After losing thousands of employees and top compliance officials at
“I understand that there have been employees at Twitter who do not even work on the FTC matter commenting that they could go to jail if we were not in compliance -- that is simply not how this works,” the
An information security team at
Spiro said Twitter had spoken to the FTC and has its first compliance check upcoming. “The legal department is handling it,” he said in his note.
The move to scrap the six-person information security team was combined with layoffs of at least a dozen other employees working on security, privacy and compliance issues at the company, the people said. The full size of those teams wasn’t immediately available.
The layoffs and departures are particularly noteworthy at a company that is under an FTC consent decree in which it agreed to better protect users’ personal data and also has to submit to regular audits of its privacy and data security systems. Twitter has been sharply criticized by former employees for security lapses, and in May was subject to a $130 million fine as part of a settlement with the FTC and Department of Justice over data privacy.
The information security team was focused on third-party risk management and was responsible for providing security assurances to advertisers that work with Twitter and share data with the company, according to the two people familiar with the matter, who spoke on condition of anonymity as they aren’t authorized to discuss the situation publicly.
The team also monitored Twitter’s sharing of user data with dozens of commercial partners and research organizations, some of whom have access to a programming interface that can be used to view sensitive non-public information about Twitter users, such as location data, IP addresses and unique device identification codes, the people said.
“The people at Twitter doing the checks on that access are simply not there anymore,” one of the people said, adding that the privacy and security of user data has been put at risk as a result.
The work carried out by the laid-off information security team was partly intended to ensure compliance with a consent decree issued by the FTC in March 2011, according to the people. The decree, effective until 2042, ordered that Twitter must establish and maintain “a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of non-public consumer information.” Violations of the decree can result in large fines.
On Thursday, a leader on Twitter’s legal team circulated an internal note that warned employees the company would, going forward, ask engineers to self-certify compliance with FTC requirements, according to a memo viewed by Bloomberg.
“This will put a huge amount of personal, professional and legal risk onto engineers,” wrote the unnamed member of the legal team. “I anticipate that all of you will be pressured by management into pushing out changes that will likely lead to major incidents.”
In a statement, the FTC wrote it was tracking recent developments at Twitter with “deep concern.” The agency added that no CEO or company is “above the law,” and companies must follow consent decrees.
Twitter’s cybersecurity policies have previously faced criticism after high-profile data breaches. In 2014 and 2015, Saudi Arabia recruited spies inside the company and used them to obtain information on dissidents operating on the platform anonymously,
While rare, there have been instances of personal liability for executives at companies from security breaches. Former Uber security head Joe Sullivan was
© 2022 Bloomberg L.P. All rights reserved. Used with permission.