The Federal Trade Commission (FTC) has settled with Twitter with respect to charges that during the first half of 2009 a hacker used an automated password-guessing tool to gain administrative control of Twitter, enabling the sending of phony tweets. Under the terms of the settlement, Twitter is barred for 20 years from misleading consumers about its efforts to protect the security, privacy and confidentiality of nonpublic consumer information, and Twitter must maintain a comprehensive information security program that will be assessed by an independent auditor over the course of ten years.
The complaint by the FTC against Twitter had charged significant data security lapses. In January 2009, a hacker allegedly used fraudulently reset passwords, posted them online, and thus enabled others to access and use them. Indeed, phony tweets were set from nine user accounts. One such tweet was sent from President-elect Obama, which offered $500 in free gasoline to his many Twitter followers. Yet another phony tweet was sent from the Fox News account.
The FTC came down on Twitter because the social networking site allegedly failed to prevent unauthorized administrative control of its system, including not following these "reasonable" steps: 1) requiring employees to use hard-to-guess administrative passwords that they did not use for other purposes; 2) prohibiting employees from storing administrative passwords in plain text within their personal email accounts; 3) suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts; 4) providing an administrative login web page that is made known only to authorized persons and is separate from login page for users; 5) enforcing periodic changes of administrative passwords; 6) restricting access to administrative controls to employees whose jobs require such access; and 7) imposing other reasonable restrictions on access, such as by restricting access to specified IP addresses.
While the FTC brought charges against Twitter, in truth, the settlement is not harsh. Twitter simply has had to promise that it will not mislead consumers going forward (something it should want to avoid irrespective of the settlement), and Twitter must maintain a comprehensive information security program (something that is in the interests of Twitter and its users independent of the settlement).
So, what are the takeaway lessons here?
First, social networking and other sites should be on notice that the FTC is awake and is paying attention; while the Twitter settlement is not onerous, the FTC has made an example of Twitter to let it be known that the FTC can and will come after others for potential privacy and security violations.
Second, when a site promises a certain level of privacy and security protection, it must follow through and deliver on that protection. Promises should not be made that cannot be kept.
Finally, companies will be measured against what is "reasonable" in the industry as far as privacy and security protection efforts. It is important to stay abreast of the most current and the best protection strategies and technologies.
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP (http://www.duanemorris.com) where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Web site is http://www.sinrodlaw.com and he can be reached at firstname.lastname@example.org. To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.