
Dechert Cyber Bits – Issue 59 | Dechert LLP

US court dismisses most of SEC’s SolarWinds data breach lawsuit

The United States District Court for the Southern District of New York recently dismissed a significant portion of the U.S. Securities and Exchange Commission’s (“SEC”) lawsuit against SolarWinds Corp., which was based in part on SolarWinds’ allegedly misleading statements after a series of cyberattacks in 2020 that used SolarWinds’ Orion software platform to infiltrate U.S. government networks.

The SEC alleged that SolarWinds (i) misrepresented its cybersecurity practices and products prior to the cyberattacks and understated the level of cybersecurity risk; and (ii) misled investors about a series of cyberattacks it experienced in 2020. The court dismissed all claims related to SolarWinds’ post-attack statements regarding the cyberattacks, ruling that: (i) the SEC’s claims were based on hindsight and speculation; and (ii) the challenged statements appeared to be factually accurate and did not mislead investors. That said, the Court did allow the SEC to continue to pursue certain securities fraud claims based on SolarWinds’ allegedly misleading statements made before the attack, such as detailed statements about cyber strategy, access controls, and password protection practices posted on the SolarWinds website.

Takeaway: This was a major blow to the SEC and a welcome development for those who believe the SEC’s “blame the victim” mentality, in which it second-guesses a company’s response after the fact, is unfair and counterproductive, especially when companies are faced with a sophisticated nation-state threat actor. Unfortunately for the head of SolarWinds’ information security group, the Court did not completely dismiss the claims against him. This will likely have a chilling effect on qualified candidates applying for these roles, worsening an already difficult recruiting pool for public companies. Despite this setback, we do not expect the SEC to relax its aggressive approach to cybersecurity enforcement actions. This is unfortunate because one of the best ways to defeat these attacks in the future is for industry to work with the government. It is crucial that public companies ensure that their disclosures are consistent with the reality of their information security program.

Proposed FTC settlement bans NGL Labs and founders from marketing anonymous messaging apps and imposes $5 million in fines

On July 9, 2024, the U.S. Federal Trade Commission (“FTC”) announced a proposed order with NGL Labs, LLC (“NGL”) and its co-founders (collectively, the “Defendants”) to resolve allegations that their anonymous messaging application (the “NGL App”) and in-app subscription service (“NGL Pro”) violated Section 5 of the FTC Act, the Restoring Online Shopper Confidence Act (“ROSCA”), the Children’s Online Privacy Protection Act (“COPPA”), and the California Business and Professions Code. The FTC, joined by the District Attorney for Los Angeles County (the “People of California”), filed a complaint (the “Complaint”) on July 9, 2024, in the Central District of California. The Complaint alleged, among other things, that Defendants: (i) deceived consumers with false messages and tactics to increase product usage; (ii) targeted their services to children and teens but failed to comply with COPPA; (iii) failed to disclose material terms and obtain consumer consent before charging recurring fees; and (iv) misrepresented that their artificial intelligence (“AI”) would filter harmful messages and prevent cyberbullying. As part of the settlement, NGL did not admit or deny any wrongdoing.

Under the proposed order (the “Proposed Order”), Defendants would be required to pay $4.5 million to the FTC and $500,000 to California residents. Defendants would also, among other things: (i) be prohibited from marketing the NGL Apps to individuals under the age of 18 and be required to implement an age gate that prevents access by users under the age of 18; (ii) be prohibited from misleading users about the sender of messages in the Apps or about the AI capabilities of the Apps; and (iii) be prohibited from misleading users about negative option subscriptions and be required to obtain express consent for those subscriptions. FTC Commissioners Melissa Holyoak and Andrew Ferguson issued separate concurring statements. Commissioner Ferguson’s accompanying statement (the “Accompanying Statement”), joined by Commissioner Holyoak, limits the scope of the Proposed Order by stating that “Section 5 [does] not categorically prohibit[] the marketing of any anonymous messaging application to teenagers” because “anonymity is an important constitutional value.”

Takeaway: It’s no secret that regulators are increasingly focused on protecting the privacy and safety of minors, even if doing so may limit free speech, and the FTC’s Proposed Order is evidence not only of that but also of the FTC’s growing willingness to work with state and local governments to advance that goal. Interestingly, the settlement requires the company to implement a neutral age gate and restrict users it has actual knowledge are under 18, even though COPPA’s protections only apply to users under 13. So this appears to be another case of the FTC regulating through enforcement actions beyond what the law currently requires. Companies will want to regularly review the claims they make about their AI capabilities to ensure that all such claims are true.

