The Washington Post reports that 13GB of "snaps" (Snapchat photos) have been leaked online on the hacker forum 4chan. A flaw in a third-party app that lets users save the otherwise temporary messages reportedly caused the security breach.
Snapchat messages are supposed to disappear within ten seconds, but third-party programs like Snapsave and Snapsaved.com can run alongside Snapchat, allowing users to save their snaps before they disappear. These apps are not affiliated with Snapchat, which claims it shouldn't be held responsible for the data breach because the hack targeted non-approved third-party apps.
Is Snapchat liable for another company's data breach? It's hard to tell. The liability issues surrounding this data breach are extremely complicated. Before we get into questions of mobile developer liability, let's review the basic facts in the case:
- Leaks came from a third-party app, not Snapchat.
- One of the third-party apps that might have been hacked is currently out-of-business, which means users won't be able to sue it for damages.
- About half of all Snapchat users are underage, which means that many of the 200,000 leaked images were of underage users.
- Regardless of whether Snapchat is found to be at fault, its brand has been damaged.
Snap Judgments: Third-Party App Liability and Snapchat's Past Legal Trouble
Here's the thing: Snapchat has already faced scrutiny from government regulators for its willful ignorance of the way third-party apps expose its users' security.
In March, the Federal Trade Commission handled a complaint against Snapchat. The complaint argued that the messaging service was well aware that third-party apps could save "snaps." The complaint pointed out that Snapchat had consulted with security experts about this problem, but still continued to advertise its service as "secure" and claim its messages were "ephemeral." To put it bluntly, the FTC accused Snapchat of burying its head in the sand.
The FTC settled its case with Snapchat, forcing the company to agree to 20 years of government oversight of its security practices. In addition, Snapchat has had to change its marketing strategies and is no longer allowed to advertise that user messages are secure and temporary.
It's worth pointing out that Snapchat's dispute with the FTC wasn't over a data breach. It was about the way the app was marketed as "secure." The FTC has announced on its website that mobile developers need to substantiate all security-related claims. If you say your app is secure, it really needs to be secure. If your program can be hijacked by common third-party apps, you could still be held responsible.
Takeaways from the Snapchat Data Breach
If you're a mobile developer or IT professional, you're probably wondering what your can learn from Snapchat's data breach. Focus on these three things:
- IT and developer liability is constantly evolving. As happens so often with IT liability, courts and regulators are still figuring out who should be liable for data security. How do you cover constantly changing data risks? E&O Insurance can pay for IT and developer lawsuits even as laws and technology change at breakneck speeds.
- You can't bury your head in the sand when it comes to third-party liabilities. Developers can't ignore the way third-party apps use their programs. For instance, if you sign a contract with an advertising company that tracks your user data, you're responsible for informing users that their data is being shared with a third party.
- Your liabilities include how you market apps. The FTC announced it is going after app makers that misrepresent the security of their programs. If developers market their apps as secure, but can't truly back it up, they could face a significant penalty from the FTC.
To learn more about developer liability, make sure you check out our sample insurance quotes for mobile developers.