Privacy & Cybersecurity Law Blog

On March 11, 2011, the Federal Trade Commission finalized a proposed settlement with Twitter, which resolved allegations that Twitter deceived consumers and failed to safeguard their personal information. The FTC first announced the proposed settlement in June 2010. Specifically, the FTC claimed that Twitter, contrary to its privacy policy statements, did not provide reasonable and appropriate security to prevent unauthorized access to consumers’ personal information and did not honor the consumers’ privacy choices in designating certain tweets as nonpublic. Intruders exploited these failures and obtained administrative control of the Twitter system. These intruders were able to gain unauthorized access to nonpublic tweets and user information, reset any user’s password, and send unauthorized tweets from any user account.

Under the terms of the settlement, Twitter must implement a comprehensive information security program that is reasonably designed to protect the privacy and security of nonpublic consumer information, and it is prohibited from misrepresenting the extent to which it protects such information. An independent auditor must conduct biennial assessments for 10 years to determine whether Twitter’s information security program adequately protects consumer information as required by the settlement. Twitter is further required to make available to the FTC any privacy policy statements, consumer complaints, subpoenas and other documents that relate to Twitter’s activities in the FTC complaint or Twitter’s compliance in the settlement. Finally, Twitter must file a report describing its compliance with the settlement and alert the FTC to any change in the corporation that may affect its compliance obligations. Any violation of the FTC order, which is in effect for 20 years, may result in a civil penalty of up to $16,000. The order is in effect for 20 years.