Vtech Hack – Largest Cybersecurity Breach Affecting Children
Total Page:16
File Type:pdf, Size:1020Kb
Legal Update Hong Kong 10 December 2015 VTech Hack – Largest Cybersecurity Breach Affecting Children On 14 November 2015, VTech Holdings Limited Both the Hong Kong Privacy Commissioner (PC) and (VTech) was hacked, resulting in the personal data of the authorities in the United States have commenced about 6.4 million children and 4.9 million parents investigations into the hack, to determine whether being compromised worldwide. Out of the more than VTech infringed any relevant laws and, if so, what 11 million people involved, 5 million of them had remedial action should be taken. their data stolen. This is the largest cyber attack affecting children’s data worldwide. Investigations in Hong Kong Investigation Hong Kong, the United States and Britain are The PC has commenced an investigation into VTech’s currently underway. practices in order to determine whether VTech failed to comply with its security obligations under the Background Hong Kong Personal Data (Privacy) Ordinance VTech is a leading electronic learning toys company, (PDPO), thereby enabling the cyber attack to occur. headquartered in Hong Kong, with offices in 11 Under the PDPO, VTech (as a data user) is obligated countries (including Australia, China, Singapore, to implement practical steps to safeguard the South Korea and Malaysia). VTech is currently listed personal data held by it from any unauthorised or on the Hong Kong Stock Exchange. accidental access, processing, erasure, loss or use (Data Protection Principle 4). The hacker accessed VTech’s customer database through its Learning Lodge app store (which allows If the PC finds that VTech has failed to comply with customers to download apps, games, e-books and such security and safeguarding obligations, he may educational content onto their VTech products) and issue an enforcement notice against the company Kid Connect servers (which allows parents to requiring it to carry out remedial action (e.g., communicate with their children via an app on the requirements regarding further encryption and IT children’s VTech tablet). The databases contain the security, etc). If VTech fails to comply with the name, birth date and gender of the children, and the enforcement notice, then it will be guilty of an name, email address, password, IP addresses, postal offence, which attracts a maximum fine of address and download history of the parents. No HK$50,000 and 2 years imprisonment. Higher credit card data, bank account information or any penalties apply in the event of repeated identity card numbers were stored on the databases. infringements on the same facts and/or subsequent infringement of other enforcement notices. The affected customers are located across 16 different countries with the majority of those affected In the United States, at least two states (Connecticut being in the United States. Other places include and Illinois) are planning to conduct investigations France, the United Kingdom, Germany, Canada, into the VTech breach. Britain’s data privacy Hong Kong and Australia. regulator has also announced that it will be conducting an investigation. VTech has already taken steps to try and minimise any further damage by notifying all affected individuals, and temporarily suspending its Learning Data Breach Notification Lodge and Kit Connect Service in order to conduct a In Hong Kong, data users are not obligated to inform security assessment. the PC or any data subjects of any security or data privacy breach, but such notification is strongly notification should be done as soon as possible, recommended by the PC where there is a real risk of unless the law enforcement agency has (for harm to data subjects. In October 2015, only weeks investigative purposes) asked the data user to before the VTech hack, the PC issued a new Guidance delay in notifying the data subjects. The Data on Data Breach Handling and the Giving of Breach Breach Guidance Note gives further details/ Notifications (Data Breach Guidance Note). In brief, advice on what should be included in such upon the occurrence of a data breach, the Data notices (e.g., a description of what occurred, Breach Guidance Note recommends that: when it occurred, etc); a. the data user should take immediate remedial g. the data user should identify the root cause action to minimise any harm or damage that of the problem and take steps to prevent the could be caused to the data subjects; recurrence of such a breach in the future, e.g., improving its security measures, limiting its b. the data user should promptly gather essential employees’ access rights to the personal data information on when the breach occurred; on a need-to-know basis, etc. where it took place; how the breach was detected any by whom; the cause of the Whilst the Data Breach Guidance Note is not breach; the type and extent of personal data mandatory, and failure to comply