Date: 2022-11-15

Following the loss of thousands of employees and top compliance officials at Twitter Inc., Elon Musk's deputies are racing to quell growing fears that employees will be held accountable for security lapses.

According to a message seen by Bloomberg, Musk's lawyer Alex Spiro, who is guiding the legal team following the billionaire's acquisition, sought to reassure employees that they would not go to jail if the company is found in violation of a Federal Trade Commission consent decree.

"I understand that there have been employees at Twitter who do not even work on the FTC matter commenting that if we were not in compliance, they could go to jail — that is simply not how this works," the Quinn Emanuel Urquhart & Sullivan LLP lawyer wrote. "It is the company's responsibility."

An information security team at Twitter that oversaw sharing of user data with advertisers and research partners was laid off after the takeover, a move that triggered internal concerns about vulnerability to security threats and potential violations of FTC rules, according to two people familiar with the matter.

The layoffs, which started November 3 and affected 50% of all Twitter employees, have contributed to a chaotic atmosphere within the company and were followed this week by the resignations of senior executives, including Chief Information Security Officer Lea Kissner, Chief Privacy Officer Damien Kieran, and Chief Compliance Officer Marianne Fogarty.

Spiro stated that Twitter had spoken with the FTC and that its first compliance check was scheduled. "The legal department is dealing with it," he wrote in his note.

According to the people, the decision to eliminate the six-person information security team was accompanied by the layoffs of at least a dozen other employees working on security, privacy, and compliance issues at the company. The total number of teams was not immediately available.

The layoffs and departures are especially notable at a company that is subject to an FTC consent decree under which it agreed to better protect users' personal data and is also subject to regular audits of its privacy and data security systems. Former employees have harshly criticized Twitter for security flaws, and the company was fined $130 million in May as part of a data privacy settlement with the FTC and the Department of Justice.

According to two people familiar with the situation, who spoke on the condition of anonymity because they aren't authorized to discuss the situation publicly, the information security team was focused on third-party risk management and was responsible for providing security assurances to advertisers who work with Twitter and share data with the company.

According to the people, the team also tracked Twitter's sharing of user data with dozens of commercial partners and research organizations, some of which have access to a programming interface that can be used to view sensitive non-public information about Twitter users, such as location data, IP addresses, and unique device identification codes.

"The people at Twitter who were checking on that access are simply no longer there," one of the people said, adding that the privacy and security of user data have been jeopardized as a result.

According to the people, the work done by the laid-off information security team was partly intended to ensure compliance with a consent decree issued by the FTC in March 2011. Twitter was ordered to establish and maintain "a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of non-public consumer information" until 2042, according to the decree. Violations of the decree may result in significant fines.

According to a memo obtained by Bloomberg, a leader on Twitter's legal team circulated an internal note on Thursday warning employees that the company would, in the future, ask engineers to self-certify compliance with FTC requirements.

"This will expose engineers to a significant amount of personal, professional, and legal risk," wrote an unnamed member of the legal team. "I anticipate that management will put pressure on all of you to implement changes that will almost certainly result in major incidents."

The FTC said in a statement that it was monitoring recent developments at Twitter with "deep concern." According to the agency, no CEO or company is "above the law," and businesses must abide by consent decrees.

Twitter's cybersecurity policies have previously come under fire following high-profile data breaches. According to US prosecutors, Saudi Arabia recruited spies within the company in 2014 and 2015 and used them to gather information on dissidents operating anonymously on the platform. In 2020, a Florida teenager was charged with hacking into the accounts of prominent people, including Musk and US Vice President Joe Biden, and using them to promote a cryptocurrency scam.

Peiter Zatko, Twitter's former head of security known as "Mudge," told the Senate Judiciary Committee in September that the company's security practices left it vulnerable to "teenagers, thieves, and spies." He claimed that Twitter's leadership had "ignored its engineers," owing to "executive incentives that led them to prioritize profit over security."

While rare, security breaches have resulted in personal liability for company executives. Former Uber security chief Joe Sullivan was found guilty in federal court in San Francisco of conspiracy to conceal the details of a 2016 hack. Part of the charges against Sullivan stemmed from the fact that Uber is subject to an FTC order and must disclose breaches.