If proven, a violation could ultimately lead to significant personal liability for Musk, escalating the risks he faces as he stumbles through a morass of business and content moderation headaches, most of which have been self-inflicted.
The potential violation stems from a reporting obligation Twitter must fulfill whenever the company experiences a change in structure, including mergers and sales.
Under Twitter’s latest FTC consent order, which was implemented this year, Twitter must submit a sworn compliance notice to the regulator within 14 days of any such change. The compliance notice is intended both to advise the FTC of major changes at the company as well as a commitment that it will continue to comply with the order, according to David Vladeck, a former senior FTC official and a law professor at Georgetown University.
Musk’s Twitter deal closed on Thursday, Oct. 27, prompting some legal experts to question Thursday whether Twitter had made the proper filings in light of the company’s mass layoffs and an exodus of senior executives. Among those resigning were its chief privacy officer and chief information security officer, who would be expected to be involved in the company’s compliance reporting.
“Godspeed to the poor b***ards dealing with that,” tweeted Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory.
The FTC declined to comment on whether Twitter has submitted any compliance notices since Musk took over the company. Twitter, which laid off a substantial amount of its public relations team, didn’t immediately respond to a request for comment.
Alex Spiro, Musk’s attorney, told CNN on Thursday that “we are in a continuing dialogue with the FTC and will work closely with the agency to ensure we are in compliance.”
There are other, more substantive regulatory obligations that have come into question, too. They include requirements that Twitter produce written privacy assessments of any new “product, service or practice” — or when Twitter updates those things — that could affect user data or put it at risk.
The dizzying pace of product changes at Twitter since Musk’s takeover, combined with the company’s greatly reduced headcount, have raised doubts about whether Twitter is following the rules it agreed to — or if it even can.
“The chaos there is something the FTC is going to be worried about,” said Vladeck, “because there were serious deficiencies which led to the consent order in the first place, and the FTC is going to want to make sure they’re doing what they’re supposed to do.”
Internal concerns about Twitter’s compliance obligations were reflected in a Slack message viewed by CNN earlier this week, in which an employee warned colleagues that Musk could try to put responsibility for certifying FTC compliance onto individual engineers at the company.
“This will put a huge amount of personal, professional and legal risk onto engineers,” the employee wrote, adding that the new risks created by Musk could be “extremely detrimental to Twitter’s longevity as a platform.”
Matt Blaze, a professor of computer science and law at Georgetown University, urged Twitter employees to seek professional legal counsel “before signing anything or making any statement to regulators.”
“This is a bus you do NOT want to be thrown under,” Blaze tweeted.
FTC consent orders carry the force of law and any violations, if proven, could involve significant penalties including fines, restrictions on how Twitter can run its business and even potential sanctions on individual executives.
The company’s latest consent agreement was announced this spring after FTC allegations that Twitter misused user account security information, such as phone numbers and email addresses, for advertising purposes. The resulting consent order expanded on a 2011 consent agreement Twitter signed with the FTC committing the company to maintaining a robust cybersecurity program.
This summer, Twitter’s former head of security, Peiter “Mudge” Zatko, claimed Twitter was not meeting those obligations in an explosive whistleblower disclosure first reported by CNN and The Washington Post. (Twitter has previously pushed back on Zatko’s allegations, saying that security and privacy have “long been top company-wide priorities.”)
Those claims, which predate Musk’s ownership, may already have put Twitter on the hook for billions of dollars in potential FTC fines, legal experts have said.
Now, the latest claims of Twitter’s violations could mean even more money is at stake, as well as possible individual liability for Musk himself. Any alleged violations would first have to be proven, and the FTC would need to decide whether to enforce, said Vladeck. But under those circumstances, he said, “I think it’s likely Musk would be named” in a future consent order. “After all, he has made clear that he and he alone is making key decisions.”
The FTC has increasingly signaled it could seek to hold individual executives personally accountable if they’re found to have been responsible for a company’s violations, naming them in future orders and imposing binding requirements on their future conduct, even if they leave the company. (Last month, the FTC showed its willingness to follow through, imposing sanctions on the CEO of alcohol delivery service Drizly.)
Foreshadowing such a move, FTC Chair Lina Khan told US lawmakers that Twitter’s former CEO Parag Agrawal could “absolutely” be held personally liable in connection with Zatko’s allegations, if they are proven accurate. The FTC has not confirmed whether it is investigating Zatko’s allegations, but on Thursday, it issued a rare statement saying the agency is watching the current situation closely. As news about the executive departures unfolded, the agency said it is “tracking recent developments at Twitter with deep concern.”
“No CEO or company is above the law, and companies must follow our consent decrees,” the FTC said. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”