Today, Twitter and the Federal Trade Commission settled charges that the micro-blogging site had engaged in unfair and deceptive trade practices because of “serious lapses in the company’s data security.” The FTC began an investigation into Twitter after hackers obtained administrative control of the service, accessed tweets that consumers had designated private, and sent out phony tweets (from then-Presidential candidate Barack Obama, Fox News, and others).

In its complaint, the FTC alleged that Twitter was vulnerable to these attacks because it failed to take certain reasonable steps to prevent unauthorized administrative control of its system. Those steps included:

  • Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
  • Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts
  • Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts
  • Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
  • Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days
  • Restricting access to administrative controls to employees whose jobs required it
  • Imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses
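The controls in that list are mostly mechanical and easy to enforce in code at the administrative login itself. The following is an added illustration, not Twitter's code or anything from the FTC complaint: it models an admin account with a salted password hash (no plain-text storage), lockout after a set number of failed attempts, a 90-day password age limit, a role check, and a source-IP allowlist. The thresholds, network range, account names and clock value are all constructed for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy values: illustrative thresholds, not Twitter's or the FTC's.
MAX_FAILED_ATTEMPTS = 5                          # suspend after this many consecutive failures
PASSWORD_MAX_AGE = timedelta(days=90)            # the 90-day expiry the complaint gives as an example
ADMIN_ALLOWED_NETS = [ip_network("10.0.0.0/8")]  # admin console reachable only from this (constructed) range

def hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash, never the plain-text administrative password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class AdminAccount:
    username: str
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    has_admin_role: bool          # least privilege: only staff whose job requires admin access
    failed_attempts: int = 0
    locked: bool = False

def check_admin_login(acct: AdminAccount, password: str, source_ip: str, now: datetime) -> str:
    """Evaluate one administrative login against the listed controls; returns a verdict string."""
    if not acct.has_admin_role:
        return "denied: no administrative role"
    if not any(ip_address(source_ip) in net for net in ADMIN_ALLOWED_NETS):
        return "denied: source IP not permitted for admin access"
    if acct.locked:
        return "denied: account locked"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True    # suspend the credential after a reasonable number of failures
            return "denied: account locked"
        return f"denied: bad password ({acct.failed_attempts}/{MAX_FAILED_ATTEMPTS})"
    acct.failed_attempts = 0      # a good login resets the failure counter
    if now - acct.password_set_at > PASSWORD_MAX_AGE:
        return "denied: password expired, rotation required"
    return "allowed"

def new_admin(username: str, password: str, set_at: datetime, has_admin_role: bool = True) -> AdminAccount:
    salt = os.urandom(16)
    return AdminAccount(username, salt, hash_password(password, salt), set_at, has_admin_role)

if __name__ == "__main__":
    now = datetime(2024, 1, 15)   # constructed clock value for the demo
    acct = new_admin("ops-admin", "correct horse battery staple", now - timedelta(days=10))
    print(check_admin_login(acct, "wrong guess", "10.1.2.3", now))
    print(check_admin_login(acct, "correct horse battery staple", "10.1.2.3", now))
```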

Under the settlement, the FTC will require Twitter to set up a new security program to be assessed by a third party. It will also be prohibited from what the agency described as “misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to information and honor the privacy choices made by consumers.”

According to the FTC, this marks the 30th case brought as a result of lax security procedures, and the first against a social network.

Why This Matters: As we have known for some time now, privacy is a hot-button issue at the FTC. To avoid an FTC investigation, you must consider whether your current privacy practices live up to both: (1) what the Commission considers “standard, reasonable” security procedures; and (2) your own privacy policy, which operates as a set of promises to the consumers who use your service or patronize your business. If your security procedures fall short of either mark (or worse, both), the FTC could come calling. That raises the question: when was the last time you audited your security and privacy procedures?