Dechert Cyber Bits - Issue 59

Dechert LLP

U.S. Court Axes Most of SEC's SolarWinds Data Breach Suit

The U.S. District Court for the Southern District of New York recently dismissed much of the U.S. Securities and Exchange Commission’s (“SEC”) suit against SolarWinds Corp., which was partially based on allegedly misleading comments SolarWinds made after a series of 2020 cyberattacks that exploited SolarWinds’ Orion software platform to infiltrate U.S. government networks.

The SEC had alleged that SolarWinds: (i) prior to the cyberattacks, misleadingly touted its cybersecurity practices and products and understated its cybersecurity risks; and (ii) misled the investing public about the series of cyberattacks it experienced in 2020. The Court’s opinion dismissed all claims related to SolarWinds’ post-cyberattack statements, holding that: (i) the SEC’s claims relied on hindsight and speculation; and (ii) the statements at issue appeared factually accurate and not misleading to investors. That said, the Court did allow the SEC to continue to pursue certain securities fraud charges based on allegedly misleading statements made by SolarWinds prior to the attack, such as detailed statements regarding cyber strategy, access controls, and password protection practices found on SolarWinds’ website.

Takeaway: This was a major blow to the SEC, and a welcome development for those who believe the SEC’s “blame the victim” mentality and after-the-fact second-guessing of incident responses is unfair and unproductive, especially when companies are faced with a sophisticated nation-state threat actor. Unfortunately for the head of SolarWinds’ information security group, the Court did not dismiss the claims against him entirely. This likely will have a chilling effect on qualified candidates seeking these roles, exacerbating an already difficult recruiting pool for public companies. Despite this setback, we don’t expect the SEC to dial back its aggressive approach to cybersecurity regulatory actions. This is unfortunate, as one of the best ways to beat these attacks in the future is for industry to cooperate with government. The most important thing is for public companies to be sure that their disclosures are consistent with the reality of their information security program: the statements that survived dismissal were specific, pre-incident descriptions of access controls and password practices, which is exactly the kind of claim that can be checked against how the program actually operates.

FTC Proposed Settlement Bans NGL Labs and Founders from Marketing Anonymous Messaging Apps and Mandates $5 Million in Fines

On July 9, 2024, the U.S. Federal Trade Commission (“FTC”) announced a proposed order with NGL Labs, LLC (“NGL”) and its co-founders (collectively, “the Defendants”) to resolve allegations that their anonymous messaging app (“NGL App”) and in-app subscription service (“NGL Pro”) had violated Section 5 of the FTC Act, the Restore Online Shoppers’ Confidence Act (“ROSCA”), the Children’s Online Privacy Protection Act (“COPPA”), and the California Business and Professions Code. The FTC, alongside the Los Angeles County District Attorney (“People of California”), filed the complaint (“Complaint”) on July 9, 2024 in the Central District of California. The Complaint alleged, among other things, that the Defendants: (i) deceived consumers with fake messages and tactics for the purpose of increasing product usage; (ii) targeted kids and teens with their services but did not comply with COPPA; (iii) failed to disclose material terms and obtain consumer consent prior to making recurring charges; and (iv) misrepresented that their artificial intelligence (“AI”) would filter out harmful messaging and prevent cyberbullying. As part of the settlement, NGL did not admit or deny any wrongdoing.

Under the stipulated proposed order (“Proposed Order”), the Defendants would be required to pay $4.5 million to the FTC and $500,000 to the People of California. Among other things, the Defendants would also: (i) be banned from marketing the NGL App to anyone under 18 and be required to implement an age gate that prevents user access if the user is under 18; (ii) be prohibited from making misrepresentations regarding the sender of messages on apps or regarding the capabilities of their AI; and (iii) be prohibited from making misrepresentations about and be required to obtain express consent regarding negative option subscriptions. FTC Commissioners Melissa Holyoak and Andrew Ferguson released separate concurring statements. Commissioner Ferguson’s concurring statement (“Concurring Statement”), in which he was joined by Commissioner Holyoak, limits the breadth of the Proposed Order by stating that “Section 5 [does not] categorically prohibit[] marketing any anonymous messaging app to teenagers” as “anonymity is an important constitutional value.”

Takeaway: It’s no secret that regulators have become increasingly focused on protecting the privacy and security of minors, even when doing so may limit free speech, and the FTC’s Proposed Order is evidence not only of this proposition, but also of the FTC’s increasing willingness to work with state and local governments to further this goal. Interestingly, the settlement requires the company to implement a neutral age gate and to restrict users it has actual knowledge are under eighteen, even though COPPA’s protections apply only to users under age 13. So, it seems yet another case of the FTC regulating through an enforcement action that goes beyond what the law currently requires. Companies will want to continuously review the statements they make about their AI capabilities, in particular claims that an AI system filters, blocks, or detects harmful content, to be sure that all such claims are truthful and match what the system actually does.

