
Playing with cyber trouble: toys and the internet of things

The concept of the ‘Internet of Things’ (‘IoT’) has become a driver of growth in technology production in recent years, as manufacturers have sought to embed internet connectivity into everyday objects and gadgets, hoping to ride the next wave of tech-industry hype. Toymakers are no exception, and as the tastes of their target demographic – kids – evolve, so too must their toys. Today children grow up taking the internet and smartphones for granted, so it makes perfect sense for manufacturers to build some 21st Century pizzazz into their toys – or face high pitched accusations of being ‘boring’. Cue the current eccentric range of ‘smart’ toys, including Lego’s programmable ‘Mindstorms EV3’ smartphone controlled robots, or Sphero’s Star Wars themed BB-8 Droid which exudes Jedi-levels of coolness.

However, in the rush to gain early market traction (or keep development costs down), it seems various toy manufacturers have failed to ensure strong cybersecurity protocols are thoroughly baked into their products. Consequently, a troubling trend emerging recently has been the spate of cyberattacks deliberately targeting ‘smart’ toys. The most high-profile victim so far appears to be VTech, a global supplier of electronic learning products, which revealed in November that various services, including its proprietary app store database, had been infiltrated by hackers.

Details of VTech hack

According to VTech, the cyberattack occurred on or around 14 November 2015, targeting the company’s ‘Learning Lodge’ app store customer database, ‘Kid Connect’ servers and ‘PlanetVTech’ website[i]. In relation to Learning Lodge, the company revealed that over 4.8 million parental user accounts had been compromised, along with over 6.3 million child accounts (of which 1.2 million had the Kid Connect service enabled).[ii] Additionally, in relation to PlanetVTech, the company admitted that around 235,000 parental accounts, and 227,000 child accounts had been compromised[iii]. Initial reports suggest the method of attack was a simple SQL injection (whereby an attacker inserts structured query language statements into a web form, attempting to modify, extract or remove information from the underlying database)[iv]. According to cybersecurity experts, this should have been picked up by any standard security testing protocols.
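The SQL injection pattern described above, shown as an added example (not VTech's code; the table, column names and sample rows are constructed) with the vulnerable string-concatenated query beside the parameterised form that standard security testing would expect to find:

```python
import sqlite3

# Constructed sample standing in for a customer-account table. Hypothetical names.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE parents (email TEXT, password_hash TEXT)")
CONN.executemany(
    "INSERT INTO parents VALUES (?, ?)",
    [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
)


def lookup_vulnerable(email: str) -> list:
    """Defective pattern: the web-form value is spliced into the SQL text,
    so quote characters in the input are parsed as part of the statement."""
    sql = "SELECT email FROM parents WHERE email = '" + email + "'"
    return [row[0] for row in CONN.execute(sql)]


def lookup_parameterised(email: str) -> list:
    """Hardened pattern: the value is bound as a parameter by the driver and
    is only ever treated as data, never as SQL syntax."""
    sql = "SELECT email FROM parents WHERE email = ?"
    return [row[0] for row in CONN.execute(sql, (email,))]


def single_record_check(rows: list) -> bool:
    """Cheap runtime sanity check: a lookup by a unique key that returns more
    than one row is a signal worth logging and investigating."""
    return len(rows) <= 1


# Constructed test input: closes the string literal and appends a tautology,
# which is the kind of value a security test suite submits to every form field.
CRAFTED_INPUT = "' OR '1'='1"


def demo() -> tuple:
    """Returns (rows from the vulnerable query, rows from the parameterised query)."""
    return lookup_vulnerable(CRAFTED_INPUT), lookup_parameterised(CRAFTED_INPUT)
```

The vulnerable query returns every account for the crafted value while the parameterised query returns none, which is exactly the difference a pre-release test should catch.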

In terms of stolen account data, the Learning Lodge and PlanetVTech profiles included a mixture of name, email address and password details, plus IP address and download history, while child profiles contained the child’s name, gender, birthdate and avatar details. However, of extreme concern to many parents was the loss of Kid Connect data, which along with user account information, included child profile photos, chat logs (including audio recordings of conversations) and photo files sent by children and their parents. In total, over 190 GB of photos were hacked, although it should be noted that no credit or debit card details were accessed during the breach. News of the vast data breach immediately triggered alarm from parents, law enforcement and business stakeholders, amid fears the stolen data could appear on underground black markets, where there is demand from criminal organisations for this type of data.

Consequences

In short, the incident has been a PR disaster for VTech, whose shares were temporarily suspended from the Hong Kong Stock Exchange after the hack became public. Along with the reputational damage incurred from the loss of sensitive personal information, VTech has been forced to take various services offline as a precaution. Matters got worse on Christmas Day, as many children who unwrapped new VTech devices found they were unable to play with their new toys (because the services were offline and the devices could not be registered), much to the irritation of many parents, who took to Facebook to publicly vent their frustration at the company.

Dubious T&Cs

In a further, somewhat unorthodox development, VTech has recently come under heavy media scrutiny for a legal update the company issued to the Learning Lodge Terms and Conditions on 24 December 2015 (i.e. Christmas Eve), which attempted to pass responsibility for hacking incidents from VTech to the consumer. Examples of these provisions are set out below:

  • “You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded.”
  • “You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties.”
  • “You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk.”

It remains to be seen whether these new terms are actually enforceable. In the UK, the Consumer Rights Act 2015 provides that ‘unfair’ consumer contract terms are prima facie unenforceable. A ‘fairness test’ is used to determine whether a particular term is unfair – essentially, the test seeks to prevent consumers being put at a disadvantage by considering whether the term causes a significant imbalance to the detriment of the consumer. Additionally, VTech’s right to unilaterally vary the terms, with the effect of reducing the consumer’s rights and without a valid reason, is also potentially unfair.

Problems for other toy manufacturers

Cybersecurity incidents within the toy industry are not confined to VTech. Last year, Mattel’s internet-connected doll ‘Hello Barbie’ was also criticised by security researchers for inadequate security protocols. The doll, which syncs with a companion smartphone app and connects to a Wi-Fi network, contains a built-in microphone, allowing children to talk to the Barbie in a Siri-like manner: the conversation is processed on a remote server, allowing the doll to respond to the child in real time. However, it transpired that there were various authentication vulnerabilities, both server-side and within the toy’s companion app, in addition to susceptibility to the POODLE attack on SSL 3.0, which was first disclosed in 2014. The combined effect of these vulnerabilities (which have since been patched by the manufacturer) could have included a determined hacker being able to intercept and redirect the doll’s voice traffic, replace responses with inappropriate content, and take control of the microphone, potentially allowing the doll to be used to eavesdrop on the user.

Meanwhile, other toy industry titans experiencing recent cybersecurity incidents include SanrioTown.com, an online community for Hello Kitty fans (which exposed the account details of around 3.3 million users), along with Sony, which previously experienced a well-documented cyberattack knocking out the PlayStation Network, to the dismay of millions of users – and of the UK’s Information Commissioner, who fined Sony £250,000 for the incident.

Data protection compliance issues

The upward trend in IoT related cybersecurity incidents demonstrates that manufacturers of IoT connected devices and toys must ensure devices are thoroughly screened for cybersecurity vulnerabilities, before going to market. Along with bad publicity, there is a real risk of financial damage to businesses ignoring these warnings.

In the UK, although there is no specific data protection law concerning children or internet connected toys aimed at children, it is generally accepted that there is a higher standard expected of data controllers while handling children’s personal data. Indeed, in May 2015, the ICO launched a review of children’s websites and apps. Commenting on principles under the Data Protection Act 1998, Steve Eckersley, ICO Head of Enforcement, stated: “In the UK, we’re clear that apps and websites should not gather more personal data than they require, and operators should be upfront about how and why they collect information and how they use it. These principles are true whatever the audience, but they are especially true where children are concerned.” The review conducted by the ICO, in a joint collaboration with the Global Privacy Enforcement Network (GPEN), saw 29 data protection regulators from around the world examine over 1,494 websites and apps aimed at children, with a view to how personal information was collected and shared:

  • Only 31% of children’s sites / apps had effective controls in place to limit the collection of personal information from children.
  • 50% of children’s sites / apps shared personal information with third parties.
  • 71% of children’s sites / apps did not offer an accessible means for deleting account information.

Under the Data Protection Act 1998, the maximum fine the ICO can impose for the most serious data breaches is £500,000. However, at EU level, the long awaited General Data Protection Regulation (GDPR) has finally been agreed and is likely to become law in 2018. Under the new regime, businesses will be required to notify the relevant data protection authority within 72 hours of becoming aware of certain data breaches, while maximum fines will be dramatically increased, as set out below:

  • €10 million or, if an undertaking, 2% of total worldwide annual turnover in the preceding financial year for breaches by data processors; and
  • €20 million or, if an undertaking, 4% of total worldwide annual turnover in the preceding financial year for breaches by data controllers.

Lessons

To conclude, businesses should remember that just because a smart toy is aimed at a younger demographic, this is no excuse for not implementing industry-standard security protocols and a clearly defined policy on the collection of user data. Regulatory penalties for failure to comply are becoming more serious, while parents are likely to be very hostile towards any news of a cybersecurity incident affecting their children.

Contact our experts for further advice

Calum Murray