Snapchat came this close to triggering California’s new, stricter data breach law

Snapchat has been under heightened scrutiny after an unauthorized leak exposed the usernames and phone numbers of millions of people. Independent researchers are still pointing out holes in the app's security. Now, a review of California's privacy law suggests that Snapchat was extremely fortunate in this whole episode.

An update to the law that took effect Jan 1 expands the definition of personal information to include usernames, passwords and the security questions (and answers) that are routinely used to recover them. The additional provision covers Snapchat in a way that should leave its executives feeling relieved. In dealing with the Gibson Security hack, Snapchat got lucky in two ways. The first was that Snapchat narrowly missed having to obey the strengthened regulation. The attack took place over Christmas; if the hackers had simply waited another week, the start-up would have been subject to the new rules, and the leaked usernames previously ignored by the law would suddenly become legally relevant. Second, according to a spokesman for Ellen Corbett, the state senator who authored the revisions, the amended law's notification requirements are only triggered if both usernames and passwords are leaked. Because the Gibson Security hackers only compromised usernames and phone numbers, the company wouldn't have set off the notification requirement under either version of the law.