On 23 November 2015, Hong Kong based toy company VTech was alerted by a journalist that its database of approximately 5 million customer (parent) accounts worldwide and over 6 million children's profiles had been hacked. This included personal details such as name, gender and birth date. Perhaps most disturbingly, there have been unconfirmed reports that amongst the 1.2 million accounts that had the Kid Connect app enabled, audio recordings, photos and chat messages were also accessed.

VTech sells interactive toys and nursery equipment such as baby monitors and children's laptops, which encourage the creation of online accounts to build profiles and to download updates and further content.

The company has been quick to assure the public that no credit card, social security numbers or other financial data has been exposed, and has said that there is no indication that the data has been misused.

It is not clear whether VTech has yet contacted the Office of the Australian Information Commissioner (OAIC), but the OAIC has reported that it has been in contact with the equivalent Hong Kong regulator and will work together with them to investigate this matter. In the case of the Ashley Madison data breach, the OAIC is also working with the Office of the Privacy Commissioner of Canada on a joint investigation because the operator of the website is based in that country.

All organisations that carry on business in Australia or have an 'Australian link' are covered by the Privacy Act, and penalties for breach of the Act include fines of up to $1.7 million. A data breach of itself would not be enough to establish a breach of Australian privacy laws. It would need to be shown that one of the Australian Privacy Principles (APPs) was actually breached. Without knowing the details or circumstances that led to the information being collected and ultimately exposed, possible breaches that could be investigated include:

  • that the company failed to take reasonable steps to ensure that personal information was held securely
  • that it did not have sufficient consent to collect that information from the individual and that it stored the information for longer than necessary for the purposes it was collected.

The OAIC's data breach guidelines contemplate that businesses should notify the OAIC (and affected persons) if the breach involves a 'real risk of serious harm'. Whilst this is currently a voluntary requirement, the government released an exposure draft on 4 December 2015, proposing that this notification requirement become mandatory.

All businesses that collect personal information should consider what could potentially be exposed if their databases were hacked. Was such information legitimately collected, and do you still have sufficient reasons to keep it? Do you have a data breach response plan, and are you taking reasonable steps to ensure that the information is held securely so your business is not the next in the spotlight?

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.