On Friday, March 11, 2011, the Federal Trade Commission issued a press release announcing that, by a 5-0 vote, the Commissioners had approved a settlement with Twitter, stemming from charges that the social media and social networking site had deceived consumers by failing to protect personal information and potentially compromising their privacy. Last June, the FTC had charged Twitter with lapses in data security sufficiently serious that hackers were able to compromise administrative control, including both non-public user information and consumers’ private tweets. Hackers could send out fraudulent phony or spoofed tweets from virtually any user’s account. The complaint originally filed against Twitter alleged that there were at least two instances where hackers were able to get control in early 2009, although it is possible there were other times as well.
Although a settlement finalized in a consent agreement doesn’t amount to an admission of liability or a violation of any law or regulation, a final consent order does have the force of law against the company going forward. In this case, Twitter has agreed that for the next 20 years it will (a) not mislead consumers about the extent to which it protects the security, privacy and confidentiality of nonpublic consumer information, (b) respect and honor consumers’ privacy choices, and (c) not mislead consumers about what it does or how safe the mechanisms are that are designed to prevent unauthorized access. Twitter also agreed that every two years for the next ten years, it will have an independent auditor review and evaluate Twitter’s information security program.