Sunday, June 27, 2010

Twitter Settles Charges that it Failed to Protect Consumers' Personal Information

It is not just information security professionals like me complaining about privacy issues on social networking sites; others are taking a hard look at this as well, including the US Federal Trade Commission (FTC). I reported in an earlier post that US Senators sent a letter to Facebook; now the FTC has become involved in a complaint against Twitter.

The FTC issues an administrative complaint when it has "reason to believe" that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The FTC uses the FTC Act to impose sanctions on firms that exhibit unfair or deceptive practices, that is, practices it believes would likely result in the disclosure of personal information.

There have been many similar complaints in the past, but this is the first case against a social networking service.

According to the FTC's press release, Twitter has agreed to settle FTC charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information. According to the complaint, some of the breaches of Twitter's system were possible due to a failure to implement reasonable safeguards. The complaint originated from several high-profile breaches, including that of Barack Obama's account before he became President.

According to FTC, Twitter failed to implement some of the following safeguards:

* requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites or networks; 
* prohibiting employees from storing administrative passwords in plain text within their personal email accounts; 
* suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts; 
* providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users; 
* enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days; 
* restricting access to administrative controls to employees whose jobs required it; and 
* imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses. 
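As an added example (not Twitter's code and not from the FTC filing), here is a small Python admin-login policy that enforces four of the safeguards listed above: lockout after repeated failed attempts, 90-day password expiry, an IP allowlist for the administrative interface, and a least-privilege role check. The password is stored only as a salted hash, never in plain text. The account records, the 10.0.0.0/8 allowlist and the five-attempt lockout threshold are assumptions constructed for this illustration; the 90-day expiry is the complaint's own example.

```python
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy parameters. The 90-day expiry is the complaint's own example; the
# lockout threshold and the admin network are assumptions for this example.
MAX_FAILED_ATTEMPTS = 5
PASSWORD_MAX_AGE = timedelta(days=90)
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value is never the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    password_hash: bytes
    roles: set
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False


def new_account(username, password, roles, password_set_at):
    """Create an account record holding only a salted hash of the password."""
    salt = os.urandom(16)
    return AdminAccount(username, salt, hash_password(password, salt), set(roles), password_set_at)


def evaluate_admin_login(account, supplied_password, source_ip, now, required_role="admin"):
    """Return 'allowed' or 'denied:<reason>', updating lockout state on failures."""
    # 1. Network restriction: the admin interface only answers allowed addresses.
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in ADMIN_NETWORKS):
        return "denied:ip_not_allowed"
    # 2. Locked accounts are rejected without evaluating the password.
    if account.locked:
        return "denied:locked"
    # 3. Constant-time comparison of the salted hash; count failures and lock.
    if not hmac.compare_digest(hash_password(supplied_password, account.salt), account.password_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
        return "denied:bad_password"
    account.failed_attempts = 0
    # 4. Periodic change: a password older than the maximum age must be reset first.
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return "denied:password_expired"
    # 5. Least privilege: only accounts whose job role requires admin access get it.
    if required_role not in account.roles:
        return "denied:insufficient_role"
    return "allowed"


def demo():
    """Run constructed scenarios through the policy and return the decisions."""
    now = datetime(2010, 6, 27)  # constructed timestamp
    admin = new_account("ops", "correct horse battery staple", {"admin"}, now - timedelta(days=10))
    stale = new_account("old", "stale-but-correct", {"admin"}, now - timedelta(days=120))
    support = new_account("help", "support-only-secret", {"support"}, now - timedelta(days=5))
    results = {
        "outside_network": evaluate_admin_login(admin, "correct horse battery staple", "203.0.113.9", now),
        "good": evaluate_admin_login(admin, "correct horse battery staple", "10.1.2.3", now),
        "expired": evaluate_admin_login(stale, "stale-but-correct", "10.1.2.3", now),
        "wrong_role": evaluate_admin_login(support, "support-only-secret", "10.1.2.3", now),
    }
    for _ in range(MAX_FAILED_ATTEMPTS):
        evaluate_admin_login(admin, "wrong-guess", "10.1.2.3", now)
    # Even the correct password is rejected once the account is locked.
    results["after_lockout"] = evaluate_admin_login(admin, "correct horse battery staple", "10.1.2.3", now)
    return results


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

The order of checks matters: the network restriction and lockout state are evaluated before the password, so an attacker outside the allowed network never gets to exercise the credential check, and a locked account does not leak whether a guess was right.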

As part of the settlement, Twitter is required to implement a variety of data security safeguards including "a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years".

The main FTC complaint document is here.

Some of the safeguards mentioned, though highly important, are very hard for many small businesses to implement. The FTC has strong words for organizations about living up to what they claim to do in securing consumer information.

"When a company promises consumers that their personal information is secure, it must live up to that promise,"

I touched on the question of whether we really need more regulation in the privacy area here. For many organizations there is no incentive to spend money on security-related activities; this is where the value of regulation comes in. Data privacy regulations require organizations to invest in a minimum level of security controls, and that minimum level reduces the probability of a data breach and the resulting harm.

Even though many US and other countries' privacy laws mandate only "reasonable" or minimum security, for many businesses that is not enough. While discussing the new Massachusetts privacy law, I commented:

"organizations should look at this and other regulatory requirements as "minimum standards" and look upon setting up a higher level for themselves. Remember that Compliance != Security"

The key takeaway is that organizations must take a hard look at their privacy policies and implement the specified controls to safeguard customer information. Information security practitioners should convey this to their business and technology leaders and implement such protection mechanisms or face sanctions.

2 comments:

Anonymous said...

Nice analysis. Many organizations are still in the infancy period; such sanctions will give the program a boost.

Anonymous said...

Thanks for sharing this, your analysis is spot on.

I used this as awareness material and sent it to our senior management.