Here are a few points to consider if you use Twitter for any business function, like customer engagement or branding:
- At what point do issues such as the exodus of key security leadership roles become an intolerable supply chain risk (legal or cyber) to your organisation?
- What are the likely impacts to you if Twitter experiences a breach?
- What other harm (reputational, financial) could be caused by your continued use?
- Who will be liable – you, or Twitter?
How is the risk profile changing?
Much has been said about the psychological safety of using Twitter, both before the current collapse of the moderation and ethics controls as well as after. The culture of the company has always leaned precariously over the chasm of risk while straining to reach the high fruits of market saturation and monetisation, with a culture that has seemed to become more tolerant of potential and actual harm to its users over time.
With the desertion (or expulsion) of key security teams in the last fortnight, the real concern is that the counterweights balancing risk against value will no longer be heavy enough to protect the user base. These teams were actively working to quash scammers, squash bugs, and monitor the threat environment. Even if the security controls all stay up, the bad actors have smelled the blood in the water and are all swarming. Eventually, one will get their teeth in. As controls decay, even unsophisticated bad guys may find chinks in the armour.
What is the likely harm?
There is a risk here to individuals, who may have sensitive information in private messages compromised. That includes your own staff, who may be at increasing risk of being targeted, doxxed, or harassed.
And use of Twitter is also risky for corporations, whose communications on the platform may be deemed ‘records of business’. There have already been significant fines imposed from regulators for allowing staff to use messaging apps – and that’s just from a records compliance angle. Citigroup, Morgan Stanley, Barclays, Bank of America, and JP Morgan have all been sanctioned for not properly managing records of what happens outside the corporate network on these platforms.
The fines to date have been about records preservation and availability. If we don’t capture Twitter records, important business decisions and evidence of activities can be lost forever, or at least kept out of reach of auditors.
What will happen when those communications are breached? When there is a confidentiality impact, as well as an availability one? There are various mechanisms for regulators to fine the organisations using the platform, not just the owners of the platform themselves. Under EU-GDPR and the Data Protection Act 2018, the entity determining the purposes for, and the manner in which personal data is processed, is called the Controller. That’s going to be your organisation, not the cloud provider (Twitter or otherwise).
Summing up
Despite the fraying security environment at Twitter, it’s still likely to be your organisation (and even individuals in your organisation) who are going to be liable for a breach, if you choose to capture personal information in your DMs.
For now, corporations should follow the SEC and CFTC’s advice, and stop doing business on Twitter. Not just to avoid a fine, but to avoid the reputational damage of a major data spill.
A form of this article by Rachael Greaves was originally published by Computer Weekly