Twitter Agrees to Settle FTC Privacy and Security Charges

This posting was written by Cheryl Beise, Editor of CCH Guide to Computer Law.

Micro-blogging service Twitter has agreed to settle Federal Trade Commission charges that it “deceived consumers” about its privacy practices and failed to implement reasonable security measures to safeguard user information.

The Commission issued a complaint yesterday, alleging that Twitter violated Section 5 of the FTC Act by engaging in a number of practices that, taken together, failed to provide reasonable and appropriate security to prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by such users. A proposed FTC consent order, resolving the allegations, was released at the same time.

Between January and May 2009, hackers twice exploited Twitter’s lax and ineffective security measures to obtain unauthorized administrative control of the Twitter system, according to the agency. The hackers gained access to nonpublic user information and reset users’ passwords to send unauthorized tweets from users’ accounts, including one from President-elect Barack Obama and another from Fox News.

Under the terms of the proposed FTC consent order, Twitter has agreed to:

· refrain from misrepresenting its efforts to maintain and protect the security, privacy, confidentiality, or integrity of any nonpublic information;

· adopt and maintain comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information; and

· permit biennial assessments and reports from an independent third-party security professional.

“When a company promises consumers that their personal information is secure, it must live up to that promise,” said FTC Bureau of Consumer Protection Director David Vladeck. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.”

Twitter Blog Post

A post on Twitter’s corporate blog described the 2009 hacking incidents, occurring at a time when the company had fewer than 50 employees, as small in scale and duration—over the course of a few hours, 45 accounts were accessed in January and in April, 10 accounts were accessed before the hacker was detected and shut down within minutes. The blog post noted that, prior to the FTC settlement, “we’d implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices.” No other privacy or security complaints have been brought against Twitter, according to Twitter General Counsel Alexander Macgillivray.

San Francisco-based Twitter was established in 2006 as a social networking website operating at Twitter.com that enables users to send “tweets,” SMS messages of up to 140 characters, to other users who sign up to “follow” them and receive updates via e-mail and mobile text messages. Today, Twitter has around two hundred employees and an estimated 75 million users worldwide.

First Data Security Case Against Social Network

The FTC noted in a press release that its action against Twitter was the first against a social networking service for faulty data security.

The complaint, consent order, and other documents in In the Matter of Twitter, Inc., FTC File No. 092 3093, are available here on the FTC's website. The documents are published at CCH Trade Regulation Reporter ¶16,469.

Further information regarding the CCH Trade Regulation Reporter appear here on the CCH Online Store.