by nradov 1407 days ago
Wrong. Under US federal law, Twitter has no legal obligation to protect PII. Internal controls for user data are optional.

https://pro.bloomberglaw.com/brief/data-privacy-laws-in-the-...

To be clear, I am not thrilled with this situation. But even if social networks were legally required to protect PII they would still suffer occasional breaches by advanced persistent threats and state intelligence agencies. Don't post anything important on social media. Just pictures of family vacations and such.


While you may be correct about criminal law, I'm certain this would impact their SOX compliance (https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act) and would put their ability to participate and operate in US securities markets in serious jeopardy.
Wrong again. That law only covers financial controls. It doesn't address user data.
SOX compliance has expanded in recent years to cover a gamut of cybersecurity process and policy. Go look it up. I recently compiled all the documentation necessary for a client I am serving in order to pass. It includes handling of PII, access controls for code repositories and production environments, and tools for ensuring code quality like performing static analysis and mitigating DDoS attacks, such as a decent WAF.
Yes I have looked it up and you obviously have no clue what you're talking about. The law is the law, and regardless of what nonsense some random corporate trainer might have fed you, SOX compliance requirements haven't expanded in recent years. Go read the actual law instead of spreading misinformation.

Some businesses do require their partners to have additional controls on PII handling. But that's purely a business issue and has no relationship to SOX.

This is in the medical and recreational marijuana space, which may have additional requirements, but I am telling you exactly what the auditors themselves are asking for. I'm not talking out of my ass here.
You're talking out of your ass here. Your auditors may be checking various things for a variety of unrelated reasons, but it has nothing to do with SOX.

Read the law. Seriously, it's posted online. You can just go look.

Has a SOX compliance case regarding personal information ever been tried in court?
I don't know. I'm a techie assisting with audit, not finance/legal.
Wrong and small-minded.

Twitter is an international company with international users, and the law protects the users of that country/legislation.

Under GDPR, and other international laws, PII is legally protected.

Even if you're an American company, you can't disregard laws of other countries if they're going to be using your product.