
The Federal Trade Commission (FTC) announced on June 24 that Twitter is settling an action brought by the agency after hackers exploited lax information security protections at the site to gain administrative control and access private accounts and other personal information. The compromised information included e-mail addresses and tweets meant for individual recipients and followers only. Intruders were also able to send phony tweets from the accounts of then-President-elect Barack Obama and Fox News, among others.

The details of the 2009 data breaches and the security holes that enabled them are summarized in the FTC’s press release. The data breaches stemmed from two incidents. In the first one, an intruder used an automated password-guessing tool to enter an administrative password (a weak lower-case password consisting of a common dictionary term) on the site’s main login page. Using the password, the intruder reset several passwords and posted some of them on a website where they could be used by others. In the second incident, an intruder hacked a Twitter employee’s personal e-mail account and was able to derive an administrative password from similar passwords that were stored in plain text. Twitter’s privacy policy at the relevant times used common boilerplate to describe its data security procedures:

“Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”

It is important to note that Twitter never guaranteed the security of its site. Indeed, tech lawyers like myself routinely warn clients against calling their sites “secure” and making similar unqualified assurances. A cynic might remark that “weasel language” like Twitter’s is designed to stimulate a cozy feeling in users without committing the site to any concrete obligations or precautions.

The FTC’s explanation of the charges against Twitter crystallizes its thinking and underlines the agency’s increasingly aggressive approach to regulating privacy and data security on the Internet and especially on social media sites:

“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, Director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.”

There seems to be little question here that Twitter screwed up. The FTC’s complaint recites a litany of data security lapses that have been no-no’s for at least three or four years in the wake of the FTC’s prosecution of TJX for its data breaches and the advent of the Payment Card Industry Data Security Standard (PCI DSS). These no-no’s include Twitter’s failure to:

* require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
* prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;
* suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
* provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
* enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
* restrict access to administrative controls to employees whose jobs required it; and
* impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
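The controls in that list are concrete enough to sketch in code. What follows is an added illustration written for this page, not code from Twitter or text from the FTC, of what the missing controls look like when implemented: a password-policy check that rejects short, single-case, letters-only or dictionary passwords and reuse of a known previous password; salted PBKDF2 storage instead of plain text; lockout after a fixed number of failed attempts; a source-IP allowlist for the administrative login; and the complaint’s 90-day age check. The thresholds, the 10.0.0.0/8 “office” network, the tiny wordlist and the sample guesses are all constructed assumptions; the separate admin login page and per-role access restriction are not modelled.

```python
"""Added illustration of the administrative-access controls listed above.
Not code from Twitter or the FTC; thresholds, networks and wordlists are
constructed assumptions for the example."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "sunshine", "monkey", "dragon"}

MAX_FAILED_ATTEMPTS = 5                      # lock after this many bad guesses
LOCKOUT_SECONDS = 15 * 60                    # how long the lock lasts
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600    # the complaint's 90-day example
# Assumed corporate network; the admin login is reachable only from here.
ADMIN_ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
PBKDF2_ROUNDS = 100_000


def password_is_acceptable(pw: str, previously_used: set[str]) -> bool:
    """Reject the kinds of passwords the complaint describes: short, all
    lower-case dictionary words, letters only, or reused elsewhere."""
    if len(pw) < 12:
        return False
    if pw.lower() in COMMON_WORDS:
        return False
    if pw.islower() or pw.isalpha():
        return False
    classes = sum(
        any(test(c) for c in pw)
        for test in (str.islower, str.isupper, str.isdigit)
    ) + int(any(not c.isalnum() for c in pw))
    if classes < 3:
        return False
    return pw not in previously_used


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AdminAccount:
    username: str
    password_hash: bytes      # salted hash only; never the plain-text password
    salt: bytes
    password_set_at: float    # epoch seconds
    failed_attempts: int = 0
    locked_until: float = 0.0


def make_admin_account(username: str, password: str, now: float) -> AdminAccount:
    salt = os.urandom(16)
    return AdminAccount(username, _hash(password, salt), salt, now)


def verify_password(account: AdminAccount, password: str) -> bool:
    return hmac.compare_digest(_hash(password, account.salt), account.password_hash)


def attempt_admin_login(account: AdminAccount, password: str,
                        client_ip: str, now: float) -> str:
    """Return one of: denied_ip, locked, bad_password, password_expired, ok."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ADMIN_ALLOWED_NETWORKS):
        return "denied_ip"                     # restriction to specified IPs
    if now < account.locked_until:
        return "locked"                        # still inside the lockout window
    if not verify_password(account, password):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
        return "bad_password"
    account.failed_attempts = 0
    if now - account.password_set_at > MAX_PASSWORD_AGE_SECONDS:
        return "password_expired"              # forces a change before use
    return "ok"


def simulate_guessing(account: AdminAccount, guesses: list[str],
                      client_ip: str, now: float) -> tuple[int, bool]:
    """Run an automated guessing tool against the account and report how many
    guesses were actually evaluated before lockout and whether any succeeded."""
    evaluated = 0
    for guess in guesses:
        result = attempt_admin_login(account, guess, client_ip, now)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False


if __name__ == "__main__":
    acct = make_admin_account("ops", "Tr0ub4dor&3-horse-staple", now=1000.0)
    # A wordlist attack from inside the allowed network gets five tries, then nothing.
    print(simulate_guessing(acct, sorted(COMMON_WORDS) + ["qwerty"], "10.1.2.3", now=1000.0))
```

Two caveats a practitioner would add. The 90-day expiry mirrors the complaint’s own example, but current NIST SP 800-63B guidance recommends against scheduled rotation unless compromise is suspected, so the hashing, lockout and allowlist are the parts to keep as written. And a per-account lockout lets anyone who can reach the login page lock administrators out, which is one more reason the admin login should not sit on the public user login page.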

Again, it’s hard to argue Twitter didn’t screw up. However, this case demonstrates beyond a shadow of a doubt that the FTC will nail you for failing to use generally accepted data security best practices regardless of how you characterize your security measures in your privacy policy. In other words, saying that there are risks beyond your control no longer provides a get out of jail free card. Before the TJX case, the FTC targeted its wrath at sites that explicitly promised better security than they delivered. Now, however, there is an absolute minimum standard of data security: according to the FTC, inviting users to submit information which they can designate as private without complying with best practices is inherently misleading and deceptive. Furthermore, FTC scrutiny is no longer confined to privacy policies and “advertising” or “marketing” messages; the wording of social media categories, designations and preferences, such as privacy preferences, is now fair game.

Under the settlement Twitter is prohibited from misleading consumers about its data security practices for 20 years and must implement a comprehensive information security program, which will be audited by the FTC every other year. The FTC and Twitter, in other words, will be best buddies for years to come.



With everyone in Philly waiting with bated breath for Game 3 of the Amtrak Series, I’m going to eschew the normal in-depth commentary and hit you with a few quick odds and ends and practical lessons from the world of data security.

Data breaches impose huge costs on businesses in terms of investigation, remediation, fraud losses, notification of affected individuals, replacement of accounts and reputational and customer-relations damage. Given the resources and sophistication of foreign criminal syndicates and other fraudsters, some data breaches are probably unavoidable. However, in the unfortunate event of a breach, you do not want to be seen as having fallen too far behind the state of the art in information security protection, or you could face statutory or regulatory fines and negligence liability. The FTC busted TJX, which ended up paying millions of dollars in fines to the FTC and the states, because, among other things, they used WEP, an outdated wireless encryption standard. As previously described in this blog, Nevada’s data security law, Senate Bill 227 (which is potentially applicable to any business with Nevada customers), requires personal information stored on portable devices in motion or transmitted outside a business’ secure systems to be encrypted using technology approved by an “established standards setting body.”

And now, in the case of Shames-Yeakel v. Citizens Financial Bank, No. 07-C-5387 (N.D. Ill. Aug. 21, 2009), a federal district court in Illinois has denied Citizens Bank’s motion for summary judgment dismissing a data breach-related negligence claim where the bank allegedly had not moved promptly enough to implement multifactor authentication (i.e., secondary inputs beyond name and password, such as tokens, personal questions, etc.) to secure sensitive Internet transactions. (A 2005 regulatory guidance had criticized single-factor authentication, i.e., name and password alone, as being inadequate.)

There is a dialectic going on here: legislatures, regulators and courts are wary of imposing compliance requirements involving huge costs for new IT infrastructure at a time when the national unemployment rate is 9.8%. At the same time, given the mounting economic costs of data breaches, the public outcry over identity theft, and the connection between identity theft, organized crime and terrorism, legal and regulatory scrutiny of data security protections is increasing and will continue to do so. This dialectic was evident in Massachusetts this past August, when, at the urging of business groups, 201 CMR § 17.00, a highly prescriptive, technology-specific data security regulation that would have gone into effect in January 2010 (and would have required data in motion or stored on portable devices to be encrypted using 128-bit technology) was thoroughly revised to be risk-based and technology-neutral and to take into account the size, scope and type of business, the amount of resources available to the business, etc.

Don’t be an outlier. Learn what the state of the art is (the supporting and ancillary documents for the Payment Card Industry Data Security Standard are particularly useful here) and try to be in the general vicinity. If it’s too expensive, think about outsourcing the hosting or processing of personal information (but make sure you have done due diligence on the vendor and have a protective contract with them, as required by PCI DSS, HIPAA, federal banking regulations and state data security laws) or whether you even need to hold personal information in the first place. Amid the carnage and emotional trauma of a data breach, there’s no need to add legal fees, regulatory fines and tort damages to the heap of misery.
