For weeks, Snapchat has been under heightened scrutiny after an unauthorized leak exposed the usernames and phone numbers of millions of people. The L.A.-based start-up's response drew heavy criticism; it took a week for Snapchat to acknowledge that anything had happened. Another week went by before it released an app update and issued a vague apology for "any problems this issue may have caused." Independent researchers are still pointing out holes in the app's security.
Now, a review of California's privacy law suggests that Snapchat was extremely fortunate in this whole episode.
Many security experts consider the Golden State's 2003 law the baseline when it comes to data breach regulation. Other jurisdictions have their own versions, but California's is generally held up as the model, as it was the first of them to take effect. The statute, S.B. 1386, requires businesses to tell customers about a hack if it exposes personal information such as medical records, financial account data or Social Security numbers.
Until recently, that was the only information that qualified. But an update to the law that took effect Jan. 1 expands the definition of personal information to include usernames, passwords and the security questions (and answers) that are routinely used to recover them. The additional provision covers Snapchat in a way that should leave its executives feeling relieved.
In dealing with the Gibson Security hack, Snapchat got lucky in two ways. The first was that Snapchat narrowly missed having to obey the strengthened regulation. The attack took place over Christmas; if the hackers had simply waited another week, the start-up would have been subject to the new rules, and the leaked usernames previously ignored by the law would suddenly become legally relevant.
Second, according to a spokesman for Ellen Corbett, the state senator who authored the revisions, the amended law's notification requirements are only triggered if both usernames and passwords are leaked. Because the Gibson Security hackers only compromised usernames and phone numbers, the company wouldn't have set off the notification requirement under either version of the law.
That's fortunate for Snapchat, because the company's disclosures wouldn't have measured up to the law's requirements. S.B. 1386 demands that businesses notify their customers of a hack "in the most expedient time possible." The notification should disclose what happened, when the attack occurred and what the company is doing about it, among other things. While Snapchat isn't bound by these requirements, it would have been a good idea for the company to follow them anyway. Users deserve to know when their private data is compromised.
A Snapchat representative did not return a request for comment for this story.