A Deep Dive into Privacy/Security Disclosures in Snap’s S-1

by Mintz Levin - Privacy & Security Matters

[co-author:

Last week, Snap Inc. (“Snap” or the “Company”) – the parent company of the wildly popular app Snapchat (“Snapchat” or the “App”) – became a publicly traded company on the New York Stock Exchange in the biggest tech IPO since Alibaba in 2014.  Priced at $17 per share, the Snap stock opened at $24 per share on Thursday morning and closed at $24.48 per share, bringing the Company’s market capitalization to approximately $28 billion. In today’s post, we’re taking a closer look at Snap’s S-1 filing (“Snap S-1”) with the U.S. Securities and Exchange Commission (SEC) with a particular focus on the Company’s disclosures of risk factors associated with cybersecurity and privacy risks. 

Background

Since launching in 2012, Snapchat has earned a spot among the most popular social media apps for iOS and Android devices, logging millions of daily users and constantly evolving to accommodate its growing base. Snapchat has skyrocketed in popularity in recent years by allowing users to send their friends ephemeral photo and video messages that disappear seconds after opening. According to the Snap S-1, Snapchat had “158 million Daily Active Users on average in the quarter ended December 31, 2016”, with the majority of users being between 18 and 34 years old. In contrast to other major social media platforms like Facebook and Twitter (and texting, for that matter), Snapchat doesn’t create a permanent, visible log of your posts and interactions with friends. Rather, the App compares its services to the nature of our everyday in-person conversations – once that moment is shared in a given context, it’s over and gone. Snapchat allows users to shoot their friends a quick “snapshot” of a moment in their lives without inscribing them into a digital timeline that can be scrolled through, re-read, or shared publicly. This makes users more comfortable sharing things with their friends that they might not normally post online, or even send in a text or email.

With all that being said, Snapchat does collect a good amount of information about its users. As described in Snapchat’s privacy policy, in addition to collecting a user’s unique username, password, email address, phone number, and date of birth, and any information a user sends through the App (e.g., snaps and chats), the App also collects usage information (in other words, it knows to whom a user sends snaps, how frequently a user does so, and if a user consents to sharing her geographic data, the location from where the snaps are sent), content information (including metadata), and device information (including, with consent, device phone book information).

An app that lets users communicate without a trace: what could possibly go wrong? As it turns out, quite a bit. As the popularity of the mobile application grew, so too did concerns regarding its data security practices and its ability to deliver on the promises made to its users. Snapchat was accused of misleading its users when it was revealed that the images and videos that allegedly “disappear forever” were actually being stored on company servers, and that a number of other features of the app (such as screenshot detection) were not as reliable or secure as originally represented. The App was hacked in 2014, resulting in the exposure of consumer data from 4.6 million accounts. Following a major FTC investigation and settlement, Snap was required, among other things, to implement a comprehensive privacy program and submit to monitoring for a period of 20 years. Following a subsequent settlement with Maryland’s Attorney General a month later, Snap was required, among other things, to comply with the Children’s Online Privacy Protection Act (“COPPA”) and, for a period of 10 years, to take specific steps to ensure children under the age of 13 are not creating Snapchat accounts. Both of these settlements are described as part of the risk factors in the Snap S-1.

Snap S-1 Cybersecurity and Privacy Risk Factors

As expected, the cybersecurity and privacy-related risk factors listed in the Snap S-1 are in line with the SEC’s 2011 guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents. Apart from the discussion of Snap’s 2014 settlements with the FTC and the Maryland Attorney General, as you can see by looking at the risk factors we reproduced below, the disclosures are rather generic. Snap generally describes the various privacy and security risks the Company is facing as a result of its business model and emphasizes the direct and secondary consequences and risks associated with security and privacy breaches, which could apply to any similar social media platform:

