All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government.
But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private.
The Musk factor
Technology visionary and Silicon Valley founder and CEO, Elon Musk, bought social network Twitter in October for $44 billion, taking the formerly public company private. Musk immediately began personally directing many of Twitter’s actions and policies, including changes in moderation and staff. Chaos ensued, and many people — including top company officers — resigned or were fired.
Twitter’s top compliance leaders all quit. The CISO, chief privacy officer and chief compliance officer all left as well, citing their unwillingness to endorse Twitter’s new direction under Elon Musk. Two of the officers had worked at Twitter for seven years each, and the other just one year.
A data governance committee responsible for Twitter’s compliance with a Federal Trade Commission (FTC) consent decree was disbanded as a result of these resignations, and two other members of the committee were fired.
Twitter has appointed an interim data protection officer. It appears that nobody else is charged with complying with FTC and GDPR requirements. In place of sufficient compliance leadership, Twitter’s legal department is reportedly calling on engineers to “self-certify” compliance.
Violations risk billions in fines for Twitter. FTC said recently that it is “tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees.”
But Musk’s lawyer, Alex Spiro, reportedly said to a colleague, “Elon puts rockets into space. He’s not afraid of the FTC.”
Whether Musk is “afraid” or not, it could be that huge fines are coming his way. Again.
Twitter’s (and Musk’s) history with the FTC
Back in 2010, when Twitter was only three or four years old, the FTC complained about Twitter’s lack of safeguards around access to tweets and privacy of direct messages, despite Twitter’s public assurances to the contrary. The parties settled on Twitter’s promise that it would stop misrepresenting privacy and security controls and the FTC’s promise that it would fine Twitter if it didn’t.
Then in May of this year (well before Musk bought the company), Twitter was fined $150 million in a civil penalty for lying about its use of personal data. According to the DoJ complaint filed on behalf of the FTC, Twitter told users that they were capturing personal data for account security. They then turned around and used that data for targeted advertising. The company also agreed to offer multi-factor authentication (MFA) options that don’t require a phone number, as well as a list of other security and privacy improvements.
Musk himself has a colorful history with the FTC and the SEC, mostly stemming from tweets that had immediate impacts on the stock prices of companies he mentioned, including his own companies (Tesla and SpaceX) and his own financial interest (Bitcoin).
In September 2018, the SEC charged Musk with misleading investors with a tweet saying that he was considering taking Tesla private at $420 a share and had secured funding. The statement about funding was false, and the SEC charged Musk and Tesla with $20 million fines each. Musk later boasted that the fine was “worth it”.
How Twitter’s recent moves serve as a bad example
“Self-certification” is not a certification plan. It’s a recipe for non-compliance.
As former Facebook CSO Alex Stamos tweeted, “self-certifying” with the FTC is not a thing. Somebody will have to make assertions and answer questions on behalf of the company under legal penalty for false statements.
Twitter also risks running afoul of European regulations. As part of Musk’s mass layoffs and staff reductions, Twitter disbanded its European office in Brussels and cut its European headquarters staff in Dublin in half, raising concerns that it won’t have enough people to enforce new EU laws around the curbing of hate speech by tech companies.
A special board of directors in charge of Twitter’s compliance with Europe’s General Data Protection Regulation (GDPR) also folded after Musk fired two of its three members. One secured a court injunction forcing Twitter to keep her on as an employee.
In short, Twitter as a company appears to be de-prioritizing compliance and proceeding haphazardly and arbitrarily. It’s essentially kicking compliance problems down the road while focusing on other matters.
This is, unfortunately, a more dramatic version of how many companies handle compliance. They underfund it, delay its full implementation or treat compliance as an optional annoyance.
As with Twitter, ignoring the compliance part of the business will inevitably lead to fines, penalties and imposed requirements.
Learning from Twitter’s mistakes
In short, use Twitter as a perfect bad example. Make sure to properly staff and fund your compliance teams. Place direct and clear responsibility on qualified professionals. And get the whole organization on board.
Also, don’t do what Twitter’s doing with making up shortcuts and workarounds. Placing the responsibility for compliance on developers or other non-specialists is no substitute for a team at the top to make sure your organization meets all laws and decrees that apply. And this is especially true of any tech organization that falls under privacy regulations like the GDPR or the California Consumer Privacy Act (CCPA).
Keep an eye on what happens at Twitter. Unless Musk turns around the company’s approach to compliance, it’s not going to end well for Twitter.