July 7, 2010
Today’s article is a guest post from Michael Fleming (@flemingmf)
Larkin Hoffman Daly & Lindgren Ltd.
The Federal Trade Commission recently scored some big news points among the blogerati with a complaint filed against the operators of Twitter. The details were salacious, involving such things as a person gaining access to Barack Obama’s Twitter account. The complaint settled quickly, with Twitter agreeing to comply, over the next twenty years, with a list of improved data security practices. Although no monetary penalties were assessed, the settlement and “order” gives the FTC authority to assess fines in the future of up to $16,000 per violation. To some, Twitter seemed to be singled out as a rogue player that had been roped in by the sheriff.
As a result of the recent settlement, Twitter must now craft a detailed written internal data security policy and follow it. It must provide a written justification for every statement it makes in its privacy policies and list all materials it relied upon in making those statements. Thus, if Twitter claims, “Your DM tweets will remain secret except to the recipient,” it can no longer rely on a generalized knowledge that its system was probably designed to do that. It must have on the record an audit-level analysis of how it knows that statement is actually true and that the system really works. Twitter must have periodic audits done of its system by outside security professionals, and it must keep extensive records with regard to consumer complaints and how they were resolved.
As onerous as those requirements seem, they are actually fairly routine best practices that are quite similar to long-standing practices in businesses familiar with security obligations such as banks and health care providers. Any retailer that does its own credit card processing in-house knows well these sorts of requirements, as they are very similar to what is required under the Payment Card Industry (PCI) Data Security Standards all credit card merchants must conform with.
So in a way, Twitter is being asked merely to do simple things: Do not promise that which you cannot deliver, and be ready to prove that you can deliver it.
How can other online businesses avoid a similar fate?
Second: Once the promises have been reviewed and repaired, think like a data security specialist. Put a data security plan in place to live up to the promises made, and keep records to show that it was followed. Demand that the IT team responsible for building the security system put on the record how it was done; do not be satisfied with verbal summary conclusions that they should be trusted. Hire outsiders to verify that it works. Review the plan often, since good security is a forever moving target. Keep records of problems and how they are resolved (and work fast to resolve them!).
Privacy promises can no longer just be a check-box item for any online provider, nor can they be dictated by a marketer’s wish for glowing statements of goodness and sweet honey for all. Consumers and regulators are examining these promises, and the business practices behind them, more and more each day. Make only promises that can be kept, and invest the resources to make sure they are in fact kept. Either that, or worry at night about when the FTC will be at your doorstep with your very own twenty year consent decree for you to sign.
Michael Fleming is a shareholder with the Larkin Hoffman law firm in the Twin Cities, where he advises online businesses in their regulatory, intellectual property and general business concerns.