EU Digital Operational Resilience Act – New Standards Published with Six Months Left to Comply

July 17, 2024, marked six months until the EU’s Digital Operational Resilience Act (“DORA”) is scheduled to go into effect. It also was the deadline for regulators to issue standards with which financial entities will be required to comply.

DORA—which goes into effect on January 17, 2025—is intended to harmonize and enhance IT requirements for EU financial entities (including investment firms, banks and insurance companies). In-scope financial entities will be required to: (a) ensure their risk management frameworks conform to detailed requirements; (b) comply with incident reporting obligations; (c) implement protocols for resilience testing (such as penetration tests and testing business continuity policies); and (d) manage third-party IT risk, including by ensuring that contracts with IT service providers include specific terms.

The newly published regulatory technical standards (“RTS”), which add details to particular compliance requirements, cover (amongst other things) threat-led penetration testing and the content of IT incident reports. This second batch of RTS follows an earlier set that covered classification of IT incidents, detailed requirements for risk management frameworks, and templates for financial entities’ register of third-party service providers. Further RTS on subcontracting IT functions are yet to be published.

Takeaway: DORA is a prescriptive piece of legislation that will take time to implement fully. Even financial entities with robust risk management frameworks will be required to adapt to DORA’s specific requirements, if they have not done so already. With only six months left to comply, many financial entities will want to accelerate their DORA compliance programs to ensure they have the policies, protocols, and contractual provisions in place to comply from January 17, 2025. For more detail, see Dechert’s overview of DORA for asset managers.

FAQs on EU-U.S. Data Privacy Framework

The European Data Protection Board (“EDPB”) has issued FAQs on the EU-U.S. Data Privacy Framework (the “DPF”) for businesses in the EEA. U.S. companies that self-certify to the DPF are considered capable of providing a legally “adequate” level of protection for personal data, which allows personal data to be transferred to them from the EEA in compliance with GDPR restrictions.

The FAQs explain that only U.S. companies subject to investigatory and enforcement powers of the U.S. Federal Trade Commission or of the U.S. Department of Transportation can self-certify under the DPF. This means that banks and insurance companies, for example, cannot currently benefit from the DPF. However, the FAQs suggest that the DPF may be made available to companies under the remit of other U.S. regulators at some point in the future.

The FAQs emphasize that data exporters should make sure they understand the scope of the data importer’s DPF certification to ensure it covers the data transfers in question (for example, that the certification covers the relevant categories of data and any relevant subsidiaries). The FAQs also highlight that the DPF only addresses one aspect of GDPR compliance, namely the specific restrictions on international transfers of data. When sending personal data to DPF-certified recipients, data exporters must also consider their other obligations under the GDPR.

Takeaway: Although the DPF is a useful (and, for data exporters, relatively hassle-free) option in many cases, the FAQs identify some of the limitations of the DPF and highlight the care that data exporters will want to take when exporting to DPF-certified data importers. Data exporters should be mindful that DPF certifications do not always cover all categories of personal data or all group entities, and that the DPF does not address all aspects of GDPR compliance relevant to data sharing.

Dechert Tidbits

FTC Chair Lina Khan Testifies Before House Subcommittee on Innovation, Data and Commerce

U.S. Federal Trade Commission (“FTC”) Chair Lina M. Khan testified before the House Energy and Commerce Subcommittee on Innovation, Data and Commerce on July 9, 2024, detailing what she characterized as the FTC’s efforts to protect consumers’ privacy and data security, combat fraud, and protect historically underserved communities. Khan highlighted several aspects of the FTC’s work, including confronting challenges posed by AI. Chair Khan noted that the FTC will use its existing legal authority to act against illegal practices that involve AI, such as training AI using data obtained without consent or fraud perpetrated through the use of AI.

CPPA Publishes Draft Regulations for Potential Rules on Automated Decision-Making Technology, Risk Assessments, and Cybersecurity Audits

In advance of a meeting of the California Privacy Protection Agency (“CPPA”) Board, the CPPA released updated draft regulations that, if enacted, would include, among other things, changes to existing CPPA regulations concerning rights requests, cyber risk assessments, and cybersecurity audits. The updated draft regulations also focus on automated decision-making technology (“ADMT”)—defined as “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” In particular, the updated draft regulations include proposed new consumer rights to access, opt-out, and appeal decisions made by ADMT.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Dechert LLP
