William Gamble, Owner, EMS
Kayla has a new friend. CloudPets produces a toy that talks. It talks with the voice of "friends", hopefully parents, who send messages to the toy through a phone app. When the toy receives a message its little heart blinks. When the child squeezes the toy's paw it plays the message. Another squeeze and the child's reply is recorded and delivered to the friend. Cute.

But like Kayla (the My Friend Cayla doll), it is a real security, privacy and legal nightmare. CloudPets joins an ever-growing set of internet of things (IoT) products that collect personal information, much of it personally identifiable information (PII) and sometimes even protected health information (PHI). Worse, CloudPets, Cayla, Hello Barbie and VTech all collected information about children, and some of them lost it. The VTech breach exposed the records of a reported five million people.

Like some of the other toys, CloudPets recorded children's voices. The recordings were stored as audio files on the web. Worse, the system used to store the customer data was a MongoDB database that sat on an internet-facing network segment with no authentication required. The database had been indexed by the search engine Shodan, and there are simple queries anyone can run on Shodan that return every open MongoDB instance on the internet at any given time. The exposure amounted to 821,296 records of registered users, including password hashes, and references to 2,182,337 voice recordings.

Obviously the IoT industry, and especially its toy segment, has some way to go before it can make these devices secure. But what are the legal consequences of CloudPets? Not good. I will start with state consequences, in this case California, then move on to US federal law, and finally discuss the EU GDPR in the next article.
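The failure described above is a configuration failure, not an exotic exploit: a database that listens on every interface with access control switched off. The following is an added illustration written for this article, not Spiral Toys' actual configuration. It shows the mongod.conf pattern that produces an exposed, unauthenticated instance, followed by the corrected settings. The private interface address and certificate path are placeholders; the TLS keys (net.tls) assume MongoDB 4.2 or later.

```yaml
# --- Exposed instance (constructed example of the pattern described above) ---
# Listens on all interfaces and has authorization off, so anyone who can reach
# port 27017 can list, read, write and drop every database without credentials.
# Shodan-style scanners find exactly this combination.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled
---
# --- Hardened instance ---
# Bind only to loopback plus the private address the application tier uses
# (10.0.0.5 is a placeholder), require authentication for every operation, and
# require TLS so credentials and records are not readable on the wire.
net:
  bindIp: 127.0.0.1,10.0.0.5
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # placeholder path
security:
  authorization: enabled
```

Two caveats a practitioner would want. First, `authorization: enabled` only helps once an administrative user actually exists; create it over the localhost exception before opening the port to the application tier, or the database is still effectively open to anything on that interface. Second, verify from outside the host rather than trusting the file: an unauthenticated `listDatabases` against the hardened instance must be refused with an authentication error, and a connection attempt from any address not covered by `bindIp` (or your network firewall) should fail to connect at all.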
In fact, the largest danger to CloudPets or any other firm has nothing to do with privacy laws. The real problem, at least for public companies, will be securities laws.

A major breach will often trigger notifications to those affected. But what may be most affected is the company's stock. In August 2016 the company responsible for CloudPets, Spiral Toys (STOY), had a market price of $0.85. On March 3, 2017 it closed at $0.0035, a fall of more than 99%. So basically, the failure of CloudPets has meant the failure of Spiral Toys, although it must be admitted that Spiral Toys had many other severe problems. An investigation by the SEC would simply have made things worse.

The jurisdiction of the SEC comes from the famous, or infamous, Rule 10b-5 (17 CFR 240.10b-5, Employment of manipulative and deceptive devices). The rule makes it unlawful for any person or firm, in connection with the purchase or sale of a security, to make an untrue statement of a material fact or to omit a material fact needed to keep what was said from being misleading. A major breach, or a known security flaw in a product, is very likely material. If the firm's management knowingly or recklessly withheld such a fact, it could face fines and sanctions from the SEC as well as claims for losses from private parties who were damaged in buying or selling the firm's stock. Needless to say, these costs could be higher than many of the other damages.
Regulatory compliance for IT is never simple. Rather than a comprehensive system like the new EU GDPR, the US has laws that impose specific regulations depending on what service or product you provide and to whom. The penalties for violating these regulations are often greater than anything a cyber thief could dream of stealing. But you cannot stop with the regulations concerning IT, health care or privacy. The regulatory environment is far larger than that, and agencies such as the SEC have a far worse bite than the FTC. Remember, it is not about compliance, it is about risk.