Twitter has settled charges brought by the Federal Trade Commission that it deceived consumers by failing to protect their personal information. As part of the settlement, the microblogging site will set up an independently audited security program.
The FTC said Thursday that thanks to loose security, Twitter allowed hackers in 2009 to view Tweets users designated private and gain access to the accounts of then-President-elect Barack Obama and Fox News, among others.
Under the terms of the settlement, which the FTC unanimously approved, the San Francisco company will be barred for 20 years from misleading consumers about the extent to which it "maintains and protects the security, privacy, confidentiality or integrity of any nonpublic consumer information." This includes the ways the company safeguards authorized access and privacy choices. A third party will also assess the company's information security program every other year for 10 years.
"When a company promises consumers that their personal information is secure, it must live up to that promise," said David Vladeck, director of the FTC's Bureau of Consumer Protection in a statement. "Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations."
In January 2009, a hacker sent a tweet from the account of then-President-elect Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one other bogus tweet was sent from the account of Fox News.
In a statement on its company blog, Twitter said a total of 55 accounts were attacked between January and April, at a time when it had fewer than 50 employees. The company since has sewn up security holes, notified users and publicly acknowledged the incidents in blog postings, it said.
"Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices," Twitter general counsel Alexander Macgillivray wrote.
The case was the FTC's 30th over poor data security, but the first against a social networking service.
Data privacy law specialist Paul Bond of Reed Smith told Legal Times the case against Twitter is the FTC's attempt to "codify laws and regulations that don't otherwise exist on the books," he said. "The FTC's complaint did not point to any law that says ‘Thou shalt use strong passwords.'"
He said: "Without passing any law or regulation, the FTC is putting all American companies on notice that it expects password protection programs to be put in place."
Twitter said in a statement that also referenced security lapses at Google: "We think [the FTC] saw it as an opportunity to make an example of us in the hopes of curtailing breaches — including those many more serious than ours — in our industry."