The Federal Trade Commission (FTC) has been at it again, settling on December 31, 2014 with Snapchat over privacy and data security concerns stemming from its text and video mobile messaging services. The settlement is instructive for gauging the FTC’s enforcement priorities and illustrates the steep costs a company can face when the FTC alleges the company has engaged in deceptive or unfair trade practices.
Snapchat Security Concerns and Breach
Snapchat is a mobile messaging service that lets a user send a photo or video (called a “snap”) which, by default, is viewable for up to 10 seconds before it disappears from the recipient’s device. Although ostensibly intended to promote privacy by establishing a limited lifetime for certain communications before automatic deletion, concerns around Snapchat’s services and data collection practices have been grabbing attention for quite some time. As early as May 2013, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC alleging that Snapchat misrepresented the disappearing nature of data sent via its application. EPIC alleged that, contrary to Snapchat’s public claims that all snaps disappeared, snaps could be stored on a recipient’s device and remain accessible outside the application.
In December 2013, Gibson Security published details regarding vulnerabilities in Snapchat’s platform that could lead to a data breach. The following month, a group named “SnapchatDB” hacked Snapchat and downloaded the usernames and phone numbers of up to 4.6 million users. It then publicly posted a database of Snapchat user information for anyone to download, according to GovInfoSecurity and the Washington Post.
On December 31, 2014, the FTC approved a final settlement that, consistent with other recent FTC settlements involving data security and privacy issues: (1) prohibits misrepresentations about Snapchat’s efforts to secure the privacy, security, or confidentiality of user information and (2) requires Snapchat to implement a comprehensive privacy program that will be monitored by an independent privacy professional for two decades. The program must be in writing, the independent privacy professional’s biennial assessments must be delivered to the FTC’s enforcement division, and the FTC’s order, detailing all of its requirements, must be delivered throughout the company. The FTC Chairwoman commented: “If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keeps those promises… Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”
Though the settlement does not include a fine, the incident will certainly affect Snapchat’s bottom line and serves as a warning to other companies. First, the settlement (like other recent settlements) imposes requirements that could be very costly. Second, a failure to comply with an FTC order could result in steep financial penalties. Finally, companies should not underestimate the public relations damage resulting from an FTC enforcement action alleging inadequate security and privacy controls. Indeed, Snapchat has been repeatedly and openly criticized for allegedly employing inadequate security measures and ignoring warnings of security vulnerabilities. Companies should take action to ensure that their own privacy and security representations are accurate and that their controls are adequate, in order to avoid similar enforcement actions.