July 2010 : Privacy Lessons: A Twitter Tutorial
by Joseph Sanscrainte, an attorney specializing in telemarketing law.
The lifeblood of the telemarketing industry is information - names, phone numbers, credit cards and other billing info, physical and email addresses, even social security numbers - all of these are collected by telemarketers as part of standard business practices. As an attorney in the telemarketing space, I spend the majority of my time working with clients on "telemarketer-specific" rules and regulations, like commercial registration, do-not-call, and billing and identification disclosure rules. However, I would be remiss if I didn't, at least once in a while, bring up the importance of maintaining security over all personal information collected from consumers.
Luckily, the FTC does most of my work for me. On June 24, 2010, the FTC issued the terms of a tentative settlement it had reached with Twitter regarding some very serious breaches of security. At issue was the disparity between promises made by Twitter regarding its security protocols and the reality of its day-to-day business practices. Twitter stated, on its website:
- Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.
Sounds good, right? Being "very concerned" and employing administrative, physical, and electronic measures all sound like what any company should be doing to protect private information. The problem is, the FTC expects companies to actually abide by the promises they make regarding safeguarding of private information. According to the FTC, Twitter failed to do this - in particular, Twitter failed to: establish or enforce policies sufficient to make administrative passwords hard to guess; establish policies sufficient to prohibit storage of administrative passwords in plain text in personal email accounts; disable administrative passwords after a reasonable number of unsuccessful login attempts; enforce periodic changes of administrative passwords; and restrict each person's access to administrative controls according to the needs of that person's job. As a result, intruders were able to obtain unauthorized administrative control of the Twitter system and gain unauthorized access to nonpublic tweets and nonpublic user information.
The bottom line for the FTC in its proposed settlement is that Twitter must immediately establish a "comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information. Such a program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent's size and complexity, the nature and scope of respondent's activities, and the sensitivity of the nonpublic consumer information."
In practice, the above means having employees who are tasked with coordinating Twitter's privacy and security program; conducting a risk assessment; conducting ongoing monitoring and testing of that program; and having an outside, third-party audit completed at least every two years.
The second lesson is that sometimes it's the most obvious things that need to be addressed. Twitter used a common word as the password that granted administrative rights over its website, and did not prevent an intruder from attempting to log in thousands of times while guessing that common word. Using a more complex password, i.e., one containing a combination of letters and numbers, and limiting repeated log-in attempts, would have saved Twitter an enormous amount of time, money, and bad publicity.
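As an added illustration (not code from this article, and not anything Twitter ran), the following Python sketches the two controls the FTC faulted Twitter for lacking: a password policy that rejects a single common word, and an account lockout after a fixed number of unsuccessful attempts, with the stored credential kept as a salted hash rather than plain text. The word list, threshold, lockout period and user names are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import time

# Constructed sample data for this example; the actual word is not on the page.
COMMON_WORDS = {"happiness", "password", "twitter", "admin", "welcome", "letmein"}
LOCKOUT_THRESHOLD = 5        # failed attempts allowed before the account is disabled
LOCKOUT_SECONDS = 15 * 60    # how long the account stays disabled (assumed value)


def password_is_acceptable(pw: str) -> bool:
    """Reject a single common word or anything without a mix of character classes."""
    if len(pw) < 12 or pw.lower() in COMMON_WORDS:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for p in classes if re.search(p, pw)) >= 3


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 so the credential store never holds the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


class AdminLogin:
    """Hypothetical admin login that disables an account after repeated failures."""

    def __init__(self, now=time.time):
        self.store = {}      # user -> (salt, pbkdf2 digest)
        self.failures = {}   # user -> (consecutive failures, lockout expiry time)
        self.now = now       # injectable clock so the lockout can be tested

    def enrol(self, user: str, pw: str) -> None:
        if not password_is_acceptable(pw):
            raise ValueError("password does not meet policy")
        self.store[user] = hash_password(pw)

    def attempt(self, user: str, pw: str) -> str:
        count, locked_until = self.failures.get(user, (0, 0.0))
        if locked_until > self.now():
            return "locked"                 # no password check while disabled
        if locked_until:
            count = 0                       # lockout expired; count afresh
        salt, digest = self.store.get(user, (b"", b""))
        if salt and hmac.compare_digest(hash_password(pw, salt)[1], digest):
            self.failures.pop(user, None)   # success clears the failure counter
            return "ok"
        count += 1
        expiry = self.now() + LOCKOUT_SECONDS if count >= LOCKOUT_THRESHOLD else 0.0
        self.failures[user] = (count, expiry)
        return "locked" if expiry else "denied"
```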
The final lesson to be learned is that the FTC takes security of private information very seriously. Should Twitter violate the terms of any final settlement with the FTC, it will be subject to a penalty of $16,000 for each such violation. In the realm of electronic data, I think we all know how many "violations" are possible for even a small breakdown of security protocols. Twitter has to live with this regulatory sword of Damocles hanging over them for the next 20 years - it might be worthwhile for other companies to at least make a reasonable effort to avoid a similar fate.