After losing thousands of employees and top compliance officials at Twitter Inc., Elon Musk’s aides are racing to contain growing concerns that staff are responsible for security lapses.
After losing thousands of employees and top compliance officials at Twitter Inc., Elon Musk’s aides are racing to contain growing concerns that staff are responsible for security lapses.
Musk’s attorney, Alex Spiro, who is leading the legal team following the billionaire’s takeover, tried to assure employees they would not go to jail if the company is found to have violated a Federal Trade Commission consent decree. , according to a message seen by Bloomberg.
“I understand there have been employees on Twitter who don’t even work on the FTC issue saying they could go to jail if we didn’t comply, that’s just not how this works,” said Quinn Emanuel Urquhart & Sullivan LLP. the lawyer wrote. “It is the obligation of the company. It is the burden of the company. It is the responsibility of the company”.
An information security team at Twitter that oversaw the sharing of user data with advertisers and research partners was fired after the acquisition, a move that raised internal concerns about vulnerability to security threats and possible rule violations. from the FTC, according to two people familiar with the matter. .
The layoffs, which began on November 3 and affected 50% of all Twitter employees, helped create a chaotic environment within the company and were followed this week by the resignations of top executives, including the company’s chief security officer. information, Lea Kissner, the chief privacy officer, Damien Kieran. and Chief Compliance Officer Marianne Fogarty.
Spiro said that Twitter had spoken with the FTC and has its first compliance check coming soon. “The legal department is handling it,” he said in his note.
The decision to remove the six-person information security team was combined with the firing of at least a dozen other employees who worked on security, privacy and compliance issues at the company, the people said. The full size of those teams was not immediately available.
The layoffs and departures are particularly notable at a company that is under an FTC consent decree in which it has agreed to better protect users’ personal data and also has to undergo regular audits of its privacy and data security systems. Twitter has been heavily criticized by former employees for security lapses, and in May was subject to a $130 million fine as part of a settlement with the FTC and the Justice Department over data privacy.
The information security team focused on third-party risk management and was responsible for providing security guarantees to advertisers who work with Twitter and share data with the company, according to two people familiar with the matter, who spoke on condition of anonymity. they are not authorized to discuss the situation publicly.
The team also oversaw the sharing of Twitter user data with dozens of business partners and research organizations, some of which have access to a programming interface that can be used to view sensitive, nonpublic information about Twitter users, such as location data, IP addresses and unique device identification codes, the people said.
“The Twitter people who check that access are just not there anymore,” one of the people said, adding that the privacy and security of user data has been put at risk as a result.
The work done by the laid-off information security team was intended in part to ensure compliance with a consent decree issued by the FTC in March 2011, according to the people. The executive order, effective until 2042, mandated that Twitter must establish and maintain “a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information.” Violations of the decree can result in large fines.
On Thursday, a leader of Twitter’s legal team circulated an internal memo warning employees that in the future the company would ask engineers to self-certify compliance with FTC requirements, according to a memo seen by Bloomberg.
“This will pose a great deal of personal, professional, and legal risk to the engineers,” the unnamed member of the legal team wrote. “I anticipate that all of you will be pressured by management to push for changes that will likely lead to major incidents.”
In a statement, the FTC wrote that it was following recent developments on Twitter with “deep concern.” The agency added that no CEO or company is “above the law,” and companies must follow consent decrees.
Twitter’s cybersecurity policies have previously faced criticism following high-profile data leaks. In 2014 and 2015, Saudi Arabia recruited spies from within the company and used them to obtain information on dissidents operating on the platform anonymously, according to US prosecutors. In 2020, a Florida teenager was accused of compromising the accounts of prominent people, including Musk and US President Joe Biden, and using them to promote a cryptocurrency scam.
In September, Peiter Zatko, Twitter’s former security chief known as “Mudge,” told the Senate Judiciary Committee that the company had poor security practices, leaving it vulnerable to “teenagers, thieves and spies.” He said Twitter’s leadership had “ignored their engineers” in part because “their executive incentives led them to prioritize profit over security.”
While rare, there have been cases of personal liability for company executives for security breaches. Former Uber security chief Joe Sullivan was found guilty in federal court in San Francisco in a case that stemmed from a 2016 hack, details of which he tried to keep hidden. Part of the charges against Sullivan relate to the fact that Uber has an order with the FTC and is required to disclose violations.