FTC Provides Guidance on “Reasonable” COPPA Security
The Federal Trade Commission recently announced a settlement with VTech Electronics Limited and its U.S. subsidiary in the FTC’s first case involving Internet-connected toys.
In short, VTech had been charged with violating the FTC Act and the Children’s Online Privacy Protection Act by collecting personal information from children without providing direct notice and obtaining verifiable parental consent, as well as failing to properly secure the data it collected.
The FTC said the information was stored so that kids’ information was linked to their parents’ information. For example, that meant that if a child had submitted a photo, the hacker could have found that photo, along with the child’s home address. According to the complaint, VTech didn’t know that personal information had been copied from its network until the company was contacted by a journalist.
The FTC has gone to great lengths to explain the basics of what businesses must do to comply with COPPA. However, there has been a fair degree of uncertainty about how businesses must actually protect personal information collected from children.
“Reasonable procedures” are required to protect such information from exploitation, but what does that actually mean? The agency’s recent settlement with VTech provides a bit of insight into the issue.
The settlement contains a requirement that VTech establish and maintain a “comprehensive data security program,” which includes identification of security risks, designation of employees responsible for security, and testing and evaluating security measures for effectiveness. It permanently prohibits VTech from violating COPPA in the future and from misrepresenting the extent to which it maintains and protects the privacy, confidentiality, security or integrity of registration information and personal information collected from a child. It also includes a payment of $650,000 in civil penalties, injunctive relief, and the establishment of a comprehensive security program.
The accompanying FTC press release makes some additional suggestions about the type of minimum procedures that should be implemented when storing children’s data, including, but not limited to:
- Segment and protect its live website from its test website environment. This should be familiar to businesses that have been following the FTC’s Start with Security and Stick with Security initiatives. Effective network segmentation could help stop an “oops” from developing into a full-blown “uh-oh.”
- Maintain an intrusion detection system and monitor unauthorized attempts to obtain personal information.
- Complete vulnerability and penetration testing to protect from widely-known vulnerabilities.
- Implement employee guidance and training on data security.
Section 312.8 of COPPA expressly requires covered companies to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” However, in this case, a hacker was able to remotely access VTech’s test environment and from there gained entry into the live site. That is where the hacker grabbed parents’ full names, addresses, email addresses, secret questions, and children’s usernames – all of which was stored in clear, readable text. Although VTech stored passwords and children’s photos and audio files in an encrypted format, a database accessed by the hacker included the decryption keys for photos and audio.
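The storage defect described above (decryption keys sitting in the same database as the encrypted photos and audio, and other fields in clear text) can be illustrated with a small key-separation example. This is an added illustration, not code from VTech or the FTC, and it assumes a simplified record layout; it uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for a real AEAD such as AES-GCM so that it runs on the Python standard library alone. The point it demonstrates is that with envelope encryption, where each record key is wrapped under a master key held outside the database, a copy of the database alone does not yield plaintext, whereas the co-located layout is readable from the dump.

```python
import hashlib
import hmac
import json
import secrets

# Constructed master key. In a real deployment it lives in a KMS/HSM or at least outside
# the application database, so a database dump alone cannot unwrap the per-record keys.
MASTER_KEY = secrets.token_bytes(32)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on a wrong key or modified data."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def store_colocated(db: list, record: dict) -> dict:
    """The layout the complaint describes: ciphertext and its decryption key in the same database."""
    data_key = secrets.token_bytes(32)
    row = {"key": data_key, "ciphertext": seal(data_key, json.dumps(record).encode())}
    db.append(row)
    return row


def store_enveloped(db: list, record: dict) -> dict:
    """Envelope encryption: the per-record key is wrapped under MASTER_KEY, which is not in the DB."""
    data_key = secrets.token_bytes(32)
    row = {
        "wrapped_key": seal(MASTER_KEY, data_key),
        "ciphertext": seal(data_key, json.dumps(record).encode()),
    }
    db.append(row)
    return row


def read_enveloped(row: dict, master_key: bytes) -> dict:
    """Legitimate read path: unwrap the data key with the master key, then decrypt the record."""
    data_key = unseal(master_key, row["wrapped_key"])
    return json.loads(unseal(data_key, row["ciphertext"]))


def dump_reveals_plaintext(row: dict) -> bool:
    """Model someone holding only a database dump: can the row be decrypted from the row alone?"""
    if "key" in row:  # co-located layout: the key is right there in the dump
        try:
            unseal(row["key"], row["ciphertext"])
            return True
        except ValueError:
            return False
    # enveloped layout: the dump has the wrapped key but not MASTER_KEY; any guessed key fails the MAC check
    try:
        data_key = unseal(secrets.token_bytes(32), row["wrapped_key"])
        unseal(data_key, row["ciphertext"])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample record of the kind the complaint describes (parent contact linked to child data).
    sample = {"parent_email": "parent@example.com", "address": "1 Example St", "child_username": "kid123"}
    db = []
    colocated = store_colocated(db, sample)
    enveloped = store_enveloped(db, sample)
    print("co-located layout readable from dump:", dump_reveals_plaintext(colocated))
    print("enveloped layout readable from dump:", dump_reveals_plaintext(enveloped))
    print("legitimate read with master key:", read_enveloped(enveloped, MASTER_KEY))
```

The same separation applies to the other fields the complaint lists as stored in clear text: names, addresses, email addresses and secret questions belong inside the sealed record, not in plaintext columns beside it, and the master key belongs in a key store that a compromise of the test environment or the live database does not reach.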
Takeaway: Companies should expect that FTC will continue to aggressively investigate and enforce privacy and data security matters, and will be evaluating these steps when assessing the “reasonableness” of a COPPA-based security program. The importance of good data security practices cannot be overstated.
If you are interested in learning more about the FTC’s privacy and data security efforts, or if you are the subject of a regulatory investigation or enforcement action you can contact the author directly or follow him on LinkedIn or Twitter.
Richard B. Newman is an Internet marketing compliance and regulatory defense attorney at Hinch Newman LLP focusing on advertising and digital media matters. His practice includes conducting legal compliance reviews of advertising campaigns, representing clients in investigations and enforcement actions brought by the Federal Trade Commission and state Attorneys General, commercial litigation, advising clients on promotional marketing programs, and negotiating and drafting legal agreements.
ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005.