A recent data breach that affected a popular manufacturer of technology products for children has raised privacy concerns about how companies protect children’s data. VTech reported last week that sensitive data – including names, emails, passwords and photos – of approximately 6 million parents and children was stolen, 300,000 of whom were Canadians.
The number of data breaches has steadily increased in the last few years, and with it has grown concern about potential damage to a brand’s reputation, class action lawsuits, financial losses, or worse. A recent study conducted by the Ponemon Institute on the cost of data breaches revealed that the average total cost of a data breach is a whopping $3.79 million! Even though Canada was identified as having a lower probability of being affected by a data breach in comparison with other countries such as Brazil and France, it had one of the highest per capita costs of a breach.
Data breaches often lead to financial losses and, more importantly, significantly lower consumer confidence in brands - and the breach suffered at VTech is no different. However, this particular incident shines the spotlight on the growing threats to children’s data privacy. Children’s data is considered to be sensitive information under Canadian privacy law and so should be given a high degree of protection. CMA’s Code of Ethics and its Guidelines for Marketing to Children and Teenagers also provide marketers with clear guidance on appropriate business practices when marketing to children.
An important lesson learned from the VTech incident is that account registration services, especially for services and products directed at children, should use SSL/TLS (Secure Sockets Layer/Transport Layer Security), which encrypts data sent between a user's computer and a service. It's considered a high risk to not enable SSL/TLS, particularly when registering accounts with personal information and passwords.
From a legal perspective, an investigation by Canada’s Office of the Privacy Commissioner (OPC) could take place given that Canada’s privacy laws may provide the Commissioner with the powers to investigate foreign companies in some circumstances. Certainly, past OPC findings about foreign-based businesses dealing with Canadians’ personal information have taken a strong position that the Commissioner does have jurisdiction where these matters involve the data and privacy of Canadians.
Note: Breach notification regulations are expected to be passed in 2016, which will create additional responsibilities for organizations and the potential for penalties. CMA will update members as more information becomes available.
By: CMA Advocacy Team