Musk’s bizarre acquisition of Twitter has resulted in a series of eclectic lawsuits and investigations.

Sounding the alarms–Dark money and Cybersecurity

In his testimony before Congress on September 13, 2022, Peiter Zatco said, “Twitter’s security failures threaten national security, compromise the privacy and security of users, and … the Company.” Zatco, a data security expert, joined Twitter as “Security Lead” after a Florida teenager hacked the accounts of high-profile celebrities in 2020. Following his departure from the company, Zatco filed a federal whistleblower complaint detailing the platform’s vulnerability and the reckless mismanagement of the company. The disclosure—surely to be adapted into a screenplay—includes allegations of foreign infiltration, systemic cover-ups, and cybersecurity negligence.

In August 2022, a former Twitter manager was convicted of acting as a secret agent for Saudi Arabia. Certain account information—phone number, IP address, and birthdate—of Twitter users critical of Saudi Arabia, were sold to Saudi Arabia. This should come as no surprise considering that Kingdom Holding Company, a Saudi conglomerate, is the second largest investor in Twitter. Let that sink in. According to Zatco’s complaint, Twitter was aware that other foreign state actors were collecting and selling data, and that executives failed to implement policies limiting and tracking employee access to user data. While the internal cybersecurity nightmares continued, Twitter maintained the façade of security compliance with the Federal Trade Commission (FTC) and its Shareholders.

Cybersecurity Securities Class Action

Soon after Zatco’s testimony before Congress, a securities class action lawsuit was lodged against Twitter. William Baker v. Twitter, Inc. Et Al, was filed in the Central District of California on behalf of Twitter investors who purchased or traded the company’s securities between August 3, 2020, and August 23, 2022.

The complaint alleges that the Defendants made a materially false statement and mislead shareholders by failing to disclose that: (1) Twitter knew about security concerns on their platform; (2) Twitter actively worked to hide the security concerns from the board, the investing public, and regulators; (3) contrary to representations in SEC filings, Twitter did not take steps to improve security, and (4) Twitter’s active refusal to address security issues increased the risk of loss of public goodwill. To substantiate the loss of public goodwill, the complaint pointed to Twitter shares falling over 7% upon the publication of Zatco’s disclosure.

While it may be years before the Plaintiff moves to certify the class, a swift settlement would alleviate Twitter’s limited resources and reduce the overall cost of litigation. Musk’s crude decision to deplete Twitter’s legal department leaves the company ill-equipped to defend itself against the surge of lawsuits and investigations it faces.

“No CEO or company is above the law”

In 2011, Twitter entered into a consent decree with the Federal Trade Commission (FTC) after an investigation revealed that Twitter profited by dispersing its users’ security data to advertisers. Twitter was required to establish and maintain a comprehensive security program and was barred from misleading the public about protocols the company put in effect to prevent unauthorized access to its users’ private information. After years of violating the agreement, in May 2022, the company was ordered to pay $150 million in civil penalties and was required to expand its cybersecurity measures.

The 2022 consent decree significantly limits Twitter’s ability to make major changes to the company. Under the new agreement, Twitter must notify the FTC before launching any new product or service that records users’ data. This might have required the company to disclose its new monthly subscription plan—an $8 verification badge that facilitates users to create verified parody accounts.

Twitter must also routinely test its cybersecurity safeguards and report annual compliance certifications to the FTC from a senior officer, in addition to other obligations. Following Musk’s takeover in late October, roughly 3,700 Twitter employees have been laid off including its deputy general counsel, Jim Baker.

Meanwhile, executives crucial to maintaining FTC compliance have made a swift exit including Twitter’s Head of Trust and Safety Yoel Roth, as well as the Chief Information Security Officer Lea Kissner, and Chief Privacy Officer Damien Kieran.

In response to the chaos that has ensued since Musk’s takeover, Lina Kahn, FTC Chair, issued a statement noting that the FTC is “tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees.”