Blowing the Whistle on Twitter

There has never been much doubt that the tech giants do not take government regulation seriously, but it is helpful to get confirmation of that from inside the corporations. This is the import of a whistleblower complaint from the former security head of Twitter that has just become public.

Peiter Zatko submitted a document to the SEC, the Justice Department and the Federal Trade Commission accusing top company executives of violating the terms of a 2011 settlement with the FTC concerning the failure to safeguard the personal information of users. The agency had alleged that “serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.”

Zatko’s complaint, which will play into the company’s ongoing legal battle with Elon Musk over his aborted takeover bid, alleges that Twitter did not try very hard to comply with the FTC settlement and that it prioritized user growth over reducing the number of bogus accounts.

These accusations are far from surprising. In fact, three months ago Twitter agreed to pay $150 million to resolve a case brought by the FTC and the Justice Department alleging that it was in breach of the 2011 settlement for having told users it was collecting their telephone numbers and email addresses for account-security purposes while failing to disclose that it also intended to use that information to help companies send targeted advertisements to consumers.

Since Zatko was fired by Twitter in January, he is in no position to describe company behavior since the most recent settlement. It is difficult to believe that the $150 million fine will be sufficient to get Twitter to become serious about data protection.

Twitter is not the only tech company with a checkered history in this area. In 2012 Facebook and the FTC settled allegations that the company deceived consumers by telling them they could keep their information private and then repeatedly allowed it to be shared and made public. Facebook agreed to change its practices.

As with Twitter, it eventually became clear that Facebook was not completely living up to its obligations. The FTC brought a new action, and in 2019 the company had to pay a penalty of $5 billion for continuing to deceive users about their ability to control the privacy of their data. The settlement also put more responsibility on the company’s board to make sure that privacy protections are enforced, and it enhanced external oversight by an independent third-party monitor.

Zatko’s allegations may prompt the FTC to seek new penalties against Twitter that go beyond the relatively mild sanctions in the settlement from earlier this year.

The bigger question is whether regulators and lawmakers are willing to find new ways to rein in a group of mega-corporations. The effort in Congress to enact new tech industry antitrust measures seems to have fizzled out for now. Such initiatives need to be revived. We cannot let an industry that plays such a substantial role in modern life think it is above the law.

The Pill Mills of the Fortune 500

The downfall of Purdue Pharma illustrated the role played by drugmakers in the opioid crisis. Large settlements paid by the likes of McKesson and AmerisourceBergen highlighted the culpability of the major drug wholesalers. Now more attention is being paid to the other players in the corrupt supply chain: pharmacies.

The assumption used to be that the main retail culprits were small pharmacies in places such as West Virginia that readily filled far more oxycontin prescriptions than would be expected to arise from legitimate use in their communities. Those businesses, like the unscrupulous clinics that wrote the prescriptions, are often called pill mills.

A decision just handed down by a federal court in San Francisco indicates that our understanding of that phrase needs to be revised. Following a bench trial, U.S. District Judge Charles Breyer ruled that the giant pharmacy chain Walgreens improperly dispensed hundreds of thousands of suspicious prescriptions for narcotic painkillers in the Bay Area over more than a decade.

“In exchange for the privilege of distributing and dispensing prescription opioids,” Judge Breyer wrote, “Walgreens has regulatory obligations to take reasonable steps to prevent the drugs from being diverted and harming the public. The evidence at trial established that Walgreens breached these obligations.”

Those regulatory obligations come from the Controlled Substances Act (CSA), a federal law which regulates the distribution of drugs ranging from Xanax to fentanyl. As shown in Violation Tracker, the U.S. Justice Department and the Drug Enforcement Administration have brought about two dozen successful CSA actions against large pharmacy chains, including those operated by the big supermarket companies.

In 2013 Walgreens had to pay $80 million to resolve a DEA case involving what the agency called “an unprecedented number of record-keeping and dispensing violations.” CVS, another pharmacy goliath, has paid out over $130 million in a dozen CSA cases.

These amounts are likely to be dwarfed by the damages against Walgreens in the San Francisco case, which have yet to be determined. Walgreens and CVS, along with Walmart, are also embroiled in an opioid test case brought by two counties in Ohio. The plaintiffs are seeking a payout of several billion dollars to help pay for addiction services.

If those Ohio counties are successful, it would give a green light to several thousand other cases that have been filed around the country and are being treated as a multidistrict action. On top of that, Walgreens, CVS and Walmart are facing a slew of opioid cases brought by the Cherokee Nation and other tribes.

It is unlikely that Walgreens or CVS will suffer the same fate as Purdue Pharma, which had to file for bankruptcy and agree to turn itself into a public benefit company while its owners, the Sackler Family, had to promise to pay out billions. CVS, which generated nearly $8 billion in profits last year, is particularly well positioned to handle the massive settlements to come.

The real question is whether it and Walgreens will own up to their misconduct and get serious about complying with their obligations to prevent opioid abuse.

Another Crooked Bank

When one large corporation is found to be breaking the law in a particular way, there is a good chance that its competitors are doing the same thing. The latest evidence of this comes in an announcement by the Consumer Financial Protection Bureau concerning U.S. Bank.

The CFPB fined the bank $37.5 million for illegally accessing credit reports and opening checking and savings accounts, credit cards, and lines of credit without customers’ permission. U.S. Bank employees were said to have done this in response to management pressure to sell more financial products and thus generate more fee revenue.

If this sounds familiar, it is exactly what came to light in 2016 regarding Wells Fargo, which was initially fined $100 million by the CFPB for the fraudulent practice and subsequently faced a wave of other legal entanglements, including a case brought by the U.S. Justice Department in which Wells had to pay $3 billion to resolve civil and criminal charges.

The U.S. Bank case has not yet generated the tsunami of outrage that accompanied the revelations about the phony accounts at Wells. Perhaps that is because it is the middle of the summer. Yet chances are that the CFPB’s enforcement action will not be the only punishment the bank will face.

U.S. Bank’s practices were no less egregious than those of Wells. According to the CFPB, the management of the bank, which currently has more than half a trillion dollars in assets, was aware for more than a decade that its employees were creating fictitious accounts.

And like Wells, U.S. Bancorp has a long history of questionable behavior. Violation Tracker documents more than $1.2 billion in penalties from 40 cases dating back to 2000. Half of the total comes from offenses involving serious deficiencies in anti-money-laundering practices, including a 2018 case in which the bank had to pay $453 million to settle criminal charges brought by the U.S. Justice Department plus another $75 million to the Office of the Comptroller of the Currency to resolve civil allegations.

In 2014 U.S. Bank had to pay $200 million to settle allegations that it violated the False Claims Act by knowingly originating and underwriting mortgage loans insured by the Federal Housing Administration that did not meet applicable requirements. The bank also had a previous run-in with the CFPB, which penalized it $53 million in 2014 for unfairly charging customers for credit identity protection and credit monitoring services they did not receive.

It is likely that U.S. Bank’s penalty total will rise substantially through additional cases prompted by the CFPB’s latest allegations, which include accusations the bank violated not only the Consumer Financial Protection Act but also the Fair Credit Reporting Act, the Truth in Lending Act, and the Truth in Savings Act.

Apart from monetary penalties, U.S. Bank may face an additional form of punishment applied to Wells: in 2018 the Federal Reserve restricted the growth of the firm until it cleaned up its practices and improved its governance. Since fines have proven to be a weak deterrent against corrupt practices at major financial institutions, more aggressive measures provide the only hope of bringing the big banks under control.