It has been an interesting year in student privacy. It has been a very interesting year for me as I navigate a new school system with apps and integrated student portals I did not have access to before. But nothing can compare to the recent data breaches in the toy industry. So in this season of gift giving, all I want for the kids is some privacy……
It is easy to begin to condemn the different companies that were breached recently such as V-Tech, Barbie and now Hello Kitty, not only because of the size of the breach, but also because of who these breaches affected. The data breaches appeared to have affected a very large number of people – close to 5 million, if not more. When we think of data breaches we think of name, address, credit card info, birthdate etc. being breached, in some cases we disclose deeply personal information to companies such as healthcare information. But what makes it more problematic to me is that minors’ information is now in the hands of hackers that can take a child’s information and run with it.
But the privacy discussion has to be broader than being appalled at the lack of security surrounding children’s data. Once the breach happened with children’s information we can’t help but shift the conversation to discuss not only how this breach happened but what could be done to protect this information. For starters, children’s accounts were linked to their parents’ accounts. Why wouldn’t these companies silo the data sets so that if hackers wanted credit card information they would not be able to immediately link to children? I also read that the data was encrypted with antiquated systems at best. Now, I am not a data encryption expert but when it comes to personal data (in particular children’s) we should be thinking of encryption as a necessity in which corners cannot be cut, not ever. Data at rest encryption anyone?
Further, hacking children’s data takes it to a different level of concern. Most of these toys collect personal preferences from the kids playing with them. It is not only name and address that is collected but patterns, behaviors, reactions to the toy. So if a hacker has access to this information they could have a detailed picture of a family’s routines and a child’s interests etc.
So what do we do? I believe we need to reexamine how the data is collected and stored. If parent and child accounts are linked, then you literally have offered the keys to the kingdom to anyone hacking into the system. Toy companies in particular must have adequate encryption and security standards surrounding their customers’ information. Don’t forget these customers are children, little human beings. More importantly, we need to ask what data does a toy really need to work, and if the data collected makes us uneasy in the slightest way, well, maybe we shouldn’t be collecting that information for a child to play with a toy.
Finally, I think we all need to be conscious that we don’t collect (or provide) so much data from children that they turn into data entities void of any human connection. I have spoken to app and software developers and in the midst of their excitement they tend to forget who their end users are. When it comes to toys or apps geared to the under 18 crowd, we must remember that there is a little person at the other end utilizing and providing personal information in order to be entertained, engaged and challenged in their play and development. We are responsible for ensuring only the necessary data is collected, if at all. We are responsible for protecting the data collected from children. We must ensure that not only is data safe but that children are safe in case of a breach. We owe them that gift for the holidays.