5 Compliance Lessons from the Explosive Twitter Meltdown
The explosive complaint filed with the SEC, DOJ, and FTC about security meltdowns at Twitter has all the best compliance problems: a fired whistleblower, lies to the board of directors, misaligned management incentives…even an agent of a foreign government being on the payroll with access to information on dissidents.
Whew! As Zatko is slated to speak in front of Congress on Tuesday, it’s worth looking at his story for compliance lessons.
A couple of weeks ago, the Washington Post and CNN obtained copies of the complaint filed by Twitter’s former head of security, Peiter Zatko. Mr. Zatko was an admired hacker known as “Mudge” who had been hired by Jack Dorsey, the previous CEO at Twitter, to help find vulnerabilities and evaluate security. When Dorsey left, Zatko was fired. According to the complaint, Zatko was fired because he repeatedly sounded the alarm about terrible security practices and was met with a total unwillingness to solve the problems. After that, he became a whistleblower.
Twitter has disputed the allegations raised by Zatko, but regardless of the ultimate outcome of the investigation, the complaint itself and surrounding communications have important lessons for compliance professionals. We can always use a good scandal to remind our leaders and the board about what not to do.
Here are the top five lessons from the Twitter uproar.
No. 1: The Board Needs the Truth to Dig for the Truth
When a disaster like this one strikes, the first question is: where was the board in this?
According to the complaint – nowhere – because no one told them. The Washington Post reported that “executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes.”
Board oversight is critical to ensure a company is doing the right thing. It can be scary for compliance, finance, or anyone else to report bad outcomes, but it is necessary. The cliché “don’t shoot the messenger” is a cliché for a reason. People often blame the person delivering the bad news for the existence of the news.
Board members need to create a culture where bad news is accepted and responded to appropriately. Likewise, we in compliance can’t be afraid to tell the truth about what is happening, especially when things go wrong.
Create relationships with individual board members. Work to cultivate trust. Push to have non-executive sessions as part of the board meetings where the in-house executives leave the room, and the compliance officer is alone with the non-executive directors. Make sure there is an opportunity to work directly with board members so that bad compliance news isn’t just buried.
No. 2: Watch the Outcome of Whistleblowers
Some of Zatko’s allegations are shocking.
Twitter holds vast amounts of sensitive personal data about its users, including personal phone numbers and email addresses of celebrities, political operatives, and heads of state. Dissidents communicate over the site at grave personal risk. But despite this, Zatko alleges that Twitter didn’t log which engineers visited which profiles, nor did it have appropriate controls to protect this kind of sensitive personal information from curious people working at the company.
This has led to bad outcomes.
This month, an ex-Twitter employee was convicted of using his position at the company to spy on Saudi government critics and dissidents in exchange for cash and gifts furnished by a close aide of Crown Prince Mohammed bin Salman.
Zatko’s complaint alleges that Twitter was forced to employ an agent of the Indian government with access to user data at a time of intense protests within the country.
A whistleblower providing this kind of information internally can be a great gift for the company so it can properly investigate and manage the situation without it becoming public or creating continuing threats.
Put together a protocol for following up with whistleblowers. It’s important to remember that whistleblowers make a company better and more secure when they expose problems. A protocol for follow-up can make the company stronger.
This can include:
Checking in regularly with whistleblowers to update them on the status of the investigation and its outcome.
Following up with them one month, three months, six months, and twelve months after their initial report, then at least annually to ensure they aren’t subject to retaliation.
Obtaining copies of the whistleblower’s annual performance evaluation each year after the report to ensure it accurately reflects performance. If performance drops off dramatically, investigate to validate that there isn’t bias or retaliation driving the outcome.
No. 3: Avoid Making Reactive Policies
There is an old adage that “hard cases make bad law.” This is a criticism of the US and UK common law judicial system, where broadly based rules often come out of a court decision with a single set of facts. The outcome may be right for the circumstance at hand but extrapolating that ruling to cover all similar fact patterns may create poor outcomes.
The same is true when policies and procedures are created retrospectively to account for mistakes. The Zatko complaint states that at Twitter, “policies are often written in response to external events, or ‘fires’ rather than being informed by analysis of the current or emerging threats for the platform.” It also states that “reactive policies and procedures have driven Twitter to act in a constant state of crisis.”
Use the risk assessment to create a list of policies and procedures that need to be put into place or updated to deal with risks facing the company and its vulnerabilities. Whenever possible, proactively determine which policies or procedures are necessary to aid the company in risk mitigation.
When a policy or procedure needs to be created or updated in response to a crisis, evaluate how the changed policy would operate in a wide variety of circumstances. There is a danger of over- or under-reacting during a crisis. Think holistically about the risk environment when revising policies and procedures, not solely in response to what just happened.
No. 4: Review Misaligned Incentives
Zatko alleges that financial incentives were misaligned with good security and investment in data protection. The Post notes that, “Executives stood to win individual bonuses of as much as $10 million tied to increases in daily users…and nothing explicitly for cutting spam.” This misalignment meant that executives would focus their attention on growing the user base, even if that meant ignoring that bots were a major source of growth that ultimately worsened the legitimate user experience.
Work with senior leadership to get a seat at the table when it comes to bonus programs and sales incentives. Create exercises where the senior leaders think through what could happen if the incentives are misaligned with the overall goals of the company.
Sales incentives that become destructive to an ethical culture don’t serve anyone.
No. 5: Stop the Silos
The complaint alleges that one of the reasons the security issues were so great is that “organizational siloing” contributed strongly to a culture in which “Twitter [was] consistently behind the curve in actioning against disinformation and misinformation threats.”
Silos stop information from reaching the people who need to work together to address risk.
Set up cross-functional working groups to tackle difficult compliance-related issues like modern slavery prevention and data privacy. Ensure that audit findings and reports are visible to those who need to see them. Create opportunities for cross-collaboration whenever possible. Make friends with those leading other functions and business units so communication is easier.
If proven true, Zatko’s complaint details some dire issues and problems for Twitter. As he wrote in his complaint, “Ultimately, these gaps mean that though Twitter is a global company with a global mission, it is not currently set up to deliver globally on trust and safety.” Every company is at risk of failing in its mission if the board isn’t getting good information, whistleblowers are mistreated, policies are drafted retroactively, sales incentives are misaligned, and silos dominate the culture.
Taking the opportunity to learn from others’ mistakes is a gift. Let’s not miss this chance.
CEO of Spark Compliance Consulting
Kristy Grant-Hart is the founder and CEO of Spark Compliance.
She’s a renowned expert at transforming compliance departments into in-demand business assets.