[nradov]

Not to defend the incompetent jerks who run Twitter or anything, but only a complete idiot would have ever trusted them with private or damaging information (including metadata such as locations). Twitter never made any reliable, verifiable guarantees about security or internal controls.

[TaylorAlexander]

What I have found, as a technical person, is that things like metadata which are obvious to me may be unknown to most regular people. A person can be very smart and yet not know about how computers work, or how silicon valley works.

[m00x]

It's not a matter of Twitter giving guarantees about optional data. This is PII, which has to be protected legally.

Internal controls at a company of the size of Twitter is no longer optional. You don't have to intend malice to be guilty of negligence.

Equifax never gave guarantees of security and data safety either, but it's understood that they should be responsible.

[nradov]

Wrong. Under US federal law, Twitter has no legal obligation to protect PII. Internal controls for user data are optional.

https://pro.bloomberglaw.com/brief/data-privacy-laws-in-the-...

To be clear, I am not thrilled with this situation. But even if social networks were legally required to protect PII they would still suffer occasional breaches by advanced persistent threats and state intelligence agencies. Don't post anything important on social media. Just pictures of family vacations and such.

[weard_beard]

While you may be correct about criminal law, I'm certain this would impact their SOX compliance (https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act) and would put their ability to participate and operate in US securities markets in serious jeopardy.

[nradov]

Wrong again. That law only covers financial controls. It doesn't address user data.

[weard_beard]

SOX compliance has expanded in recent years to cover a gamut of Cybersecurity process and policy. Go look it up. I recently compiled all the documentation necessary for a client I am serving in order to pass. It includes handling of PII, access controls for code repositories and production environments, and tools for ensuring code quality like performing static analysis and mitigating DDOS attacks such as a decent WAF.

[nradov]

Yes I have looked it up and you obviously have no clue what you're talking about. The law is the law, and regardless of what nonsense some random corporate trainer might have fed you, SOX compliance requirements haven't expanded in recent years. Go read the actual law instead of spreading misinformation.

Some businesses do require their partners to have additional controls on PII handling. But that's purely a business issue and has no relationship to SOX.

[MichaelZuo]

Has an SOX compliance case regarding personal information ever been tried in court?

[weard_beard]

I don't know. I'm a techie assisting w/ audit not finance/legal.

[m00x]

Wrong and small minded.

Twitter is an international company with international users, and the law protects the users of that country/legislation.

Under GDPR, and other international laws, PII is legally protected.

Even if you're an American company, you can't disregard laws of other countries if they're going to be using your product.