with it does not in involved; and the number of data subjects itself result in an offence, the PC will very likely take affected; into account any failure to comply with the Data c. the data user should designate an appropriate Breach Guidance Note in determining whether or not person or team to handle the data breach to issue an enforcement notice against the data user incident and coordinate the initial internal in the event of a breach. investigations into the breach; d. the data user should identify the cause of Youth and Privacy in Hong Kong the breach and take steps to stop/contain The PDPO does not offer different treatment for the breach, including stopping the relevant minors’ personal data. Minors’ personal data is system if the breach is caused by system largely treated the same under the PDPO as personal failure; changing the users’ password and data relating to adults. A few exceptions apply in system configuration; notifying the relevant respect to consent and the submission of data access law enforcement agencies (e.g., the police) if and correction requests, some of which were identity theft, fraud or other crimes are likely introduced by the Personal Data (Privacy) to be committed; making the data processor (Amendment) Ordinance 2012 (Amendment take remedial steps if the breach is caused by Ordinance 2012): the data processor, etc; a. A parent or guardian are expressly allowed e. the data user should assess the risk of harm to make a data access request on behalf of that could be caused by the data breach, minors. However, caution must be exercised by e.g., identity theft, financial loss, damage to the data user to ensure that the person making reputation, loss of dignity, loss of business, etc. the request is authorised to do so on behalf of The extent of such harm will depend on, for the minor, e.g., evidence should be provided example, the type of personal data affected, showing that the requestor is the parent of the the amount of personal data involved, the minor. Further, data users should only comply circumstances of the breach, whether the data with a data access request submitted by the was encrypted, etc; parent or guardian, if the data user is satisfied f. if there is a real risk of harm (e.g., personal that such is made “on behalf of” the minor, and data stolen includes financial data, etc), not for the parent or guardian’s own purposes. then the data user should consider notifying b. With regard to consent, before the PDPO was the data subjects, the PC, law enforcement amended in 2012, when a data user wanted agencies and any other regulators or relevant to use the personal data of a minor for a new parties (e.g., asking Internet forums to take purpose, it had to obtain the “prescribed down any leaked personal data that has consent” of the data subject himself (i.e., been posted by hackers on the forum). The the minor). There was previously no specific 2 Mayer Brown JSM | VTech Hack – Largest Cybersecurity Breach Affecting Children provision in the PDPO that enabled a “relevant be easily read and understood by them; person” (i.e., parent or guardian) to give c. 51% shared personal data with third parties, “prescribed consent” on behalf of the minor. some of which were shared for vague or Instead, Data Protection Principle (DPP) 3 unspecified purposes; required the prescribed consent to be given by d. only 24% encouraged children to involve their the “data subject” themselves (i.e., the minor). parents; and However, changes were introduced by the Amendment Ordinance 2012 and the PDPO e. only 31% had in place effective means of now expressly allows parents or guardians limiting the amount of personal data collected to provide prescribed consent on behalf of from children. a minor in order for a data user to use the On 1 December 2015, following the VTech hack and minor’s personal data for a new purpose. Even the results of the Sweep, the PC issued a guidance after receiving such consent from a parent or note on the Collection and Use of Personal Data guardian, DPP 3 still prevents the data user through the Internet – Points to Note for Data Users from using the data for the new purpose unless Targeting at Children (Guidance on Collection of it reasonably believes that such new purpose is Children’s Data) and a leaflet entitled Children’s in the interests of the minor. Online Privacy – Practical Tips for Parents and c. The Amendment Ordinance 2012 also Teachers (with advice on how parents and educators introduced a new exemption to DPP 3 in the should get involved in children’s online activities, PDPO. Pursuant to the amendment, the police etc). or the Customs and Excise Department may The Guidance on Collection of Children’s Data transfer any personal data of a minor held highlights the fact that children are a vulnerable by them to the minor’s parent or guardian group, and extra caution is required when handling (without needing any prior consent of the their personal data.