VTech fondleslabs for kids 'still vulnerable' despite sanctions

New InnoTab child learning devices still have the same security flaw first found by researchers at Pen Test Partners two years ago. The issues persist even after manufacturer VTech was fined $650,000 by US watchdogs at the Federal Trade Commission (FTC) via a ruling published earlier this week. The settlement deal came after …

  1. Halfmad

    Are you ****ing me?

    As well as paying the fine, VTech agreed to apply privacy and security requirements so that it complied with the Children's Online Privacy Protection Act (COPPA) and the FTC Act

    How nice of them, so here again we have an example of a fine being required to get people to AGREE to comply with something they are meant to legally comply with. Clearly our sanctions regime isn't enough, time to consider holding executive directors personally responsible for the actions of the company they manage.

    Money isn't always the solution, assigning responsibility to senior management and making them lawfully responsible might be.

  2. Mage Silver badge

    Fine?

    A modest cost of doing business, peanuts.

    10% of turnover or $20,000 per affected person would be a fine.

  3. Tigra 07

    So you updated your security policy but won't go into details Vtec? And the same issues are still happening? Go away, update your policy again then, and do it properly this time eh?

    Let's hope they get a bigger fine this time.

    1. Crisp

      Updated security policy

      The security policy has been updated to define any security problem as the user's fault.

  4. adam payne

    Just a plain of stock statement from them for something that has been reported before.

    I'm sure there must be a template for these statements.

    They don't want to do anything about the issue because that would cost money. They won't fix it until they are told to by a regulator or they get fined.

  5. Cuddles

    Needs some parsing?

    "the deal means that VTech is "required to implement a comprehensive data security program, which will be subject to independent audits for 20 years" as well as "misrepresenting its security and privacy practices"."

    A deal that requires them to misrepresent their security and privacy practices doesn't sound all that great.

    1. Dan 55 Silver badge

      Re: Needs some parsing?

      I don't know, I think that's about right when it comes to VTech.

      They weren't going to get off my list anyway, but it's nice to be proven right.

  6. John G Imrie

    Cost of doing business

    The same tests on a newly purchased InnoTab reveal that the same hack is still possible and nothing had been done to address the problem, according to Pen Test Partners' Ken Munro.

    Nothing will change until the cost of doing nothing outweighs the cost of fixing the problem.

    1. EnviableOne

      Re: Cost of doing business

      The idea is that GDPR should do just that.

      VTech would be in line for (at the lower rate) is $37.1million which is 20% of their profit, but if it makes the higher rate fine they are looking at up to 40% of their profit, which is likely to scare any board into action.

      BTW if Amazon gets hit with a maximum lower rate GDPR fine it wipes out ALL their profit.

      1. Anonymous Coward

        Re: Cost of doing business

        Did you mean turnover, which will wipe out Amazon's profit?

        "From a theoretical maximum of £500,000 that the ICO could levy (in practice, the ICO has never issued a penalty higher than £400,000), penalties will reach an upper limit of €20 million or 4% or annual global turnover – whichever is higher."

        https://www.itgovernance.co.uk/dpa-and-gdpr-penalties

        Sadly just because they can, doesn't mean they will - I'm getting the impression that the ICO won't, can't vouch for other watchdogs.

  7. razorfishsl

    Typical of a HK based business.

    You only have to speak to the CEO and board members of any company in HK to understand that they consider "IT" at the same level as Janitorial services.

    They think paying 16k-20K HK a month is too much for IT staff who only need a secondary ed., and that if you don't buy kit from places like Taobao and brands like TP-Link then you are budgeting poorly.

    I kid you not..

    Add into that mix that most males who can use a computer in HK seem to think they are some sort of IT geniuses just because they can write an app or stick some cat 6 cables in the back of a router and the stage is set.

    Then you have to deal with idiots at the top who get so deeply involved into writing software, that they start dictating things like:

    "store the date as text" in the database because we won't need it as a date....

    "make the spacing on the HTML page match this exactly"

    Then the programmers have to go and patch applications to parse dates out manually using own built libraries, because it turns out 5 months later it might be useful, now the stage is set for all sorts of data injection.

    During this continual process of piss poor mind changes they are master-bating about "waterfall diagrams" "SPRINT" , "KPI" and any other buzz terms they have read in their glance through software development....

    but not a single code repository in sight, because they did not get to that part of the process or it's not "buzz wordy" enough.

    Don't even get me started that many of them consider working on their LIVE systems as normal.

  8. Anonymous Coward

    Privacy policy/FTC

    VTech's "privacy" policy was the only thing updated, not their "security" policy.

    Their privacy policy clearly mentions data collection and that parents must consent.

    As far as the FTC is concerned, I have very little faith.

    I have made formal complaints to the FTC and the FTC representative told me they do not take action or investigate individual claims.

    Their only function is to document the claim(s) and I (assume) they only take action when multiple claims are reported for the same offense.
