On June 24, the FTC announced a proposed consent order with social networking service provider Twitter, Inc. The Twitter investigation is consistent with the FTC’s longstanding interest in policing the data privacy and security practices of social networking services, dating back to the FTC’s first online privacy case against Geocities in 1998.
Within the general framework of FTC information security jurisprudence, this investigation reflects three noteworthy developments. First, the investigation demonstrates the broad reach of FTC Act § 5 concerning data security, extending well beyond protection of the kinds of data traditionally considered sensitive (e.g., Social Security Numbers and payment card numbers). Second, the complaint introduces security expectations, concerning controlling administrator-level access to information systems, that had not been previously expressed by the FTC. Third, this enforcement action appears to show that the FTC considers the protection of personal information critical at all stages of the business lifecycle, from start-up to wind-down.
A. Data Security Obligations Are Not Limited to Sensitive Personal Information
The FTC alleges that lapses in Twitter’s data security practices resulted in unauthorized persons gaining access to user accounts containing mobile telephone numbers, email addresses, and IP addresses. Unlike prior data security investigations, there is no allegation that unauthorized persons gained access to the traditionally identified forms of sensitive personal information, such as SSNs, financial account numbers, government ID numbers, or consumer reports. Nor is there any allegation that the affected information revealed sensitive personal characteristics (e.g., medical conditions), either directly or as inferred from purchases. There may be a number of explanations for this departure from past precedent.
1. Consumer Expectations Influence Security Obligations
All the data types affected by the security incidents suffered by Twitter were stored in areas that were allegedly described by Twitter as non-public. Hence, the FTC concerns appear to stem in part from the fact that consumers submitted such information to Twitter under the impression that Twitter would prevent unauthorized sharing. Accordingly, consumer expectations, rather than any fixed list of data elements, may dictate the steps that a company is expected to take to protect such data. Such a standard may have far reaching implications for websites, particularly those that encourage visitors to build profiles that are not intended for public display, including social networking services that offer users the option of maintaining “private” (or otherwise limited access) profiles.
2. Fraud Prevention
Among the consequences of Twitter’s alleged failure to secure its systems was the misuse of existing Twitter accounts to transmit fraudulent messages. The FTC does not discuss the public policy concerns posed by the transmission of fraudulent messages in any great detail. Nonetheless, concerns likely include reputational damage, particularly for public figures and businesses (e.g., the Twitter incident resulted in fraudulent tweets transmitted from the accounts of President Barack Obama and Fox News). In addition, recent press reports indicate that criminals have used compromised social network accounts to attack the account holder’s friends list with messages containing malicious software or fraudulent pleas for money.
B. Securing Administrator Level System Access
The attacks perpetrated against Twitter allegedly exploited weaknesses in the security measures used to limit administrator level access. Because administrator level privileges allow users to manipulate the settings and content of individual user accounts, the attackers were then able to take control of numerous accounts to view private information and engage in fraudulent activity.
The specific security lapses cited by the FTC included the failure to:
- establish or enforce strong password policies;
- prevent the storage of administrative passwords in plaintext in employees’ private email accounts;
- suspend or disable administrative accounts after a number of failed login attempts;
- provide a separate login page for administrative access the address of which was made known only to authorized users;
- enforce periodic changes of administrative passwords (e.g., 90-day expiration);
- restrict access to administrative controls based on employees’ job functions; and
- impose other restrictions on administrative access, such as by restricting access to specified IP addresses.
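The controls in the list above, as an added example that is not part of the FTC complaint, the consent order, or any Twitter code: a minimal administrative login gate that hashes passwords rather than storing them in plaintext, enforces a minimum password policy, locks an account after repeated failed attempts, accepts admin logins only from a permitted source network, applies the 90-day expiration the complaint cites, and restricts administrative actions by job function. The thresholds, the `10.20.0.0/16` network, the role table and the account names are assumptions chosen for illustration.

```python
"""Added example of the administrative-access controls named in the FTC complaint.
All thresholds, networks, roles and names below are assumed, not taken from the order."""
import hashlib
import hmac
import ipaddress
import os
import re
from dataclasses import dataclass

# Policy constants (assumed values for this example).
MAX_FAILED_ATTEMPTS = 5                     # lock the account after this many failures
LOCKOUT_SECONDS = 15 * 60                   # how long a lockout lasts
MAX_PASSWORD_AGE_SECONDS = 90 * 24 * 3600   # the 90-day expiration cited in the complaint
PBKDF2_ITERATIONS = 100_000
# Administrative logins are accepted only from this (assumed) internal range.
ADMIN_SOURCE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Which job functions may use which administrative controls (assumed role table).
ROLE_PERMISSIONS = {
    "support": {"view_account"},
    "trust_and_safety": {"view_account", "suspend_account"},
    "security_admin": {"view_account", "suspend_account", "reset_password"},
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_meets_policy(password):
    """Minimum admin password policy: 12+ characters, at least three character
    classes, and none of a few obviously guessable words."""
    if len(password) < 12:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        return False
    if re.search(r"(?i)password|twitter|admin", password):
        return False
    return True


@dataclass
class AdminAccount:
    username: str
    role: str
    salt: bytes
    digest: bytes
    password_set_at: float     # epoch seconds when the password was last set
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds until which logins are refused


def create_admin(username, role, password, now):
    """Create an admin account, refusing passwords that fail the policy."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet admin policy")
    salt, digest = hash_password(password)
    return AdminAccount(username, role, salt, digest, now)


def admin_login(account, password, source_ip, now):
    """Return 'ok' or a 'denied: ...' reason. The network and lockout checks run
    before any password comparison, so an attacker outside the permitted range,
    or one who has already exhausted the attempt budget, never gets a guess."""
    if not any(ipaddress.ip_address(source_ip) in net for net in ADMIN_SOURCE_NETWORKS):
        return "denied: source address not permitted"
    if now < account.locked_until:
        return "denied: account locked"
    _, candidate = hash_password(password, account.salt)
    if not hmac.compare_digest(candidate, account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failed_attempts = 0
        return "denied: bad password"
    account.failed_attempts = 0
    if now - account.password_set_at > MAX_PASSWORD_AGE_SECONDS:
        return "denied: password expired"
    return "ok"


def authorize(account, action):
    """Job-function check: an authenticated admin may only use the controls
    assigned to their role."""
    return action in ROLE_PERMISSIONS.get(account.role, set())
```

Two practitioner caveats. The source-network restriction and a separately published login address raise the cost of a remote attack but do not authenticate anyone; a second factor (see section B.2) is the control that actually does. And the periodic password expiration listed by the FTC reflects guidance of the time; current NIST SP 800-63B advises against forced periodic rotation unless a compromise is suspected, so an organization adopting the lockout and role checks above should treat the 90-day rule as a legacy expectation rather than a best practice.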
Many of these lapses are inconsistent with well-established information security practices recognized in prior FTC enforcement actions and in commonly followed industry standards such as ISO/IEC 27002 and NIST Special Publication 800-53. However, two issues identified by the FTC may indicate new obligations for entities that handle or process personal information.
1. Separate Administrator Level User Access Points
The FTC indicates that website administrator login pages should be maintained separately from the general published login pages and that their addresses should be made known only to authorized users. While this is a best practice for information security, it is not common today. Websites that currently link to the administrator access page from pages commonly viewed by visitors would likely be expected to remove those links.
2. Heightened Authentication Requirements for Administrator Level Users
Second, the FTC refers to the use of IP restrictions as an example of reasonable restrictions on administrative access. It is not clear that this means all systems are expected to implement IP address restrictions (which may not be a particularly reasonable measure for many businesses). Nevertheless, it does appear that the FTC considers simple single-factor authentication of users (such as requiring only a password) to be inadequate for administrator-level access to systems containing personal information. Alternative measures to ensure that only authorized persons can gain administrator-level access may include multifactor authentication, such as requiring a password in combination with a biometric scanner (e.g., fingerprint scanner or voice print scanner), smart card reader, or physical token (e.g., RSA’s SecurID products).
C. Data Protection is Important Throughout the Life of a Business
It should be noted that during most of the period in which the events leading to this enforcement action occurred, Twitter was a start-up venture. Accordingly, the company did not necessarily possess all the resources and organizational structure of a longstanding enterprise. The FTC appears to be unconcerned by this distinction. In light of the FTC’s previous enforcement action arising from the bankruptcy dissolution of Toysmart, it appears that the FTC has adopted the position that protection of personal information is a critical responsibility at every stage of a business’ life, from initial market entry to ultimate exit.