The Internet of Things (IoT) has become part of our daily lives over the last few years. It can be defined as a network of networks that allows complex identification systems to transmit data between physical and virtual objects (e.g. autonomous cars, Google Home, Fitbits…). It mainly relies on Artificial Intelligence and uses personal data. For this reason, it is important to adequately protect said data, namely through adequate security measures. It may also be advisable to insure oneself against cybersecurity risks.
IoT and cybersecurity are intertwined. IoT evolves in a cyberenvironment and is subject to risks, and more specifically to cyberattacks. To protect the former, the latter must be fought and regulated. These are critical issues on both sides of the Atlantic. As we will discuss below, several actions have been taken to safeguard individuals and businesses from cyberattacks and to enhance the protection of personal data.
Furthermore, two recent cases in the United States illustrate the importance of these issues: the VTech cases. Mathias Avocats will explain both cases and give an overview of the steps taken in the United States and in the European Union (EU).
What are the VTech cases about?
VTech Electronics is a North American company which manufactures and markets digital learning toys for children. It was recently at the heart of two cases: one involving the Federal Trade Commission (FTC) and another concerning a class action in an Illinois district court. Both cases revolve around VTech’s digital learning devices for children (Learning Lodge and Kid Connect) and the inadequate data-protection measures which allowed a hacker to access and download children’s and parents’ personal data. However, the arguments presented differ greatly.
In Re VTech Data Breach Litigation, Case No. 1:15-cv-10889 (N.D. Ill. 2018), the plaintiffs (adults) had purchased digital learning toys for their children. The toys required the use of online services for which personal data of both the parents and the children were needed (e.g. name, home address, email address, credit or debit card information…). The user thus had to register for the online services if he or she wanted to use them. In other words, the online services were not enabled automatically.
It is interesting to note that the plaintiffs did not argue on the grounds of personal data protection legislation. Would the outcome have been different if they had? It is reasonable to assume so considering the FTC’s complaint against the company.
At the beginning of this year, the FTC filed a complaint against VTech, namely for violation of the Children’s Online Privacy Protection Act of 1998 (COPPA). It argued that the company had failed to provide sufficient notice on its website about the information it collects from children, how it uses that information, and its disclosure practices. Furthermore, it contended that the company did not have reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. It also considered that VTech had failed to provide direct notice of its policies to parents. The parties settled for $650,000 and VTech agreed to implement a comprehensive data security program to ensure future compliance with COPPA and to protect consumers’ personal information. This was the first ever connected-toy privacy and data security case for the FTC. It remains to be seen what impact it will have in the future.
What would have been the outcome under the GDPR?
The General Data Protection Regulation or GDPR (Regulation n°2016/679) came into force in the EU on May 25th, 2018. It has changed the legal landscape of personal data protection legislation, namely by imposing more stringent requirements and conditions on data controllers and processors. Let us underline that companies based in the United States may be subject to the GDPR and must be in compliance.
When considering the VTech case, it is most likely that, had the case been brought in the EU, the arguments presented and the outcome would have been similar to those of the FTC’s case. This leads to the question: how so?
VTech’s lack of adequate security measures would have been a violation of its security obligations under Article 32 of the GDPR. The latter states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, which namely includes “pseudonymisation and encryption of the personal data (…) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” and so forth. It would further have been a violation of the security principle (Article 5 of the GDPR).
Children’s personal data is very strictly regulated under the GDPR. The processing of a child’s data on the basis of the child’s own consent will be lawful where the child is at least 16 years old. This also applies under COPPA. Under Article 8 of the GDPR, if the child is less than 16 years old, consent must be given or authorised by the holder of parental responsibility over said child. Moreover, specific information regarding the processing activities must be given, and the information must be adapted to a child (Article 12 of the GDPR). In light of the FTC’s case, VTech would not have been considered as complying with this information requirement.
What actions have been taken?
In 2017, the President of the United States issued an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure which underlined the need for reinforced and up-to-date cybersecurity policies. It directed the Secretaries of Commerce and Homeland Security to lead “an open and transparent process to identify and promote action by appropriate stakeholders” to better manage cybersecurity risks, namely regarding botnets. The Executive Order led to a Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats. The Report identifies 5 goals (e.g. promote innovation in the infrastructure for dynamic adaptation to evolving threats, increase awareness and education across the ecosystem…), each setting out several actions which can be taken to reach said goal. It remains to be seen how these goals and actions will be implemented in practice.
In the EU, several actions have also been taken regarding cybersecurity. These include EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union, also known as the Network and Information Security (NIS) Directive, which came into force in May 2018; the proposal for a new Directive on combating fraud and counterfeiting of non-cash means of payment, which is currently under study in the EU Parliament; and the Cybersecurity Act, on which the European Council has just approved its general approach.
All these actions underline the increasing importance of cybersecurity and the need for an effective framework for the IoT.
Mathias Avocats remains at your disposal for any further questions you may have, namely regarding cybersecurity, personal data protection or the digital sector in general. The firm can also support you in your projects.