Twitter Ramps Up Regulatory Exposure After Loss of CISO
Deadlines Coming Due Under US FTC Consent Order
Senior executives at Twitter responsible for security, privacy and compliance resigned from the company, multiple media outlets report - marking an escalation in regulatory exposure for the beleaguered social media platform and its new owner, Elon Musk.
Lea Kissner, appointed chief information security officer in January, confirmed their individual resignation, tweeting that they had made "the hard decision" to leave the company.
Chief Privacy Officer Damien Kieran and Chief Compliance Officer Marianne Fogarty did not immediately respond to requests for comment. "I don’t watch Game of Thrones. I certainly don’t want to play it at work," Fogarty tweeted Monday, referring to the HBO series in which multiple characters die while attempting to obtain power.
Twitter has been in disarray in the 14 days since the world's richest man, Elon Musk, walked into Twitter's San Francisco office carrying a sink hours away from finalizing his $44 billion acquisition of the company.* Musk has since laid off roughly half the 7,500-employee workforce, sent and deleted a link to a conspiracy theory, launched and unlaunched product features and threatened "thermonuclear name & shame" to advertisers pulling out from the platform. Twitter's new verification scheme has resulted in a flood of verified but actually fake accounts, such as the supposed account of a former U.S. president reminiscing, "I miss killing Iraqis."
Although no longer publicly traded, Twitter is still legally obligated to appoint a senior staffer to handle cybersecurity and privacy issues. It entered into a consent order with the U.S. Federal Trade Commission in May binding it to maintain a privacy and information security program for the next two decades. The agreement with Twitter ended an investigation into Twitter's use of phone numbers and email addresses for advertising purposes when they were collected to be used for multifactor authentication. Twitter also paid a $150 million civil penalty.
Among the program's requirements is designating a "qualified employee or employees to coordinate and be responsible" for the program.
The order also directs Twitter to assess risks to privacy and security before implementing product changes, to conduct annual assessments of its privacy and security controls, and to cooperate with biennial third-party assessments.
The company faces a Jan. 21, 2023, deadline for submitting to the agency a report made under penalty of perjury attesting to implementation of the order. Finding an executive willing to sign that report may be problematic, said Megan Gray, a former FTC enforcement attorney and former tech company corporate counsel. Executives at the company and possibly the trio that left are probably "no longer confident that the company is going to uphold the legal obligations vis-a-vis them, individually," she said.
The agency "has made it very clear they're going after executives," she added.
An FTC spokeswoman told Information Security Media Group that the agency is "tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees."
Alex Spiro, an attorney from Musk's inner circle and the new head of legal at Twitter, reportedly has discounted the possibility of FTC enforcement, and an internal Slack message quotes him as stating, "Elon puts rockets into space, he's not afraid of the FTC."
Twitter did not respond to a request for comment.
*Correction Nov. 11, 2022 15:51 UTC: Corrects timeline about Musk acquisition. When he walked into the Twitter lobby carrying a sink, he was about to close the deal; he had not yet finalized it.