BlogLine

FBI Issues Warning About the Dangers of Internet-Connected Toys

7/21/17

By: Jennifer Lee

The FBI is alerting parents to the risks and dangers associated with bringing an internet-connected smart toy into their homes and their children’s lives. Earlier this week, the Bureau’s Internet Crime Complaint Center (IC3) issued a consumer notice regarding internet-connected toys. It urges parents to “consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments.”

Internet-connected toys can pose a privacy and cybersecurity threat to families who choose to bring such toys into their home as many of these toys are designed to be interactive and are increasingly incorporating technology that learn and tailor their behavior based on such interactions.

For example, most of these toys can carry a conversation, and in fact, this is one of the selling points of such internet-connected toys like CloudPets and Hello Barbie. But this feature requires a microphone. According to the IC3, it is very possible—and even likely—that the microphones are on all the time, listening to not only children’s chatter, but everything else that is happening in the background in its vicinity. Furthermore, it is also almost certain that the data the toys record get transmitted to a remote server. This is a cause for concern because most parents are unaware of what data is being transmitted, to whom the data is transmitted, or the cybersecurity practices, privacy policies, and data retention policies of its recipient.

Another risk that the IC3 warned parents of is that the personal identifiable information (PII) of their children could be collected in connection with their use of these toys. If the toy maker or the company responsible for collecting and maintaining the information suffers a data breach, such PII —including children’s names, physical addresses, and phone numbers —may be leaked, which could result in identity theft. If the leaked data contains GPS data, it could allow someone to pinpoint the child’s physical location.

The increase in popularity and sales of internet-connected toys and the ubiquity of data breaches pose a new set of potential lawsuits for toy-makers. Whereas before, toy makers mostly worried about product liability claims stemming from alleged manufacturing or design defects, now, toy makers face potential privacy and data breach litigation as well.

In fact, one such lawsuit was already filed against Mattel and ToyTalk for Mattel’s interactive doll, Hello Barbie, in December 2015. The purported class action complaint, filed in Los Angeles County Superior Court, alleged that the defendants did not disclose ToyTalk’s plan to and practice of using children’s conversation data for data mining and other purposes. The complaint further alleged that the defendants did not have sufficient cybersecurity protections in place to fend off attacks from hackers and to prevent them from gaining unauthorized access to the data collected and to the toys themselves, which would allow them to interact with children through the toys without anyone’s knowledge.

Although the Hello Barbie case was dismissed with prejudice at the plaintiff’s request, it is not a one-off situation. Because more and more toys are becoming internet-connected and data breaches are on the rise, a new wave of privacy and data breach lawsuits involving internet-connected toys, especially in the form of class actions, are on the horizon.

To minimize the risk of becoming embroiled in such expensive litigation, makers of internet-connected toys should be intentional about the quality and quantity of data they collect from children to ensure that they only collect data that is absolutely necessary for the proper function of the toy, and if it must collect PII, anonymize any PII collected. In addition, toy makers should audit their privacy policies and data retention policies to confirm compliance with applicable federal and state regulations, such as COPPA. Finally, toy makers should enact and adopt adequate cybersecurity measures and protocols to prevent any unauthorized access to the data collected and to the toys themselves.

If you have any questions regarding privacy and data breach litigation or how your business can be prepared for and respond to a cyberattack, please contact Jennifer Lee at jlee@fmglaw.com.