All companies have to comply with privacy and security laws. In the United States they must also comply with any settlements, consent decrees or orders imposed by federal regulators such as the Federal Trade Commission (FTC).

But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private.

The Musk Factor

Elon Musk, the Silicon Valley founder and CEO, bought the social network Twitter in October 2022 for $44 billion, taking the formerly public company private. Musk immediately began personally directing many of Twitter’s actions and policies, including changes to content moderation and staffing. Chaos ensued, and many people, including top company officers, resigned or were fired.

Twitter’s top compliance leaders all quit: the CISO, the chief privacy officer and the chief compliance officer each left, citing their unwillingness to endorse Twitter’s new direction under Musk. Two of the officers had worked at Twitter for seven years each, and the other for just one year.

A data governance committee responsible for Twitter’s compliance with a Federal Trade Commission (FTC) consent decree was disbanded as a result of these resignations, and two other members of the committee were fired.

Twitter has appointed an interim data protection officer. Beyond that, nobody appears to be charged with meeting the company’s FTC and GDPR obligations. In place of adequate compliance leadership, Twitter’s legal department is reportedly asking engineers to “self-certify” compliance.

Violations could cost Twitter billions in fines. The FTC said recently that it is “tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees.”

But Musk’s lawyer, Alex Spiro, reportedly said to a colleague, “Elon puts rockets into space. He’s not afraid of the FTC.”

Whether Musk is “afraid” or not, it could be that huge fines are coming his way. Again.

Twitter’s (and Musk’s) History With the FTC

Back in 2010, when Twitter was only about four years old, the FTC complained that Twitter lacked reasonable safeguards around administrative access to accounts and the privacy of direct messages, despite the company’s public assurances to the contrary. The parties settled on Twitter’s promise to stop misrepresenting its privacy and security controls for 20 years and to maintain an independently audited information security program, with the understanding that violating the consent order would expose Twitter to civil penalties.

Then in May 2022 (well before Musk bought the company), Twitter was fined $150 million in a civil penalty for violating that order by misrepresenting its use of personal data. According to the DoJ complaint filed on behalf of the FTC, Twitter told users it was collecting their phone numbers and email addresses for account security, such as two-factor authentication and account recovery, and then used that data for targeted advertising. As part of the settlement, the company also agreed to offer multi-factor authentication (MFA) options that don’t require a phone number, along with a list of other security and privacy improvements.

Musk himself has a colorful history with regulators, notably the SEC, mostly stemming from tweets that had immediate effects on the prices of assets he mentioned, including shares of his own company Tesla and Bitcoin, in which he had a financial interest.

In September 2018, the SEC charged Musk with misleading investors through a tweet saying that he was considering taking Tesla private at $420 a share and had “funding secured.” The statement about funding was false, and in the resulting settlement Musk and Tesla each paid a $20 million penalty. Musk later boasted that the fine was “worth it”.

How Twitter’s Recent Moves Serve as a Bad Example

“Self-certification” is not a certification plan. It’s a recipe for non-compliance.

As former Facebook CSO Alex Stamos tweeted, “self-certifying” with the FTC is not a thing. Somebody will have to make assertions and answer questions on behalf of the company under legal penalty for false statements.

Twitter also risks running afoul of European regulation. As part of Musk’s mass layoffs, Twitter closed its European office in Brussels and cut the staff of its European headquarters in Dublin roughly in half, raising concerns that it won’t have enough people to meet new EU obligations on tech companies to curb hate speech and other illegal content, notably under the Digital Services Act (DSA).

A special board of directors in charge of Twitter’s compliance with Europe’s General Data Protection Regulation (GDPR) also collapsed after Musk fired two of its three members. One of them secured a court injunction forcing Twitter to keep her on as an employee.

In short, Twitter as a company appears to be de-prioritizing compliance and proceeding haphazardly and arbitrarily. It is essentially kicking compliance problems down the road while focusing on other matters.

This is, unfortunately, a more dramatic version of how many companies handle compliance. They underfund it, delay its full implementation or treat compliance as an optional annoyance.

As Twitter’s own record shows, ignoring the compliance side of the business eventually leads to fines, penalties and imposed requirements.

Learning from Twitter’s Mistakes

Use Twitter as a textbook bad example. Properly staff and fund your compliance teams. Place direct and clear responsibility on qualified professionals. And get the whole organization on board.

Also, don’t follow Twitter in inventing shortcuts and workarounds. Placing responsibility for compliance on developers or other non-specialists is no substitute for an accountable team at the top that makes sure your organization meets every law and decree that applies to it. This is especially true of any tech organization that falls under privacy regulations such as the GDPR or the California Consumer Privacy Act (CCPA).

Keep an eye on what happens at Twitter. Unless Musk turns around the company’s approach to compliance, it’s not going to end well for Twitter.
