Settlement Offers Guidance on What “Reasonable” Security Means Under COPPA

The FTC’s COPPA Guidance does an admirable job explaining the basics of what a business needs to do to comply with COPPA, but is vague as to how a business must protect personal information collected from children. The COPPA Guidance requires that a company use “reasonable procedures” to protect such information from unauthorized access or use, but does not explain what “reasonable procedures” means. This is, no doubt, by design; a specific list of security measures would quickly become obsolete and unhelpful.

A recent settlement with app-maker VTech offers some insight on how FTC conceives of “reasonable” security measures. The FTC alleged that VTech had represented that data related to parents and children would be transmitted in encrypted format, when in fact such data was often not encrypted. The FTC also alleged that VTech violated COPPA by not having a COPPA-compliant privacy policy on its website that explained how it collected, used, and disclosed data gathered from children. Lastly, the FTC alleged that VTech failed to abide by COPPA’s requirement to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” Its failure to do so, in this case, led to a hacker accessing non-encrypted data of both children and parents.

The settlement contains a requirement that VTech establish and maintain a “comprehensive data security program,” which contains familiar elements such as identification of security risks, designation of employees responsible for security, and testing and evaluating security measures for effectiveness. The allegations of the FTC’s complaint, highlighted in the accompanying press release, make some additional, specific suggestions of what the FTC believed VTech should have done:

  • Segment and protect its live website from its test website environment.
  • Maintain an intrusion detection system.
  • Monitor unauthorized attempts to obtain personal information.
  • Complete vulnerability and penetration testing to protect from widely-known vulnerabilities.
  • Implement employee training on data security.
  • While the FTC does not prescribe certain security measures, companies should expect that the FTC will be looking for these steps as a bare minimum when evaluating the “reasonableness” of a security program under COPPA.

Leave a Reply

Your email address will not be published. Required fields are marked *