Francoise Gilbert
Security is not just for credit card and social security numbers
The proliferation of security breach disclosure laws has brought companies’ attention to the need to protect financial information, social security, and drivers license numbers. Since most of these laws target only these categories of data, and most state laws that require the use security measures also have focused on these categories of data, many companies have limited their information security efforts to the protection of a small amount of data: credits cards, social security and drivers license numbers. As a result, other categories of data that have not been in the limelight or the subject of investigative reporting have been neglected.
The recent FTC action against Twitter provides a significant warning that information security measures must not be limited to a small set of data. Rather, companies that collect personal data must provide adequate security measures to all types of data in their custody, according to the nature and probability of the risks to which these data are exposed. Each category of data is to be protected with measures that are appropriate to the nature of these data, the risks to these data, and the promises made by the company to its users.
Series of Security Breaches
Not so long ago, Twitter was an early stage start-up with a tight budget. As such, the company had its own ways of doing business on a dime. The company grew very quickly to become a prominent social networking company with users on all continents. However, in the course of this commercial expansion, it failed to adapt its security practices to the magnitude of its reputation and nature of its subscribers.
A succession of security breaches in January through May 2009 revealed significant deficiencies to the Twitter information systems and networks. During this period, Twitter suffered security breaches that allowed hackers to access users’ accounts and non-public personal data, such as email and IP address and mobile phone number. The hackers were also able to reset passwords and send messages from user accounts. Among the widely reported hacks were fake tweets purportedly from sources such as then-President elect Obama and Fox News.
Access to user accounts was possible due to inadequate administrative controls. According to the FTC complaint, hackers accessed Twitter’s administrative accounts by submitting “thousands of guesses” using a password guessing tool. It was not that difficult to guess the passwords of the administrative accounts because many passwords were a dictionary word without numbers or other characters.
Failure to provide reasonable and appropriate security
In its privacy policy, Twitter claimed that it employed “administrative, physical, and electronic measures designed to protect” nonpublic user information from unauthorized access. It also stated on its website that direct messages “are not public; only author and recipient can view direct messages” and that if users did not want to keep their account public they could make their account private, which would give users control over who follows them and who can view their tweets.
The FTC investigation, however, revealed that for three years from July 2006 to July 2009, Twitter did not take reasonable and appropriate measures to prevent unauthorized administrative control of its system. Among the deficiencies, the FTC found that Twitter failed to:
- Require administrative passwords to be complex;
- Prohibit administrative passwords from being stored in plain text in personal email accounts;
- Disable or suspend administrative accounts after a certain number of unsuccessful login attempts;
- Provide an administrative login page exclusive to authorized persons and separate from the login webpage provided to other users;
- Require and enforce that administrative passwords be changed periodically;
- Restrict access to administrative controls to only those who need access;
- Impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
Consent Decree
The proposed consent decree, for which comments were to be sent by July 26, 2010, provides that Twitter, Inc. will enter into a consent agreement for its violation of Section 5 of the FTC Act. Under the terms of the settlement, Twitter is barred for 20 years from misleading its users about the extent to which it protects the security, privacy, and security of non-public consumer information. The agreement requires Twitter to establish, implement, and maintain a comprehensive information security program that is “reasonably designed to protect the security, privacy, confidentiality, and integrity” of nonpublic user information.
The program must be documented in writing and must contain appropriate administrative, technical, and physical safeguards. The safeguards must be appropriate to Twitter’s size and complexity, the nature and scope of its activities, and the sensitivity of the nonpublic user information. Among other things, Twitter must:
- Designate an employee to be responsible for coordinating the information security program.
- Identify reasonably foreseeable, internal and external material risks that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or compromise of nonpublic user information, and assess the adequacy of the safeguards in place to control these risks.
- Design and implement reasonable safeguards to control the risks identified through risk assessment;
- Regularly test and monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
- Take reasonable steps to select service providers capable of appropriately safeguarding nonpublic user information and entering into a contract that requires them to implement and maintain appropriate safeguards.
- Periodically evaluate and adjust its information security program.
In addition, Twitter must obtain assessments and reports on the efficacy of its security program, from a qualified independent third party professional every two years for 10 years. The assessment must include a review of the administrative, technical, and physical safeguards that Twitter has implemented and maintained during the reporting period; an explanation of how the safeguards are appropriate to Twitter; and an explanation how the safeguards meet or exceed the requirements set out above.
Lessons from the Twitter Case
Since the late 1990’s, the Federal Trade Commission has developed a common law of privacy and data protection that was based on the FTC Act Section 5 bar against unfair and deceptive trade practices. Numerous FTC enforcement actions have targeted companies that suffered a breach of security that compromised financial information, credit information, or credit card information.
In its first case against a social networking site regarding information security, the FTC passes in a higher gear, and reminds companies of the need to apply adequate security measures to all information, and not just to credit card and social security numbers.
The significance of the Twitter case is not that it is the first case that targets a social networking company. What is more important is that the case focuses on the protection of data other than “the big four” (i.e. social security, drivers license, financial, and credit card information). The Twitter case is an important reminder that a company information security plan must address all categories of personal data that the company collects or hosts, and provide for each category of data such level of information as reasonably adapted to the nature of the information and the risks to this information.
Twitter has learned the hard way that its unique power to reach the world in a few seconds is assorted with a commensurate obligation to protect adequately that same information that is needed to launch a tweet. Like Twitter, each company has its own set of data, with its own unique vulnerability. It needs to address these vulnerabilities in accordance to the level of risk to each category of data, which is unique to the particular circumstances of the company.