The Security—And Legal—Headaches With Retail Twitter Accounts Just Got Worse, Thanks To The SEC

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

The United States Securities and Exchange Commission (SEC) has issued guidance allowing publicly traded companies to disclose "material nonpublic information" to the public through social media, provided investors have been told in advance which channels the company will use. In other words, if you have something you want to say to the public, instead of issuing a press release or putting it on your webpage, you can now comply with SEC rules by simply sending a tweet. But, as the Associated Press learned when its Twitter feed was hijacked, when a tweet goes out under your name it is not always clear that it was actually you who sent it.

Companies spend a great deal of money to manage their social media presence. They hire consultants and experts to craft a message that they will be putting out on Twitter. They monitor these networks for disgruntled customers and respond when customers mention their names.

However, because of the inherent insecurity of social networks, companies need to do more to ensure that their Twitter feeds, Facebook pages and other social networking accounts are secure. Otherwise, as the Associated Press learned, social networking can be decidedly antisocial.

The problem in such a case is usually not the security of the company as a whole. It is likely that the company's overall network was not compromised. Rather, what was compromised was the link between the company and its Twitter account: the credentials, and the workflow built around them, that connect the two.

Different companies manage their social media networks differently; some have a dedicated team that is responsible for posting things to social media. Others allow a group of individuals within the company to post messages. Others have no social network policy at all, allowing anyone within the company to post to social networks either on their personal accounts or on the company account. Still others use third-party companies to post tweets on their behalf.

Whatever the social media policy is, it must be enforceable. Anything posted on your company's account should actually be coming from you, which means of course that you need to be monitoring and securing the path by which posts reach that account.

This is particularly true now that the SEC is allowing companies to use social media for corporate disclosures. If an unauthorized third party were to get access to your Twitter account, they could post fake earnings, fake results or even a news item indicating that the CEO had died, was sick, had been kidnapped, or whatever. Even if this causes only a momentary glitch in the stock price, it can be used for market manipulation or to undermine investor confidence in the stock. Similarly, rumors about products, sales, earnings, recalls, mergers, acquisitions or other information could be posted on the hacked Twitter feed. Thus, it is critically important that companies not only monitor their own Twitter accounts continuously but also secure them.

But that is easier said than done. Access to most Twitter accounts or Facebook pages is controlled only by a user ID and password. Although a company may speak with only one voice, many people may have access to that voice. This is done either by sharing the Twitter or Facebook credentials among them, or by using some third-party application that relays posts into the Twitter or Facebook feed. If someone can obtain those credentials, by phishing, reuse of a leaked password or compromise of the relaying application, they can essentially become you.

A better approach is to require some form of multifactor authentication in order to access the Twitter account. Even if Twitter does not currently support multifactor authentication itself, the company can set up a system of its own whereby the individuals authorized to post must authenticate with a second factor before anything reaches the account, so that the account credential is never handed out to people at all. Any security or privacy assessment of the company should include an assessment of the security and privacy of access to its social media accounts.
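One way to build the kind of system described above, and to do the continuous monitoring recommended earlier, is a small posting broker that sits between authorized staff and the account. This is an added illustration, not code from the article or from Twitter: the broker, its `enrol`/`post` methods and the "feed" it writes to are hypothetical stand-ins (a real gateway would call the platform's API with the account credential it holds). The TOTP code check follows RFC 6238 (HMAC-SHA1, 30-second step, six digits) using only the standard library; the secrets and tweets in the usage are constructed sample data.

```python
"""Posting broker: per-user MFA in front of one shared social media account,
plus an audit log the public feed can be reconciled against.
Added example; broker and feed are hypothetical stand-ins, not a real API."""
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over a big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(now // step))


class PostingBroker:
    """Holds the one real account credential; the people posting never see it.

    Each authorized poster enrols a personal TOTP secret (in practice an
    authenticator app or hardware token). A post is forwarded to the account
    only when the caller proves possession of that second factor.
    """

    def __init__(self, account_credential: str):
        self._account_credential = account_credential  # never shared or returned
        self._posters: Dict[str, bytes] = {}            # user -> TOTP secret
        self._last_step: Dict[str, int] = {}            # per-user replay guard
        self.audit_log: List[dict] = []                 # what the broker published
        self.feed: List[str] = []                       # stand-in for the public feed

    def enrol(self, user: str, totp_secret: bytes) -> None:
        self._posters[user] = totp_secret

    def post(self, user: str, code: str, text: str,
             now: Optional[float] = None) -> bool:
        """Publish `text` as the company if `user` presents a fresh, valid code."""
        now = time.time() if now is None else now
        secret = self._posters.get(user)
        if secret is None:
            return False                      # not an enrolled poster
        step = int(now // 30)
        # Tolerate one step of clock skew either way, but never accept a step
        # at or before the last one this user already spent (no code replay).
        for candidate in (step - 1, step, step + 1):
            if candidate <= self._last_step.get(user, -1):
                continue
            if hmac.compare_digest(hotp(secret, candidate), code):
                self._last_step[user] = candidate
                self._publish(user, text, now)
                return True
        return False

    def _publish(self, user: str, text: str, now: float) -> None:
        # A real broker would call the platform API here using
        # self._account_credential; the feed list stands in for that.
        self.feed.append(text)
        self.audit_log.append({"user": user, "text": text, "time": now})


def find_unauthorized(feed: List[str], audit_log: List[dict]) -> List[str]:
    """Continuous monitoring: any post in the public feed that the broker never
    published came from someone who bypassed it (a hijacked account)."""
    approved = {entry["text"] for entry in audit_log}
    return [post for post in feed if post not in approved]


if __name__ == "__main__":
    # Constructed sample data: one enrolled poster, one rogue post.
    alice_secret = b"constructed-secret-for-alice"
    broker = PostingBroker("the-real-account-password")
    broker.enrol("alice", alice_secret)
    t = 1_700_000_000.0
    print(broker.post("alice", totp(alice_secret, t), "Q3 results are out", now=t))
    broker.feed.append("CEO hospitalized, board meets tonight")  # injected, not via broker
    print(find_unauthorized(broker.feed, broker.audit_log))
```

The two properties worth noting are that a stolen or shared password alone no longer suffices (the account credential lives only inside the broker) and that the audit log gives the monitoring team a ground truth: anything in the public feed that the broker did not publish is, by definition, unauthorized and can be pulled immediately.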

The SEC guidance is related to the insider trading rules. In general, a corporate insider with access to material nonpublic information is not permitted to trade on that information unless and until that information becomes public. Because social media can now be used to make that information public, a corporate insider could post a tweet "disclosing" the material nonpublic information and then, shortly thereafter, trade on the basis of that information, something they would have been prohibited from doing moments earlier. Compounding this, markets react immediately to information posted on social networking sites, often without validating the authenticity of the information. In fact, for computerized traders, it is frequently more important to be fast than to be right.

All of this means that companies need not only to secure their social media accounts but also to monitor them continuously. The Associated Press had the fake tweet taken down within minutes, which is pretty good but not quite fast enough. Remember, those who live by social media often die by it as well. Keeping this secure takes a good deal of planning, some knowledge and a lot of hard work. But in the end, it may be worth it. As long as you can explain your earnings in 140 characters.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.