Twitter learns the hard way about keeping its promises

July 8, 2010

Today’s article is a guest post from Michael Fleming (@flemingmf)
Larkin Hoffman Daly & Lindgren Ltd.

The Federal Trade Commission recently scored some big news points among the blogerati with a complaint filed against the operators of Twitter. The details were salacious, involving such things as a person gaining access to Barack Obama’s Twitter account. The complaint settled quickly, with Twitter agreeing to comply, over the next twenty years, with a list of improved data security practices. Although no monetary penalties were assessed, the settlement and “order” gives the FTC authority to assess fines in the future of up to $16,000 per violation. To some, Twitter seemed to be singled out as a rogue player that had been roped in by the sheriff.

But could most online businesses survive the same scrutiny as Twitter did? Many businesses view their privacy policy as something one grabs (sometimes copied from some other site without much thought) and posts as a matter of course in putting up a new site, often without considering whether a policy is even necessary in the first place. For those who do not take the time to put up promises they will actually follow, the Twitter settlement serves as a warning: Make privacy promises without due diligence at your peril.

One thing to keep in mind: Twitter was not faulted for a failure to meet a standard of privacy determined by the law. In fact, at least for its U.S. customers, Twitter had little or no legal obligation to make any privacy promises. But it did. Twitter’s violation was that it failed to live up to promises it made to its users in Twitter’s posted privacy policy, which U.S. law terms as an unfair and deceptive trade practice.

Twitter’s privacy policy contained glowing terms regarding their respect of its users’ privacy, as well as a number of objective statements regarding the security Twitter would put around those users’ data — essentially promising perfection, but their practices did not rise to that level. Twitter granted almost all of its employees administrator status on the deepest roots of the system, and allowed them to do so by signing on at the same public log-in page used by all. The system did not require “hard-to-guess” passwords, suspend admin accounts after multiple failed log-in attempts, require periodic password changes, or restrict administrative privileges to only those persons with a true need. As a result, the bad guys got in relatively easily and did their damage. The sheriff soon came knocking.

As a result of the recent settlement, Twitter must now craft a detailed written internal data security policy and follow it. It must provide a written justification for every statement it makes in its privacy policies and list all materials it relied upon in making those statements. Thus, if Twitter claims, “Your DM tweets will remain secret except to the recipient,” it can no longer rely on a generalized knowledge that its system was probably designed to do that. It must have on the record an audit-level analysis of how it knows that statement is actually true and that the system really works. Twitter must have periodic audits done of its system by outside security professionals, and it must keep extensive records with regard to consumer complaints and how they were resolved.

As onerous as those requirements seem, they are actually fairly routine best practices that are quite similar to long-standing practices in businesses familiar with security obligations such as banks and health care providers. Any retailer that does its own credit card processing in-house knows well these sorts of requirements, as they are very similar to what is required under the Payment Card Industry (PCI) Data Security Standards all credit card merchants must conform with.

So in a way, Twitter is being asked merely to do simple things: Do not promise that which you cannot deliver, and be ready to prove that you can deliver it.

How can other online businesses avoid a similar fate?

First: Do not make promises that are beyond those necessary. Are there statements in a privacy policy that really have little meaning to the business or that are not necessary in light of the service offering? Does the business even need to make privacy promises in the first place? Consider reviewing an existing policy, or give a deeper thought to a new policy before it is published in the first place. Cull unneeded promises. Get rid of vague or ambiguously broad statements and stick to statements that can be objectively measured. To be sure, a review may confirm the promises are needed, but the review will, at a minimum, help the business to understand not only what it is promising but why.

Second: Once the promises have been reviewed and repaired, think like a data security specialist. Put a data security plan in place to live up to the promises made, and keep records to show that it was followed. Demand that the IT team responsible for building the security system put on the record how it was done; do not be satisfied with verbal summary conclusions that they should be trusted. Hire outsiders to verify that it works. Review the plan often, since good security is a forever moving target. Keep records of problems and how they are resolved (and work fast to resolve them!).

Privacy promises can no longer just be a check-box item for any online provider, nor can they be dictated by a marketer’s wish for glowing statements of goodness and sweet honey for all. Consumers and regulators are examining these promises, and the business practices behind them, more and more each day. Make only promises that can be kept, and invest the resources to make sure they are in fact kept. Either that, or worry at night about when the FTC will be at your doorstep with your very own twenty year consent decree for you to sign.

Further reading: The FTC’s news release about the Twitter settlement and Twitter’s public response.

Michael Fleming is a shareholder with the Larkin Hoffman law firm in the Twin Cities, where he advises online businesses in their regulatory, intellectual property and general business concerns.