A basic privacy law tenet for companies is to only use personal information as they say they will. According to the DOJ and FTC, Twitter did not do this, leading to its recent $150-million settlement resolving allegations that it misused users’ phone numbers uploaded for security purposes to target advertising. With insights from former FTC chief of staff and former Twitter counsel, we analyze the case and the settlement terms, discuss their broader implications and offer lessons for companies in improving their own information security and privacy compliance programs and disclosure practices. See “Disputed Twitter Fine Offers Breach Response Lessons” (Jan. 20, 2021).