Musk would be remiss not to take his potential liability seriously.
Elon Musk’s latest move as new owner and CEO of Twitter came in the form of an email sent early Wednesday morning, in which Musk advised employees that they will need to be “extremely hardcore” to meet his performance requirements, which will entail “working long hours at high intensity” to bring his vision of “Twitter 2.0” to life. If employees do not agree to the email’s terms “to be part of the new Twitter” by Thursday at 5 p.m., they will be let go.
The news adds even more fodder to the narrative we’ve seen unfold in the weeks since Musk took over Twitter, during which the platform has descended into what’s now being described as the “Wild West” of social media.
Musk has, in short order, fired roughly half of the company’s employees (including engineers who made posts that were critical of him), alienated advertisers and launched (and quickly suspended) a subscription service which resulted in the proliferation of “verified” imposter accounts across the platform.
The Wild West analogy feels accurate, given that social media remains largely unregulated. Now, many of its sheriffs have been riding off into the sunset: Last Thursday, Twitter’s chief privacy officer, chief information security officer and chief compliance officer all resigned, followed by the departure of Twitter’s head of security and safety.
But there is still one sheriff in town who has the potential to rein in Musk by creating a lot of legal problems, particularly if he continues down the erratic path he is currently on: the Federal Trade Commission.
The FTC, which operates under a broad administrative mandate to protect and educate consumers, has filled the regulatory gap for social media companies, particularly when it comes to data privacy. In 2019, for example, the FTC fined Facebook $5 billion — the largest civil penalty ever imposed on a company for violating consumers’ privacy — for its misleading user agreement about how users’ data would be shared with third parties. In 2020, the agency issued orders to nine social media and video streaming companies requiring them to provide information on their data collection and advertising practices, including how their practices affect children and teens.
For background, Twitter was fined $150 million last spring for violating a 2011 consent decree with the FTC regarding the security of its user data. The platform violated that agreement by illegally taking data that consumers had provided to secure their accounts and using it to create targeted ads that generated profit for the company. In addition to the fine, the FTC modified the consent decree to require Twitter to meet additional (and onerous) programmatic, reporting and compliance requirements regarding its products. Among these requirements were the creation of a “comprehensive privacy and security program” overseen by a designated senior officer, a comprehensive written report within 30 days on the privacy risks and safeguards (backed up by testing) for each “new or modified product, practice or service” rolled out by the company, and an annual certification of compliance issued by a senior corporate manager. Twitter must also submit a compliance notice to the FTC within 14 days of any changes to the structure of the company or points of contact regarding compliance. This consent decree was in effect when Musk took over the company last month.
(NB: The consent decree with the FTC should not be confused with a completely separate consent decree Musk entered with the Securities and Exchange Commission in 2018 after tweeting false information about Tesla that impacted that company’s stock prices. Musk was personally fined $20 million and appointed a “Twitter sitter” who would review his future tweets to ensure that they did not run afoul of SEC regulations.)
Considering its FTC obligations, the exodus of Twitter’s privacy and security officers isn’t surprising. The Washington Post reported that Musk’s hastily rolled out Twitter Blue subscription service, which allowed users to purchase a blue check for a fee, did not follow its internal risk evaluation process because the team that was responsible for doing so was — you guessed it — laid off.
The new product resulted in hundreds of users impersonating verified accounts, wreaking havoc on companies like Eli Lilly and Lockheed Martin and even prompting Sen. Ed Markey — who was impersonated by a Washington Post reporter testing out the subscription’s vulnerabilities — to send Musk a letter, demanding answers.
Ultimately, the buck on the safety and compliance of Musk’s new brainchild would fall on his senior corporate officers, who most likely concluded that signing off on privacy reviews without conducting full due diligence could bring them personally into the FTC’s crosshairs.
So who’s doing the reviews in their absence? That’s unclear. Reportedly, Twitter’s engineers are being asked to “self-certify” products they are creating. Given that each privacy review has 14 different components, many of which are more legal than technical in nature, it’s hard to see how a rank-and-file engineer would be in a position to adequately certify Twitter’s products. In fact, one former member of Twitter’s legal department sent a letter to current employees warning them that this burden shifting will “put a huge amount of personal, professional, and legal risk onto engineers.”
Musk’s personal lawyer reportedly stated that Musk was “willing to take on huge amounts of risk” and “isn’t afraid of the FTC.” But he should be.
For one thing, the FTC has the upper hand when it comes to enforcement in the current arrangement. After all, the agency doesn’t need to launch a lengthy new investigation into Twitter at this point; it simply needs to bring a court action alleging that the company is (again) in violation of the consent decree’s terms, which it can do fairly quickly.
Second, an enforcement action by the FTC could create a vicious downward spiral for Musk. Apart from any fines the company might incur, the FTC could further modify the consent decree to add even more safety, compliance and reporting requirements than it has now. That, of course, would create more pressure on his current skeleton crew, potentially prompting more departures — all at the same time that he would need to increase his staffing to stay in compliance with the law and keep the company afloat.
Finally, Musk would be remiss not to take his potential personal liability seriously. In 2017, the FTC referred the chief security information officer of Uber to the Justice Department for obstructing its investigation into a data breach at that company. He was found guilty last month. The case demonstrates that although the FTC’s enforcement authority might be limited to civil penalties, it is willing to bring in criminal law enforcement partners if the circumstances so warrant.
Indeed, the FTC has noted that it is tracking the changes at Twitter “with deep concern,” and that “no CEO is above the law.” It may be the Wild West, but Musk may soon learn that when you choose to fight the law, the law almost always wins.