Settlement Offers Guidance on What “Reasonable” Security Means Under COPPA

Foley Hoag LLP - Security, Privacy and the Law
The FTC’s COPPA Guidance does an admirable job explaining the basics of what a business needs to do to comply with COPPA, but is vague as to how a business must protect personal information collected from children. The COPPA Guidance requires that a company use “reasonable procedures” to protect such information from unauthorized access or use, but does not explain what “reasonable procedures” means. This is, no doubt, by design; a specific list of security measures would quickly become obsolete and unhelpful.

A recent settlement with app-maker VTech offers some insight into how the FTC conceives of “reasonable” security measures. The FTC alleged that VTech had represented that data related to parents and children would be transmitted in encrypted format, when in fact such data was often not encrypted. The FTC also alleged that VTech violated COPPA by not having a COPPA-compliant privacy policy on its website that explained how it collected, used, and disclosed data gathered from children. Lastly, the FTC alleged that VTech failed to abide by COPPA’s requirement to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” Its failure to do so, in this case, led to a hacker accessing non-encrypted data of both children and parents.

The settlement contains a requirement that VTech establish and maintain a “comprehensive data security program,” which contains familiar elements such as identification of security risks, designation of employees responsible for security, and testing and evaluating security measures for effectiveness. The allegations of the FTC’s complaint, highlighted in the accompanying press release, make some additional, specific suggestions of what the FTC believed VTech should have done:

  • Segment and protect its live website from its test website environment.
  • Maintain an intrusion detection system.
  • Monitor unauthorized attempts to obtain personal information.
  • Complete vulnerability and penetration testing to protect from widely known vulnerabilities.
  • Implement employee training on data security.

While the FTC does not prescribe certain security measures, companies should expect that the FTC will be looking for these steps as a bare minimum when evaluating the “reasonableness” of a security program under COPPA.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Foley Hoag LLP - Security, Privacy and the Law
