measures remain adequate.
Breaching PIPEDA: Given the sensitivity of the information under
VTech’s control and the number of individuals affected, including children, the
OPC found that VTech was required to have heightened safeguards in place to
protect against unauthorized access — but it didn’t. As a result, the OPC found
VTech in violation of Principles 4.7 and 4.7.3 of Schedule I of PIPEDA relating
to security safeguards and the fact that more sensitive information should be
safeguarded by a higher level of protection.
The FTC’s order: VTech’s compliance troubles did not end with the
OPC. On top of the inadequate security practices already noted, the U.S. Federal
Trade Commission severely chastised the privacy and security practices of
related companies VTech Electronics Limited (based in Hong Kong) and its U.S.
subsidiary, VTech Electronics North America, LLC, based in Illinois
(collectively “VTech USA”). On the
same day the OPC decision was released, the FTC announced that it was settling
charges filed by the U.S. Department of Justice on behalf of the FTC against
VTech USA for violating the Children’s Online Privacy Protection Act by
collecting personal information from children without providing direct notice
to parents (including prominently displaying links to online notices of
information practices with regard to children on the home page or screen of its
website or online services and at each area of the website or online service
where personal information is collected) or obtaining verifiable consent
concerning its information collection practices. VTech USA also allegedly
failed to use reasonable and appropriate data security measures to protect the
personal information collected. The FTC also claimed that VTech USA expressly
violated the Federal Trade Commission Act by engaging in several deceptive acts,
including representing that personal information (including registration data)
submitted by users through
the Planet VTech and Learning Lodge platform/apps would be encrypted in
transmission/storage, but this was, in fact, not done.
Next steps: The complaint and stipulated final order were filed in
the U.S. District Court for the Northern District of Illinois and, following
signature by the District Court Judge, will have the force of law. VTech USA was
ordered to pay US$650,000 in civil penalties as part of its settlement with the
FTC and, in addition to the monetary settlement, is permanently prohibited from
violating COPPA and from further misrepresenting its privacy and security
Implementing a comprehensive information security plan: VTech USA
is also required to implement a comprehensive information security program that
must be fully documented in writing and contain administrative, technical and
physical safeguards appropriate to VTech USA’s size, complexity, activities and
the sensitivity of the personal information. The FTC’s guidance in this area is
also illustrative as it highlights that such an information security program must include:
the designation of an employee
or employees to co-ordinate and be responsible for the information security
internal and external risk
assessments, including (i) employee training and management; (ii) information
systems, such as network and software design, information processing, storage,
transmission and disposal; and (iii) prevention, detection and response to
attacks, intrusions or other systems failures;
the design and implementation
of reasonable safeguards to control these risks, including regular testing or
monitoring of the effectiveness of the safeguards’ key controls, systems and
the development/use of
reasonable steps to select and retain service providers capable of
appropriately safeguarding personal information they receive from VTech USA and
requiring such service providers, by contract, to implement and maintain
appropriate safeguards; and
the evaluation and adjustment
of this information security program in light of the results of testing and
monitoring, changes to VTech USA’s operations or business arrangements, or other
circumstances that VTech USA knows (or ought to know) could have an impact
on the effectiveness of the information security program.
VTech USA is obliged to obtain
assessments conducted by independent third-party auditors: an initial
assessment covering the first 180 days after the initial date of the order, and
biennial assessments covering each two-year period thereafter, for 20 years after
issuance of the order.
One year after entry of the order, VTech USA must submit a detailed compliance
report, sworn under penalty of perjury, that describes how VTech USA is in
compliance with each section of the order, along with other (onerous)
information requirements. It’s an understatement to say that the FTC takes
auditing duties very seriously.
Conclusion: Among other things, the “lessons” that can be gleaned from
the VTech and VTech USA cases include: (i) IoT/connected toys and devices
remain very vulnerable in the face of haphazard/sloppy security practices; (ii)
inadequate security safeguards will no longer be tolerated by regulators,
particularly when children’s information or other sensitive information is
involved; (iii) robust and adequate security safeguards involve multi-level
tiers of protection per the above; (iv) vendors should never misrepresent the
state of their security practices in their privacy policies; and (v) in a
connected world, regulators are willing to work together and share data and
resources to combat “deceptive and unfair practices that cross national borders”
(in the words of the FTC).