Among other specific concerns, the FTC claimed that Twitter did not take steps to preserve the security of administrative passwords, such as:
- Requiring the use of hard-to-guess administrative passwords;
- Prohibiting employees from storing administrative passwords in plain text in personal email accounts;
- Suspending or disabling administrative passwords after unsuccessful login attempts;
- Providing a non-public administrative login page;
- Enforcing periodic updates of administrative passwords; and
- Restricting employee access to administrative controls.
The case places companies on notice that the FTC may expect companies to include such elements in their security practices.
As in prior data security cases, the consent agreement will remain in effect for 20 years. Among other provisions, it requires Twitter to establish a comprehensive information security program that includes a designated accountable employee, assessment of foreseeable material risks, design and implementation of reasonable safeguards, regular testing and monitoring, reasonable steps regarding service providers, and ongoing evaluation and adjustment of the program. Twitter must also obtain biennial independent assessments of its security program for the next 10 years.