EU Digital Operational Resilience Act – New standards published, with six months left to comply

July 17, 2024, was six months before the planned entry into force of the EU Digital Operational Resilience Act (“DORA”). It was also the deadline for regulators to issue the standards that financial entities will have to comply with.

DORA – which comes into force on 17 January 2025 – aims to harmonise and strengthen IT requirements for EU financial entities (including investment firms, banks and insurance companies). Financial entities in scope will be required to: (a) ensure that their risk management frameworks comply with detailed requirements; (b) comply with incident reporting obligations; (c) implement resilience testing protocols (such as penetration testing and business continuity testing); and (d) manage third-party IT risks, including by ensuring that contracts with IT service providers contain specific terms.

The newly published Regulatory Technical Standards (“RTS”), which add detail to specific compliance requirements, cover (among other things) threat-based penetration testing and the content of IT incident reports. This second batch of RTS follows on from an earlier set that covered IT incident classification, detailed requirements for a risk management framework and templates for the register of financial entities of third-party service providers. Further RTS on outsourcing of IT functions have yet to be published.

Takeaway: DORA is a detailed piece of legislation that will take time to implement fully. Even financial entities with robust risk management frameworks will need to align them with DORA’s specific requirements if they haven’t already. With only six months to comply, many financial entities will want to accelerate their DORA compliance programs to ensure they have the policies, protocols and contractual provisions in place by January 17, 2025. For more details, see Dechert’s overview of DORA for asset managers.

EU-U.S. Data Privacy Framework FAQs

The European Data Protection Board (“EDPB”) has issued FAQs on the EU-US Data Privacy Framework (“DPF”) for EEA businesses. US businesses that self-certify under the DPF are deemed to provide a legally “adequate” level of protection for personal data, allowing personal data to be transferred from the EEA to them in accordance with the restrictions of the GDPR.

The FAQ explains that only U.S. companies subject to the investigative and enforcement powers of the U.S. Federal Trade Commission or the U.S. Department of Transportation can self-certify under DPF. This means that banks and insurance companies, for example, cannot currently use DPF. However, the FAQ suggests that DPF may be made available to companies under the purview of other U.S. regulatory bodies at some point in the future.

The FAQ emphasises that data exporters should ensure that they understand the scope of the data importer’s DPF certification to ensure that it covers the data transfers at issue (for example, that the certification covers the relevant data categories and any relevant subsidiaries). The FAQ also emphasises that the DPF only addresses one aspect of GDPR compliance, namely the specific restrictions on international data transfers. When sending personal data to DPF-certified recipients, data exporters must also consider their other obligations under the GDPR.

Takeaway: While DPF is a useful (and, for data exporters, relatively hassle-free) option in many cases, the FAQ identifies some of the limitations of DPF and highlights the caution that data exporters will want to exercise when exporting to DPF-certified data importers. Data exporters should note that DPF certifications do not always cover all categories of personal data or all group entities, and that DPF does not address all aspects of GDPR compliance relevant to data sharing.

Dechert’s Curiosities

FTC Chairwoman Lina Khan Testifies Before the House Subcommittee on Innovation, Data, and Commerce

U.S. Federal Trade Commission (“FTC”) Chairwoman Lina M. Khan testified before the House of Representatives’ Subcommittee on Innovation, Data, and Commerce on July 9, 2024, detailing what she described as the FTC’s efforts to protect consumer privacy and data security, combat fraud, and protect historically underserved communities. Khan highlighted several aspects of the FTC’s work, including addressing the challenges posed by artificial intelligence. Chairwoman Khan noted that the FTC will use its existing legal authority to address illegal practices involving artificial intelligence, such as training AI using data obtained without consent or engaging in fraud using artificial intelligence.

CPPA Publishes Draft Rulemaking on Potential Rules for Automated Decision-Making Technologies, Risk Assessments, and Cybersecurity Audits

In advance of the California Privacy Protection Agency (“CPPA”) Board Meeting, the CPPA published updated draft regulations that, if enacted, would include, among other things, changes to existing CPPA regulations regarding rights requests, cybersecurity risk assessments, and cybersecurity audits. The updated draft regulations also focus on automated decision-making technology (“ADMT”)—defined as “any technology that processes personal information and uses computation to make decisions, replaces human decision-making, or significantly facilitates human decision-making.” Specifically, the updated draft regulations include proposed new consumer rights to access, opt out of, and appeal decisions made by ADMTs.