Earlier this year the Federal Trade Commission (FTC) settled a case with Twitter regarding what the FTC considered lax electronic administration of Twitter’s website. The case provides insight into what privacy policies must contain and what administrative controls are required.
Twitter Was Hacked
The FTC initiated proceedings against Twitter based on the 2009 actions of two hackers who took control of Twitter’s administrative processes, which gave them access to users’ private personal information and the ability to post tweets under another person’s user name. (See The New York Times’ account of the breach at “Twitter Settles F.T.C. Privacy Case.”) The FTC charged Twitter with lax administrative controls for data security. One hacker gained access through an automated password-guessing tool that found an administrative password that was a common dictionary word. From there, that hacker was able to use the password to reset users’ passwords and gain access to their personal accounts. Another hacker gained access to the personal email account of a Twitter employee. The employee had stored administrative passwords in that personal email account, which allowed the hacker to gain access to Twitter’s administrative controls.
Three Steps to Protect Your Business
What can you do to protect yourself from the FTC and claims by your users?
Develop an internal policy. You should have an internal administrative policy that all employees must follow and that addresses the storage, use, types, and periodic changes of passwords. It should also address the use of and access to personal information collected from users and where that information is stored.
- Clearly advise individuals of the type of personal data being collected;
- Identify the intended uses and users of personal data;
- Describe the security measures intended to protect the personal data from unauthorized access;
- Describe a means through which users can review their personal data and correct or contest it;
- Include special measures for personal information of children, if it is collected. Companies that collect data from or about children should provide a means through which parental authorization will be obtained.
If you consistently follow the items above, you should be protected and prepared if a user or the FTC inquires about your use and protection of private information. You cannot reasonably protect against every incident, but if you have procedures in place to deal with a breach and have consistently applied those measures, you will most likely have met the reasonableness standard that the FTC requires.