Updated: 10th October 2017
Hong Kong electronic toy maker VTech hit the headlines in 2015 for the exposure of the personal details of nearly 11 million accounts including 6.37 million children. The incident resulted in a class action suit in the Northern District of Illinois, Eastern Division, USA. The initial claim was dismissed in July 2016 because the plaintiffs had failed to prove their fears of identity theft. In a revised claim, the plaintiffs wanted the court to assess damages on the basis that the breach reduced the value of their purchases but VTech is arguing that the online services that were breached (Learning Lodge and Kid Connect) were launched after the toys were released. As the ruling in July 2016 said that registration for services was separate from the purchase of the toys, the revised claim looks likely to fail.
This highlights one of the differences between USA and European Union law about personal data privacy. In the EU, a data leak must be reported and is punishable, with no proof of damage being necessary. In Hong Kong, the PDPO only allows the Privacy Commissioner for Personal Data to issue an Enforcement Notice for a first breach.
Yui Kee Chief Consultant Allan Dyer commented, "The number and size of data breaches that are being reported make it clear that many organisations are not protecting people's personal data adequately. The message from this case for commercial companies is clear: security to protect customers' personal data is a waste of money because there will be no financial penalty for a breach. If we want to strengthen our defence against identity theft and other attacks using personal data, we must demand stricter personal data protection laws."