Twitter example of the business costs of inadequate security

For the London Free Press - July 26, 2010

Customers and regulators take a dim view of companies that don't safeguard private information

Twitter recently agreed to settle the Federal Trade Commission's charges that it deceived consumers and put their information at risk through inappropriate and inadequate privacy measures. The charges were that Twitter represented it keeps user information safe, but its actual security measures were not adequate to do that.

On two separate occasions hackers gained unauthorized administrative control of Twitter and access to non-public tweets and user information.

In the first security breach, a hacker used an automated password-guessing tool to access Twitter's administrative account.

In the second breach, a Twitter employee's e-mail account was compromised and his or her administrative password inferred from other passwords stored in the e-mail account.

If this had occurred in Canada, it would be regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). The United States does not have equivalent privacy legislation.

The FTC approach in these situations is to charge the company with misleading advertising for not living up to its privacy policy.

The FTC charged Twitter with making representations regarding its privacy and security measures which were false and deceptive in violation of Section 5(a) of the Federal Trade Commission Act.

The terms of settlement include the following.

Twitter is barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of non-public consumer information.

This appears to be little more than a restatement of Section 5(a) of the Federal Trade Commission Act. However, including this in the terms of settlement provides the Federal Trade Commission with more tools for punishment in the event of a violation.

Twitter may be fined $16,000 per violation of the settlement agreement for the life of the agreement.

Twitter must establish a comprehensive information security program. The program is to include detailed risk assessment and safeguards based on that risk assessment.

The safeguards must be regularly tested and re-assessed as its operations and business change.

The security program will be assessed by an independent security auditor every other year for the next 10 years. Those reports must be provided to the FTC.

Twitter also must maintain certain records for the FTC, including any statements it makes regarding security and privacy, customer complaints relating to the FTC complaint and its responses, and any documents that suggest non-compliance with the settlement.

Whether it is the FTC taking action on misleading advertising grounds, the Canadian Privacy Commissioner taking action under PIPEDA, or simply customers becoming upset at security breaches, businesses can't afford security and privacy breaches.

The lesson is, it's far better to consider and deal with security and privacy issues on your own at the outset than to have problems and face the wrath of regulators and customers alike.