When Kids’ Toys Are Listening, the FTC is Watching

Chinese toymaker VTech recently settled charges with the FTC in the first-ever case involving internet-connected toys. VTech became a victim of cyber attackers back in 2015, when hackers got access to the company’s online database and compromised accounts of over 11 million, which included data for about 6.37 million children.

Michael Bahar, head of Eversheds Sutherland’s U.S. Global Cybersecurity and Privacy Practice, and former General Counsel to the House Intelligence Committee, and Mitzi L. Hill, technology partner at Taylor English Duma LLP, sat down with IPWatchdog to discuss this case and related concerns including: (1) how the FTC’s Children’s Online Privacy Protection Act (COPPA) update indicates a larger regulatory effort over Internet of Things; (2) why smart devices are more vulnerable to security threats and privacy issues than ever; (3) what kind of regulatory and legal efforts manufacturers can expect; and (4) how businesses can stay compliant with the FTC and protect themselves against cyber breaches.

“IoT can be compared to an ancient temple in which regulatory and cyber threat booby traps abound. Business who employ ‘smart components’ to boost efficiency or to create innovative new products must take the time to understand what it is they are introducing, and what the attendant regulatory and cyber threat risks are,” explained Bahar. “The FTC is at the forefront of enforcing privacy and cybersecurity, and its recent COPPA actions indicate that far from easing up, they are stepping up pressure on all manufacturers—not just those that make toys—to make sure they understand the threat and regulatory implications of the smart components they are employing.”

Today, the key to compliance when dealing with IoT is to “know thyself,” Bahar explained. In other words, take the time to understand what truly is in these smart components, not only from a technical perspective but a legal one. In addition, make sure to make good on your promises.  If you tell consumers that you are protecting their data or their privacy in certain ways, make sure you are making good on that commitment.

For some time now, it has been clear that websites and apps are covered by COPPA if directed to children under 13. The expansion to IoT devices is potentially much broader because the IoT is growing so quickly and includes so many devices with different functions. This means applying a COPPA framework to many thousands more potential outlets. According to Hill, for instance, do you know if your smart frig or its functions are directed to under-13s? Or is there a separate user account on a connected device that gathers personal information from different family members, including children? The universe of COPPA compliance may not be limited, in the future, to cartoon-themed or other clear “kids’ programming” services.

“Prior to the IoT, many of the devices we held either belonged to a business (think of your work laptop), or were on lease from a corporate provider for our personal use (like your cell phone),” she said. “Those owners and providers added security to their networks to protect themselves, and it had the beneficial effect of protecting users.”

For user-owned and provided devices, the numbers were limited (home router and laptops or desktops, tablets). They all looked and acted like computers, and felt like things we should protect because we transmitted credit card info via them or stored tax returns on them. Today, IoT means a proliferation to hundreds of thousands of new types of connected devices – cars, thermostats, doorbells, home appliances, etc. – that outnumber the devices in the old days, according to Hill. In addition, many are not the kind of thing we intuitively understand to require protection, which creates new ways for hackers to get at the otherwise-protected devices, using those “not-computers” that are proliferating rapidly.

So, what kind of regulatory and legal efforts can other types of manufacturers can expect? Outside COPPA, healthcare, and financial services we in the U.S. have few specific laws regarding data privacy and security.

“I think that shows that we are historically ‘hands off’ from a regulatory standpoint, except in high-stakes areas,” she explained. “The FTC’s work in this area largely has been to fill the void created by having so few actual laws, and focuses on consumer protection against unfair trade practices. I think they will continue their focus on making clear and accurate disclosures to consumers, and then abiding by them. Any IoT manufacturer should develop and comply with a good consumer privacy policy.”

These days, the FTC publishes a lot of guidance in this area, and many of these questions require a detailed conversation with a lawyer. In general, to comply with COPPA according to Hill, be sure you have verifiable parental consent if you collect information from children. To protect against cyber breaches, know where your data are and what they are, update your network and hardware and software appropriately, use a firewall and passwords, and have an incident response plan that you can deploy if you ever do suffer an intrusion or another incident.

She added, “In happier news, those steps will also help protect and preserve your company’s own ‘secret sauce’ and position you better for growth and investment.”