The U.S. Federal Trade Commission (FTC) is proving how seriously it is taking concerns over consumer privacy by making Twitter create an independently audited information security program.
The FTC and Twitter came to a settlement yesterday on charges that the social-networking site “deceived consumers and put their privacy at risk.”
This was in response to significant lapses in Twitter’s data security that allowed hackers on two separate occasions in 2009 to take control of accounts including those of then President-elect Barack Obama, Fox News and Britney Spears. This was the 30th case the FTC has filed targeting faulty data security but the first one ever filed against a social-networking service.
The settlement includes a 20-year ban on Twitter from “misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years.”
Steve Rubel, senior VP-director of insights for Edelman Digital, said the ruling further proves the FTC is serious about monitoring social media. “The FTC is watching key social networks to make sure they can be trusted, and that’s a further sign that this administration may not be afraid to regulate certain channels,” he said.
In a statement, David Vladeck, director of the FTC’s Bureau of Consumer Protection, said any company promising consumers protection of their personal information must live up to that promise.
“Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations,” Vladeck said. “Consumers who use social-networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.”
Rubel said this will force Twitter to “grow up a lot faster” than it was probably prepared to. “They are going to have to endure more cost and regulation than they did before,” he said. “But the government wants to maintain the integrity of that service for the benefit of consumers, which is a good thing in the long run.”
The FTC went on to list the “reasonable steps” Twitter failed to implement that could have prevented hackers from accessing the accounts. These steps included: requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites or networks; prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts; enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days; and suspending or disabling administrative passwords after a reasonable number of unsuccessful log-in attempts.
After the settlement, Twitter posted a statement on its blog from its general counsel, Alexander Macgillivray. “We’ve reached an agreement that resolves [the FTC’s] concerns. Even before the agreement, we’d implemented many of the FTC’s suggestions, and the agreement formalizes our commitment to those security practices.”
