You may recall that in December of last year, VTech, a manufacturer of children’s electronic toys, was hacked and the personal data of millions of people was compromised. The stolen data included names, addresses, contact details and even photographs of both children and adults. More information on the original attack can be found here: http://www.bbc.co.uk/news/technology-34944140, and here: http://www.bbc.co.uk/news/technology-34963686.
In the last week it has come to light that VTech has changed its terms and conditions of use – also known as its End User Licence Agreement, or EULA – and added wording that, on the face of it, places the blame for loss of data on the consumer. The section in question reads:
“You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorized parties.”
It appears as though this change was made in late December but has only recently been noticed and publicised.
I think we can all agree that it’s pretty clear what the wording tries to do: it tries to exclude any liability on VTech’s part should data be stolen from their servers. In response to widespread criticism of these new terms, VTech has stated that this kind of wording is commonplace in EULAs and that the change was made to reflect standard practice.
Of course, there is some truth to this. It is not unusual for a EULA to contain wording that makes it clear that the internet is a dangerous place and that data can sometimes be intercepted or stolen. The difference here, though, is that most companies will almost always make it clear that they will do all they can to ensure their security systems will prevent this from happening.
I don’t think anyone would argue that a company should be liable for data loss if that loss was caused by a lack of security at the customer’s end, e.g. if the customer’s computer had some form of virus that was harvesting data. But I also don’t think anyone would consider it reasonable that the company try to absolve itself of all responsibility for data loss, especially where the loss was caused by inadequate security measures put in place by the company.
Whilst I really hope that there is never a need for this clause to be tested in court, it would be an interesting case to see, as UK and EU law (both data protection law and consumer protection laws) may well render this clause illegal and unenforceable.
The moral of this story is to have a look at those terms and conditions that we don’t take the time to read – even I’m guilty of this, and I write them, a lot – and pay attention to those bits that cover how data will be handled and looked after (or not, as the case may be).
For a slightly more tech-heavy read on this issue, take a look at this blog post by Troy Hunt: http://www.troyhunt.com/2016/02/no-vtech-cannot-simply-absolve-itself.html.
If you have any questions about EULAs or your data protection responsibilities, please get in contact.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.