Ashley Madison, Sony, TalkTalk and now, VTech. The toy giant, most notable for manufacturing digital devices for young children, was hit by a sizable cyber attack last month. It is now believed that the personal information of more than six million children – including names, dates of birth, details of gender, images of children and even and audio recordings – were stolen.
Cyber-security experts have accused VTech of not implementing the appropriate measures against a possible cyber attack. One told BBC News that the company’s practices in protecting their customers data were “unforgivable”.
This latest data breach is shocking, not least to the parents who have purchased VTech tablet’s or camera’s for their children.
2015 has been the year that cyber-crime has hit new and unprecedented heights. Not long ago incidents such as these were considered rare occurrences brought about by criminal organisations, but now, high profile hacks have hardened the publics opinion against the companies affected. Many now state that large consumer brands are failing in their obligation to protect customer data.
This was the case in the high-profile TalkTalk hack, where the company was flooded with calls from angry customers looking to cancel their contracts. Some accused TalkTalk of breaking their duty of care. Others said that TalkTalk failed to honour its contract with customers, neglecting its duty to protect and preserve their customer’s information.
TalkTalk disputed these claims and imposing hefty termination fees unless a specific customer could prove financial loss as a result of the hack. The reception from customers was predictably frosty.
For consumers, such as those affected by the VTech hack, this stance, unfortunately, is entirely consistent with the law. The position outlined by the Data Protection Act is that a consumer can claim for damages under ‘section 13’, but will only generally get them if that person had suffered a financial loss due to the breach..
It is currently no longer a case of if a data controller will suffer a cyber-attack, but when. Even when all reasonable measures are taken, there may still be an attack, and subsequently, a breach, for which a consumer would not be entitled to compensation.
In the case of VTech, it is too early to say if the company had taken all reasonable measures to avoid data being stolen in this way. The existing law is being tested to greater extents as of late, but when dealing with so many, small sums of compensation, a single consumer is likely to be dissuaded from pursuing litigation given the legal costs they would be expected to pay.