Alert June 28, 2010

Twitter and FTC Settle Data Security Charges; Companies With Privacy and Data Security Offerings Attract Venture Capital Funding

The Federal Trade Commission (“FTC”) recently announced that it had settled charges with Twitter over the FTC’s claims that Twitter failed to protect consumers’ personal information.  The FTC had alleged that lapses in Twitter’s data security had permitted hackers to obtain administrative control of Twitter, enabling them to obtain access to “tweets” that consumers had designated as private and allowing them to send out phony tweets – brief messages of 140 characters or less. According to the FTC complaint, the hackers were able to view nonpublic user information, gain access to direct messages and protected tweets, reset users’ passwords and send “authorized” tweets from users’ accounts.

The FTC claimed that Twitter was vulnerable to the hackers’ attacks because it failed to take reasonable steps to prevent unauthorized administrative control of its system, even though its privacy policy stated: “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.” Specifically, the FTC claimed that Twitter failed to:

  • Require employees to use hard-to-guess administrative passwords not used for other programs, websites or networks
  • Prohibit employees from storing administrative passwords in plain text within their personal email accounts
  • Suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts
  • Provide an administrative login webpage made known only to authorized persons and separate from the login page for users
  • Enforce periodic changes of administrative passwords by, for example, setting them to expire every 90 days
  • Restrict access to administrative controls to employees whose jobs required it
  • Impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses

To settle the charges, Twitter has agreed to comply with a rigid information security program for an extended period of time.  Specifically, under the terms of the settlement, for a period of 20 years, Twitter will be barred from misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years.

Implications 

The Twitter case, the 30th that the FTC has brought against a company for insufficient data security practices and the first of such cases brought against a social networking site, shows that the FTC is continuing to take data security issues seriously. Companies concerned about the sufficiency of their data security program should, in addition to verifying their compliance with applicable law and contractual requirements, focus on the areas of deficiency identified by the FTC with respect to Twitter’s information security when evaluating their own practices.

Industry Outlook

The Twitter case comes at a time when both private industry and regulators are placing significant emphasis on privacy and data security issues.  Recently, the FTC held a series of privacy workshops and has been analyzing whether additional laws and regulations are necessary to protect the privacy and security of consumer information. On June 21,  the FTC drew a lot of attention when a senior attorney in its consumer protection bureau claimed at a conference that U.S. privacy laws fail to protect American consumers and place too much of a burden on consumers.1 These events and comments suggest to some that further regulation may be on the near horizon.

Meanwhile, business opportunities in privacy and data security continue to grow.  As privacy debacles and data security breaches grip public attention, companies that protect privacy and data security are increasingly drawing the attention of venture capitalists. A recent Wall Street Journal article highlighted this significant trend, discussing how venture capitalists have funded privacy start-ups like ReputationDefender, SafetyWeb, SocialShield and Albine.2 These investments suggest that the increased regulatory emphasis on privacy and data security is driving increased demand for tools that enable organizations to fulfill their compliance obligations.