FTC Reaches a Settlement With Twitter Regarding Privacy Breaches

14 March 2011 Publication

Legal News Alert: Privacy, Security & Information Management

On March 11, 2011, the FTC announced that it had reached a settlement with the social networking site Twitter regarding the site’s failure to adequately safeguard user information, which led to two high-profile hacker attacks in 2009. This FTC settlement is significant because it demonstrates that the FTC’s concern regarding the protection of personal information is not limited to consumer financial information and identity theft. In addition, the settlement is another example showing that the FTC will hold companies accountable for failing to uphold their representations regarding their security practices.

The FTC alleged that Twitter deceived consumers and put their privacy at risk when hackers, on two separate occasions, were able to gain unauthorized, administrative access to Twitter accounts in 2009. In January 2009, a hacker used an automated password-guessing tool to gain administrative control of Twitter. Twitter’s system did not have a safeguard in place to automatically lock users out of the site after a certain number of failed password guesses. Therefore, the hacker was able to submit thousands of guesses for the password, which was a common dictionary word (“happiness”), before gaining access. Once the hacker was able to access Twitter’s administrative account, he accessed non-public user information, such as e-mail addresses and mobile phone numbers. In addition, the hacker was able to reset the passwords of some high-profile tweeters, such as President Obama and CNN host Rick Sanchez, and sent phony tweets from those accounts. Approximately 45 high-profile accounts were compromised.

In April 2009, another hacker was able to gain administrative access to a Twitter employee’s e-mail account. The e-mail account stored the employee’s Twitter administrative password in plain text. Once in the administrative account, the hacker was able to reset at least one Twitter user’s password and could access private user information and tweets from any Twitter user. This second breach involved 10 user accounts.    

Twitter’s privacy policy stated, “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.” The FTC alleged that, despite Twitter’s privacy statement, Twitter’s practices failed to deliver on its promise to its consumers that their personal information was indeed secure. Furthermore, Twitter failed to safeguard consumers’ personal information, and it violated consumers’ privacy because it did not take reasonable steps to prevent unauthorized administrative control of its system. The FTC claimed that Twitter did not take reasonable steps to require employees not to store password information in easily accessed places, to prohibit the use of easily decipherable passwords, or to suspend accounts after an unreasonable number of failed logins.

Under the settlement, Twitter is barred for 20 years from misrepresenting to consumers the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices of its consumers. Twitter also must establish and maintain a comprehensive information security program designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information. This information security program will be assessed by an independent third-party auditor every other year for the next 10 years. In addition, Twitter is required to maintain and report certain documentation regarding its privacy practices and policies. Each violation of the order may result in a civil penalty of up to $16,000.

Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and our colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:

Julie Kim
Los Angeles, California

Andrew Serwin
Chair, Privacy, Security & Information Management Practice
San Diego, California