On 23 November 2015, Hong Kong based toy company VTech was
alerted by a journalist that its database of approximately 5
million customer (parent) accounts worldwide and over 6 million
children's profiles had been hacked. This included personal
details such as name, gender and birth date. Perhaps most
disturbingly, there have been unconfirmed reports that amongst the
1.2 million accounts that had the Kid Connect app enabled, audio
recordings, photos and chat messages were also accessed.
VTech sells interactive toys and nursery equipment such as baby
monitors and children's laptops which encourage the creation of
online accounts to make profiles and to download updates and
The company has been quick to assure the public that no credit
card, social security numbers or other financial data has been
exposed, and has said that there is no indication that the data has
It is not clear that VTech has yet contacted the Office of the
Australian Information Commissioner (OAIC) but the OAIC has
reported that it has been in contact with the equivalent Hong Kong
regulator and will be working together with them to investigate
this matter. In the case of the Ashley Madison data breach, the
OAIC is also working with the Office of the Privacy Commissioner of
Canada on a joint investigation because the operator of the website
is based in that country.
All organisations that carry on business in Australia or have an
'Australian link' are covered by the Privacy Act, and
penalties for breach of the Act include fines of up to $1.7
million. A data breach of itself would not be enough to establish a
breach of Australian privacy laws. It would need to be shown that
one of the Australian Privacy Principles (APPs) was actually
breached. Without knowing the details or circumstances that led to
the information being collected and ultimately exposed, possible
breaches that could be investigated include:
that the company failed to take reasonable steps to ensure that
personal information was held securely
that it did not have sufficient consent to collect that
information from the individual and that it stored the information
for longer than necessary for the purposes it was collected.
The OAIC's data breach guidelines contemplate that
businesses should notify the OAIC (and affected persons) if the
breach involves a 'real risk of serious harm'. Whilst this
is currently a voluntary requirement, the government released an
exposure draft on 4 December 2015, proposing that this notification
requirement become mandatory.
All businesses that collect personal information should consider
what could potentially be exposed if their databases were hacked.
Was such information legitimately collected and do you still have
sufficient reasons to keep it? Do you have a data breach response
plan, and are you taking reasonable steps to ensure that the
information is held securely so your business is not the next in
This publication does not deal with every important topic or
change in law and is not intended to be relied upon as a substitute
for legal or other advice that may be relevant to the reader's
specific circumstances. If you have found this publication of
interest and would like to know more or wish to obtain legal advice
relevant to your circumstances please contact one of the named