After losing hundreds of workers and senior compliance officials at Twitter Inc., Elon Musk’s deputies are hurrying to quell rising worries that personnel will be held accountable for security violations.
Bloomberg obtained a message in which Musk’s attorney Alex Spiro, who is leading the legal team after the billionaire’s takeover, attempted to reassure staff that they would not go to prison if the firm is found to have violated a Federal Trade Commission consent agreement.
According to an earlier Insider report, a lawyer for Quinn Emanuel Urquhart & Sullivan LLP wrote in a memo, “I understand that there have been Twitter employees who do not even work on the FTC matter stating that they could go to jail if we were not in compliance — that is simply not how this works.” “It is the company’s responsibility. It is the weight of the business.”
According to two individuals familiar with the subject, Twitter’s information security staff that controlled the sharing of user data with advertising and research partners was laid off after the acquisition, triggering internal worries about security vulnerabilities and possible FTC violations.
Spiro said that Twitter has spoken with the FTC and will undergo its first compliance audit soon. In his message, he said, “The legal department is addressing the matter.”
The decision to eliminate the six-person information security team was accompanied by the layoffs of at least a dozen other workers at the firm who worked on security, privacy, and compliance concerns, according to the sources. The total size of these teams was unavailable at the time of writing.
The layoffs and departures are particularly notable at a corporation that is subject to an FTC consent order in which it pledged to better secure customers’ personal data and that is also required to submit to regular audits of its privacy and data security systems. Former workers have harshly criticised Twitter for security failings, and the company was fined $130 million in May as part of a data privacy deal with the FTC and Department of Justice.
The information security team was responsible for third-party risk management and providing security assurances to advertisers who work with Twitter and share data with the company, according to two people familiar with the matter who spoke on the condition of anonymity because they were not authorised to discuss the matter publicly.
As a consequence, the privacy and security of user data are at risk, according to one of the individuals.
According to sources, a portion of the work performed by the laid-off information security staff was meant to verify compliance with an FTC consent order announced in March 2011. Effective until 2042, the decision requires Twitter to implement and maintain “a robust information security programme that is intended to preserve the security, privacy, confidentiality, and integrity of non-public consumer information.” Violations of the order could result in large penalties.
According to a message seen by Bloomberg, a senior member of Twitter’s legal team cautioned staff on Thursday that the business will in the future force engineers to self-certify compliance with FTC standards.
The anonymous member of the legal team wrote, “This will expose engineers to significant personal, professional, and legal risks.” “I expect that management will exert pressure on all of you to implement changes that will likely result in severe accidents.”
In a statement, the FTC expressed “grave worry” about recent events at Twitter. The agency stated that no CEO or business is “above the law” and that businesses must adhere to consent decrees.
In the past, Twitter’s cybersecurity practices have been criticised after high-profile data breaches. According to U.S. authorities, in 2014 and 2015, Saudi Arabia hired spies inside the corporation and employed them to acquire information on dissidents using the site anonymously. A Florida youngster was charged in 2020 with hacking the accounts of notable individuals, including Elon Musk and Joe Biden, and using them to promote a cryptocurrency fraud.
Peiter Zatko, formerly the chief of security at Twitter and known as “Mudge,” testified before the Senate Judiciary Committee in September that the company’s inadequate security policies rendered it exposed to “teenagers, criminals, and spies.” According to him, Twitter’s leadership “ignored its engineers” in part because “executive incentives encouraged them to put profit above security.”
Although uncommon, there have been cases of CEOs being held personally liable for security breaches. Former Uber head of security Joe Sullivan was found guilty in San Francisco federal court in a case involving a 2016 breach whose details he attempted to conceal. Part of the accusations against Sullivan relates to the fact that Uber is compelled to report security vulnerabilities by FTC order.