[BreachExchange] You Can't Hide Behind Your EULA

Tue Feb 23 20:53:48 EST 2016

https://www.cooley.com/72847

Companies trying to shift liability for data breach by hiding catch-all
exclusion clauses in End User Licence Agreements (EULAs) can learn from one
company's latest antics.

What's happened?

At the end of last year, Toy company VTech was subject to a data security
breach which cost them the data of 6.3 million children and and 4.8 million
parents. The data compromised included photos, voice messages and chat
conversations between the adults and their children. Since the breach,
VTech changed its Learning Lodge Software's EULA to include an exclusion of
its liability for data breach, shifting the burden to parents to assume
full responsibility for using its software:

"You acknowledge and agree that any information you send or receive during
your use of the site may not be secure and may be intercepted or later
acquired by unauthorised parties. You acknowledge and agree that your use
of the site and any software or firmware downloaded therefrom is at your
own risk."

What's the big deal?

Apart from being a bit mean, it goes against the basic principles of data
protection and consumer law in the UK. The Data Protection Directive 95/46
EC places obligations on the data controllers and processors to take
appropriate steps to protect the information from unauthorised disclosure
or access, the burden is not on the data subject. Further, the Consumer
Rights Act 2015 ("the Act") was drafted with the aim of increasing fairness
and transparency for consumers, which includes in respect of digital
content. The Act "greylists" certain limitations of liability and considers
"transferring inappropriate risks to consumers" unfair and potentially
unenforceable. Were this clause to be analysed in conjunction with the Act,
it is unlikely the Competition and Markets Authority and/or Trading
Standards would let this slip thought the net.

What now?

In response, the ICO stated that when handling people's personal data,
organisations are responsible for keeping that data secure. It is unclear
whether there will be formal consequences for VTech, but if they do not
change the wording, they could come under further scrutiny. Currently, the
ICO can impose limited fines. However, under the upcoming General Data
Protection Regulation, the maximum fine for a breach of data protection law
would rise to up to 4% of a company's worldwide turnover.
Organisations need to take care when drafting EULA and similar terms;
blanket exclusions of liability which place unfair burdens on the consumer
are likely to be seen as illegal and unenforceable and could have serious
repercussions.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160223/f6ca0896/attachment-0001.html>