Just two weeks after Elon Musk took over Twitter, the company may already be in breach of a settlement agreement with the Federal Trade Commission, legal experts said.
If proven, the breach could ultimately lead to significant personal liability for Musk, adding to the risks he faces as he stumbles through business and content moderation headaches, most of which are self-inflicted.
The potential breach stems from Twitter’s reporting obligation when the company faces a structural change, including mergers and sales.
Under Twitter’s latest FTC consent order, which took effect this year, Twitter must file a sworn compliance notice with the regulator within 14 days of any such change. According to David Vladeck, a former FTC official and Georgetown University law professor, the compliance notice is intended both to inform the FTC of major changes at the company and to provide a commitment that it will continue to comply with the order.
Musk’s Twitter deal closed on Thursday, Oct. 27, prompting some legal experts to question Thursday whether Twitter had filed the necessary documents amid the company’s massive layoffs and exodus of top executives. The resignations include the company’s chief privacy officer and the company’s chief information security officer, who is expected to be involved in the company’s compliance report.
Riana Pfefferkorn, a research scientist at the Stanford Internet Observatory, tweeted: “Bless the poor guys who did it.”
The FTC declined to comment on whether Twitter filed any compliance notices after Musk took over the company. Twitter, which has laid off a significant portion of its public relations team, did not immediately respond to a request for comment.
Musk’s lawyer, Alex Spiro, told CNN on Thursday that “we are in an ongoing dialogue with the FTC and will work closely with the agency to ensure our compliance.”
Other, more important regulatory obligations are also being questioned. These include requirements that Twitter prepare a written privacy assessment for any new “product, service or experience” — or when Twitter updates those things — that could affect or put user data at risk.
The dizzying pace of product changes at Twitter since Musk’s takeover, coupled with the company’s greatly reduced headcount, have raised doubts about whether Twitter is following the rules it agreed to — or even can.
“The chaos there is something the FTC will be concerned about,” Vladek said, “because there were serious deficiencies that led to the consent order in the first place, and the FTC wants to make sure they did what they were supposed to do.”
Internal concerns about Twitter’s compliance obligations were reflected in a Slack message viewed by CNN earlier this week, in which an employee warned colleagues that Musk might try to shift responsibility for confirming FTC compliance to individual engineers at the company.
“This will place enormous personal, professional and legal risks on the engineers,” the employee said, adding that the new risks posed by Musk “could be extremely damaging to Twitter’s longevity as a platform.”
Georgetown University computer science and law professor Matt Blaze urged Twitter employees to seek professional legal counsel before “signing anything or making any disclosures to regulators.”
“This is one bus you DO NOT want to jump under,” Blaze tweeted.
The FTC’s consent orders have the force of law and can result in significant penalties if any violations are proven, including fines, restrictions on how Twitter can conduct its business, and even potential sanctions against individual executives.
The company’s latest settlement agreement was announced this spring following FTC allegations that Twitter misused user account security information, such as phone numbers and email addresses, for advertising purposes. The resulting consent order expanded upon a consent agreement Twitter signed with the FTC in 2011, committing the company to maintaining a robust cybersecurity program.
This summer, Twitter’s former head of security Peiter “Mudge” Zatko alleged that Twitter had failed to meet those obligations in an explosive whistleblower statement first reported by CNN and The Washington Post. (Twitter has previously retracted Zatko’s claims, saying security and privacy have “long been a priority across the company.”)
Those allegations, which predate Musk’s ownership, have already put Twitter on the hook for billions of dollars in potential FTC fines, legal experts said.
Now, the latest allegations of Twitter breaches could mean more money is at stake, as well as possible personal liability for Musk himself. Any alleged violations must first be proven and the FTC must decide whether to enforce them, Vladek said. But under these conditions, he said, “I think Musk will be mentioned” in the future consent order. “After all, he made it clear that he and he alone make the main decisions.”
The FTC has increasingly signaled that it may seek to hold individual executives personally liable if they are found to be responsible for company violations, be named in future orders, and impose binding requirements on their future conduct even if they leave the company. (Last month, the FTC showed it was willing to follow through by imposing sanctions on the CEO of alcohol delivery service Drizly.)
Foreshadowing such a move, FTC Chairwoman Lina Khan told US lawmakers that former Twitter CEO Parag Agrawal could “absolutely” be held personally liable if Zatko’s allegations are proven true. The FTC has not confirmed whether it is investigating Zatko’s allegations, but issued a rare statement Thursday that the agency is closely monitoring the situation. As news of the executives’ resignations spread, the agency said it was “following the recent developments on Twitter with deep concern.”
“No CEO or company is above the law, and companies must comply with our consent decrees,” the FTC said. “Our revised consent order gives us new tools to ensure compliance, and we’re ready to use them.”