Legal: Privacy Lessons from the Twitter Breach

Earlier this year the Federal Trade Commission (FTC) settled a case with Twitter over what the FTC considered lax electronic administration of Twitter’s website. This case provides insight into what is required in privacy policies and what administrative controls are required.

Twitter Was Hacked

The FTC initiated proceedings against Twitter based on the actions in 2009 of two hackers who took control of the administrative processes of Twitter, which resulted in access to private personal information of users and the ability to create tweets under another person’s user name. (See The New York Times’ account of the breach at “Twitter Settles F.T.C. Privacy Case.”) The FTC charged Twitter with lax administrative controls for data security. The hackers were able to gain access through an automated password-guessing tool that found an administrative password that was a common dictionary word. From there, the hacker was able to use the password to reset passwords for users and gain access to personal accounts. Another hacker was able to gain access to the personal email account of an employee of Twitter. The employee had stored administrative passwords in that personal email account, which allowed the hacker to gain access to Twitter’s administrative controls.

What’s in the Privacy Policy?

Because Twitter’s privacy policy stated that it would employ administrative, physical, and electronic measures to protect information from unauthorized access, the FTC held it to that standard. The FTC took that standard and applied it to Twitter’s administrative controls and alleged that it failed to take reasonable steps to require passwords that were difficult to guess and to prohibit employees from storing passwords within their personal email accounts. The passwords also were not disabled after a number of failed attempts at login. Twitter did not require periodic password changes or restrict administrative controls to employees on an as-needed basis.

The FTC found that Twitter did not use standard reasonable security practices and did not follow its own privacy policy, which made promises to its users to keep information secure.

Three Steps to Protect Your Business

What can you do to protect yourself from the FTC and claims by your users?

  1. Read your privacy policy. Many website owners do not know what their privacy policy requires them to do. You must understand what your privacy policy says and what it is requiring you to do.

  2. Develop an internal policy. You should have an internal administrative policy that all employees follow and that addresses the storage, use, types, and periodic changes of passwords. It should also address the use of and access to personal information collected from users and where that information is stored.

  3. Disclose uses of data collected. Address in your privacy policy how you plan on using data collected, including the following points:

    • Individuals should be clearly advised of the type of personal data being collected;
    • The intended uses and users of personal data should be identified;
    • Describe the security measures intended to protect the personal data from unauthorized access;
    • Describe a means through which users can review their personal data and correct or contest it;
    • Special measures need to be included for personal information of children if it is collected. Companies that collect data from or about children should provide a means through which parental authorization will be obtained.

    This is not an exhaustive list of items and you should review your privacy policy with “standard reasonable security practices” in mind. You should periodically review and audit your procedures to see what is working and what is not working. You should determine if you are continuing to consistently do what you said you would do in your privacy policy. Also, if you share any user information with other companies, you should have contracts with those companies requiring that user information be protected at a minimum under your privacy and security measures, and limit use of the information.


If you consistently follow the items above, you should be protected and prepared if a user or the FTC inquires about your use and protection of private information. You cannot reasonably protect against every incident, but if you have procedures in place to deal with a breach and have consistently applied those measures, you will most likely have met the standard reasonableness test that the FTC requires.

Jeff Jacobson, Jd, Llm