Office of the Privacy Commissioner of Canada | Personal Information Protection and Electronic Documents Act | PIPEDA Report of Findings #2018-001 | Well-founded & resolved

PIPEDA Report of Findings #2018-001: Connected toy manufacturer improves safeguards to adequately protect children’s information

Organization: VTech Holdings Limited
Decision: Jan 8, 2018
Published: Jan 8, 2018

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint following a global data breach at VTech Holdings Limited, which potentially compromised the personal information of over 316,000 Canadian children and 237,000 Canadian adults. The investigation found significant deficiencies in VTech's information security safeguards, including a lack of testing, inadequate access controls, cryptographic issues, and absence of security monitoring. Although VTech contravened PIPEDA Principle 4.7, the OPC concluded the matter was resolved because VTech implemented timely and comprehensive measures to address the breach and improve its security.

  • Adequacy of information security safeguards for children's data
  • Failure to test for and mitigate known vulnerabilities
  • Insufficient access controls and cryptographic protection
  • Lack of comprehensive security management program

Complaint well-founded and resolved

VTech's safeguards were inadequate given the sensitivity and volume of data, particularly concerning children, and they failed to protect against known vulnerabilities. However, the company implemented comprehensive remedial measures following the breach, resolving the identified issues.

AI-generated summary for reference only. Always verify against the official decision.

Recommended action / remedy

VTech implemented comprehensive security improvements, including regular testing, enhanced access controls and cryptography, increased monitoring, and a new security management framework.

Statutory provisions cited
  • Principle 4.7 PIPEDA
  • Principle 4.7.1 PIPEDA
  • Principle 4.7.2 PIPEDA
  • Principle 4.7.3 PIPEDA

This summary is informational only and not legal advice.