The FTC’s COPPA Guidance does an admirable job explaining the basics of what a business needs to do to comply with COPPA, but is vague as to how a business must protect personal information collected from children. The COPPA Guidance requires that a company use “reasonable procedures” to protect such information from unauthorized access or use, but does not explain what “reasonable procedures” means. This is, no doubt, by design; a specific list of security measures would quickly become obsolete and unhelpful.
The settlement contains a requirement that VTech establish and maintain a “comprehensive data security program,” which contains familiar elements such as identification of security risks, designation of employees responsible for security, and testing and evaluating security measures for effectiveness. The allegations of the FTC’s complaint, highlighted in the accompanying press release, make some additional, specific suggestions of what the FTC believed VTech should have done:
- Segment and protect its live website from its test website environment.
- Maintain an intrusion detection system.
- Monitor unauthorized attempts to obtain personal information.
- Complete vulnerability and penetration testing to protect from widely-known vulnerabilities.
- Implement employee training on data security.
While the FTC does not prescribe specific security measures, companies should expect the FTC to look for these steps as a bare minimum when evaluating the “reasonableness” of a security program under COPPA.