  • “If our security is compromised or if our platform is subjected to attacks that frustrate or thwart our users’ ability to access our products and services altogether, which could seriously harm our business”.
  • “Mobile malware, viruses, hacking and phishing attacks, spamming, and improper or illegal use of Snapchat could seriously harm our business and reputation”.
  • “Because we store, process, and use data, some of which contains personal information, we are subject to complex and evolving federal, state, and foreign laws and regulations regarding privacy, data protection, and other matters. Many of these laws and regulations are subject to change and uncertain interpretation, and could result in investigations, claims, changes to our business practices, increased cost of operations, and declines in user growth, retention, or engagement, any of which could seriously harm our business”.
  • “We may be subject to regulatory investigations and proceedings in the future, which could cause us to incur substantial costs or require us to change our business practices in a way that could seriously harm our business”. 
  • “We may face lawsuits or incur liability based on information retrieved from or transmitted over the internet and then posted to Snapchat. We have faced, currently face, and will continue to face claims relating to information that is published or made available on Snapchat. In particular, the nature of our business exposes us to claims related to defamation, intellectual property rights, rights of publicity and privacy, and personal injury torts”. 
  • “We plan to continue expanding our operations abroad where we have limited operating experience and may be subject to increased business and economic risks that could seriously harm our business…. In addition, we are subject to a variety of risks inherent in doing business internationally, including…risks related to the legal and regulatory environment in foreign jurisdictions, including with respect to privacy, and unexpected changes in laws, regulatory requirements, and enforcement.” 

One rather unusual risk factor listed in the Snap S-1 is that Snap relies on Google Cloud “for the vast majority of [its] computing, storage, bandwidth, and other services” and that “any disruption of or interference with [its] use of the Google Cloud operation would negatively affect [its] operations and seriously harm [its] business”. While the practice of using a third party’s technology infrastructure to host and operate an online platform is certainly not novel, and in fact, increasingly common for Internet businesses, Snap’s disclosure emphasizes the increased risk not just to the operation and continuity of Snap’s business but also to the security of the Snap data shared with and stored by the service provider. From a business continuity risk perspective, Snap disclosed the risk of having architected its product and computer systems “to use computing, storage capabilities, bandwidth, and other services provided by Google, some of which do not have an alternative in the market” and that it has committed to spend $2 billion with Google Cloud over the next five years. As a somewhat secondary risk, Snap mentioned that because Google’s services are restricted in China, it is uncertain whether Snap “will be able to enter the market in a manner acceptable to the Chinese government.”   Although Snap did not specifically focus on privacy and security when discussing the risks of using Google Cloud, as a part of the general discussion of the various risks to the security of Snap user information, Snap mentioned the risk of improper disclosure and access to such information when stored by the Company’s third party partners and advertisers, even when such third parties implement adequate security measures and comply with Snap terms and policies.

In addition to discussing the various cybersecurity and privacy related risks stemming from its business model, like its competitors, Snap also lists the following effects of security and privacy breaches on the Company and its business:

  • “There are many factors that could negatively affect user retention, growth, and engagement, including if….there are concerns about the privacy implications, safety, or security of our products.”
  • “Our financial condition and results of operations in any given quarter can be influenced by numerous factors, many of which we are unable to predict or are outside of our control, including….system failures or breaches of security or privacy….or changes in the legislative or regulatory environment, including with respect to privacy, or enforcement by government regulators, including fines, orders, or consent decrees.”
  • “Unfavorable publicity regarding us, for example, our privacy practices, product changes, product quality, litigation, or regulatory activity, or regarding the actions of our partners or our users, could seriously harm our reputation.”

What does going public mean for Snap from a cybersecurity and privacy perspective?

As a public company, Snap will be subject to extensive public filing and disclosure requirements, including, to the extent material, disclosures regarding security and privacy. As noted in the Snap S-1, “by disclosing information in this prospectus and in filings required of a public company, our business and financial condition will become more visible, which we believe may result in threatened or actual litigation, including by competitors and other third parties.” Snap will also now have shareholders to answer to. In the coming months, we (along with the SEC, FTC and other regulators) will certainly be keeping an eye on Snap to observe how it will uphold its commitment to consumer data privacy and keeping its services safe and secure for users across the globe.
