IT IS ORDERED that respondent... establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information.
Computer security 101 says that there should be one set of checks for the information (parsimony of mechanism), all access goes through that mechanism (complete intermediation), and as few people/things have access to the data as possible (least privilege).
Making sure all private data goes in the vault and the vault is secure shouldn't take more than 1% of an organization the size of Twitter. Even if they're doing it poorly, it shouldn't be more than 10%.
If it really is 5x (> 80% of their engineering budget), I guarantee you they are in violation of the consent decree -- there is no way to vet that many engineers or audit their work!
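The three principles named in that comment can be shown in a few dozen lines. The following is an added example, not code from the thread or from any company discussed in it: a small "vault" for nonpublic consumer records in which one policy table is the single set of checks, one `read()` method is the only path to the data, and each (role, purpose) pair is limited to the fields it needs. The roles, purposes, field names and the sample record are all constructed for illustration, and the `denial_counts()` helper stands in for the kind of signal a privacy or detection tool would watch.

```python
"""Added example: a single-mediator vault for nonpublic consumer data.

Economy of mechanism: one policy table, one check.
Complete mediation:   every read passes through ConsumerVault.read() and is logged.
Least privilege:      each (role, purpose) sees only the fields that purpose needs.
All names, roles and data below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple
import time


class AccessDenied(Exception):
    """Raised when a request fails the vault's single policy check."""


# Hypothetical policy table (constructed). A field that appears under no
# (role, purpose) pair, such as "ssn" here, is reachable by nobody.
POLICY: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("support", "ticket_handling"): frozenset({"name", "email"}),
    ("billing", "invoice"): frozenset({"name", "email", "postal_address"}),
    ("fraud", "investigation"): frozenset({"name", "email", "postal_address", "last4_card"}),
}


@dataclass(frozen=True)
class AuditEntry:
    ts: float
    principal: str
    role: str
    purpose: str
    consumer_id: str
    fields: Tuple[str, ...]
    allowed: bool


class ConsumerVault:
    """The one place that holds nonpublic consumer records in clear."""

    def __init__(self, records: Dict[str, Dict[str, str]]) -> None:
        # Python cannot enforce privacy of this attribute; in a real deployment
        # the store sits behind a service whose only endpoint is read() below.
        self._records = records
        self.audit_log: List[AuditEntry] = []

    def _log(self, principal, role, purpose, consumer_id, fields, allowed) -> None:
        self.audit_log.append(AuditEntry(time.time(), principal, role, purpose,
                                         consumer_id, tuple(sorted(fields)), allowed))

    def read(self, principal: str, role: str, purpose: str,
             consumer_id: str, fields: Iterable[str]) -> Dict[str, str]:
        """Complete mediation: every read goes through this one check and is logged."""
        requested = frozenset(fields)
        permitted = POLICY.get((role, purpose), frozenset())
        if not requested or not requested <= permitted:
            self._log(principal, role, purpose, consumer_id, requested, False)
            raise AccessDenied(f"{role}/{purpose} may not read {sorted(requested - permitted)}")
        record = self._records.get(consumer_id)
        if record is None:
            # Log and deny rather than "not found": do not confirm which ids exist.
            self._log(principal, role, purpose, consumer_id, requested, False)
            raise AccessDenied("request denied")
        self._log(principal, role, purpose, consumer_id, requested, True)
        return {f: record[f] for f in requested if f in record}


def attempt(vault: ConsumerVault, principal: str, role: str, purpose: str,
            consumer_id: str, fields: Iterable[str]) -> Optional[Dict[str, str]]:
    """Convenience wrapper: the permitted subset of the record, or None if refused."""
    try:
        return vault.read(principal, role, purpose, consumer_id, fields)
    except AccessDenied:
        return None


def denial_counts(vault: ConsumerVault) -> Dict[str, int]:
    """Detection hook: denied reads per principal, the signal a privacy tool
    would alert on when it climbs for one caller."""
    counts: Dict[str, int] = {}
    for entry in vault.audit_log:
        if not entry.allowed:
            counts[entry.principal] = counts.get(entry.principal, 0) + 1
    return counts


# Constructed sample record; every value is fake.
SAMPLE_RECORDS = {
    "c-1001": {"name": "Ada Example", "email": "ada@example.test",
               "postal_address": "1 Example Street", "last4_card": "4242",
               "ssn": "000-00-0000"},
}


def build_demo_vault() -> ConsumerVault:
    return ConsumerVault(dict(SAMPLE_RECORDS))


if __name__ == "__main__":
    v = build_demo_vault()
    print(attempt(v, "alice", "support", "ticket_handling", "c-1001", ["email"]))
    print(attempt(v, "alice", "support", "ticket_handling", "c-1001", ["ssn"]))
    print(attempt(v, "bob", "billing", "invoice", "c-1001", ["postal_address"]))
    print(denial_counts(v))
```

The point of the shape is that a reviewer only has to vet `POLICY` and `read()`, not every caller: an engineer who asks for a field outside their purpose gets a logged denial rather than a silent success, which is also why the audit trail, not engineer diligence, is what the verification tooling should consume.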
5x may be hyperbole, but every change you make has to go through a privacy review. Sometimes even proposing to make a change can be met with great friction.
Any security architecture that requires every single engineer to do everything exactly right 100% of the time is bound to fail. The order to put in reasonable privacy protections doesn't say "and do it in the most expensive, error prone fashion possible".
It’s actually pretty standard operating mode for many big tech adjacent, regulated industries. They don’t necessarily expect you to be 100% perfect, but they do expect you to build in such a way that their privacy tools can inspect things and you get urgent tasks filed if something doesn’t meet spec.
What they want is additional work, and technical implementation that the agreements are being enforced in code. It’s a fascinating area for a career, but the tools are not well developed and engineers are not trained to code this way. Ends up being like a 40% tax on a lot of people’s work, plus the people who write and operate the verification systems.
It’s probably what the security field should have done years ago, but there were never fines as expensive as those for privacy violations.