In June, the Federal Trade Commission (“FTC”) settled its first case brought against a social networking service under Section 5 of the FTC Act. In its complaint, the FTC claimed that Twitter misled users through certain statements on its website privacy policy. The FTC further alleged that Twitter failed to take reasonable steps to prevent unauthorized administrative control of its system, with the result that hackers gained administrative control of the service twice in the first half of 2009. Hackers reportedly used this control to reset passwords and send phony “tweets” from existing accounts, and may have accessed nonpublic user information. The agreement is for settlement purposes and does not constitute an admission of legal violations by Twitter.  

Among other specific concerns, the FTC claimed that Twitter did not take steps to preserve the security of administrative passwords by:  

  • Requiring the use of hard-to-guess administrative passwords;  
  • Prohibiting employees from storing administrative passwords in plain text in personal email accounts;  
  • Suspending or disabling administrative passwords after unsuccessful login attempts;  
  • Providing a non-public administrative login page;  
  • Enforcing periodic updates of administrative passwords; and  
  • Restricting employee access to administrative controls.  

The case places companies on notice that the FTC may expect companies to include such elements in their security practices.  

Similar to prior data security cases, the consent agreement will be in effect for 20 years. Among other provisions, it requires Twitter to establish a comprehensive information security program that includes a designated accountable employee, assessment of foreseeable material risks, design and implementation of reasonable safeguards, regular testing and monitoring, reasonable steps regarding service providers, and ongoing evaluation and adjustment of the program. Twitter must also obtain biennial independent security assessments of its security program for the next 10 years