After losing thousands of employees and top compliance officials at Twitter, Elon Musk’s deputies are racing to contain heightened concerns that staff will be held liable for security lapses.
Musk’s lawyer Alex Spiro, who is guiding the legal team following the billionaire’s acquisition, sought to reassure employees that they would not go to jail if the company is found in violation of a Federal Trade Commission consent decree, according to a message viewed by Bloomberg.
“I understand that there have been employees at Twitter who do not even work on the FTC matter commenting that they could go to jail if we were not in compliance — that is simply not how this works,” the Quinn Emanuel Urquhart & Sullivan LLP lawyer wrote in a memo, earlier reported by Insider. “It is the company’s obligation. It is the company’s burden. It is the company’s liability.”
An information security team at Twitter that oversaw sharing of user data with advertisers and research partners was laid off after the takeover, a move that triggered internal concerns about vulnerability to security threats and potential violations of FTC rules, according to two people familiar with the matter.
The layoffs, which started November 3 and affected 50% of all Twitter employees, have contributed to a chaotic atmosphere within the company and were followed this week by the resignations of senior executives, including Chief Information Security Officer Lea Kissner, Chief Privacy Officer Damien Kieran and Chief Compliance Officer Marianne Fogarty.
Spiro said Twitter had spoken to the FTC and has its first compliance check upcoming. “The legal department is handling it,” he said in his note.
The move to scrap the six-person information security team was combined with layoffs of at least a dozen other employees working on security, privacy and compliance issues at the company, the people said. The full size of those teams wasn’t immediately available.
The layoffs and departures are particularly noteworthy at a company that is under an FTC consent decree in which it agreed to better protect users’ personal data and also has to submit to regular audits of its privacy and data security systems. Twitter has been sharply criticized by former employees for security lapses, and in May was subject to a $130 million fine as part of a settlement with the FTC and Department of Justice over data privacy.
The information security team was focused on third-party risk management and was responsible for providing security assurances to advertisers that work with Twitter and share data with the company, according to the two people familiar with the matter, who spoke on condition of anonymity as they aren’t authorized to discuss the situation publicly.
The team also monitored Twitter’s sharing of user data with dozens of commercial partners and research organizations, some of whom have access to a programming interface that can be used to view sensitive non-public information about Twitter users, such as location data, IP addresses and unique device identification codes, the people said.
“The people at Twitter doing the checks on that access are simply not there anymore,” one of the people said, adding that the privacy and security of user data has been put at risk as a result.
The work carried out by the laid off information security team was partly intended to ensure compliance with a consent decree issued by the FTC in March 2011, according to the people. The decree, effective until 2042, ordered that Twitter must establish and maintain “a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of non-public consumer information.” Violations of the decree can result in large fines.
On Thursday, a leader on Twitter’s legal team circulated an internal note that warned employees the company would, going forward, ask engineers to self-certify compliance with FTC requirements, according to a memo viewed by Bloomberg.
“This will put huge amount of personal, professional and legal risk onto engineers,” wrote the unnamed member of the legal team. “I anticipate that all of you will be pressured by management into pushing out changes that will likely lead to major incidents.”
In a statement, the FTC wrote it was tracking recent developments at Twitter with “deep concern.” The agency added that no CEO or company is “above the law,” and companies must follow consent decrees.
Twitter’s cybersecurity policies have previously faced criticism after high-profile data breaches. In 2014 and 2015, Saudi Arabia recruited spies inside the company and used them to obtain information on dissidents operating on the platform anonymously, according to U.S. prosecutors. In 2020, a teenager from Florida was charged for compromising the accounts of prominent people, including Musk and US President Joe Biden, and using them to promote a cryptocurrency scam.
In September, Peiter Zatko, Twitter’s former head of security who is known as “Mudge,” told the Senate Judiciary Committee that the company had poor security practices, which made it vulnerable to “teenagers, thieves and spies.” He said that Twitter’s leadership had “ignored its engineers” in part because “their executive incentives led them to prioritize profit over security.”
While rare, there have been instances of personal liability for executives at companies from security breaches. Former Uber security head Joe Sullivan was found guilty in San Francisco federal court in a case that stemmed from a 2016 hack — details of which he tried to keep hidden. Part of the charges against Sullivan related to the fact that Uber is under an order with the FTC and required to disclose breaches.
Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.