Federal Securities Liability for Cyberattacks – Recent Decision Offers Important Guidance
On July 18, 2024, Judge Paul A. Engelmayer of the United States District Court for the Southern District of New York issued a 107-page Opinion and Order that provides useful guidance to companies attempting to assess their exposure to claims for liability under the federal securities laws. While this decision limits the scope of such exposure, clients should be mindful that data breaches can create liability under other statutes, and prompt consultation with counsel can go a long way toward limiting a company’s potential legal exposure to consumers, investors and others.
Beginning in 2019 and continuing through 2020, SolarWinds fell victim to a cyberattack. The attackers successfully leveraged stolen login credentials and exploited VPN vulnerabilities to access SolarWinds’ network and exfiltrate data, including customer data. The attackers also inserted malicious code into SolarWinds’ “crown jewel” software, Orion, which was used by approximately 18,000 customers. These customers included “federal and state agencies, and more than 1,500 publicly traded U.S. companies, banks, broker-dealers, accounting firms, and other SEC-regulated entities.”
Following the attack, the SEC charged SolarWinds and its then-VP of Security, Timothy Brown, with both familiar and novel claims arising out of SolarWinds’ pre- and post-attack statements. In the first set of claims, the SEC charged SolarWinds with material misrepresentations and omissions under Sections 10(b) and 13(a) of the Securities Exchange Act of 1934 and Section 17(a) of the Securities Act of 1933. These claims were based on statements made in a public-facing “Security Statement” that SolarWinds posted on its website and provided to customers, as well as statements that SolarWinds made or omitted in other required SEC filings. The SEC also alleged that SolarWinds misled investors following the 2020 attack by not alerting them to two previous customer breaches that had been reported.
Of this first set, the Court sustained only the allegations against Brown and SolarWinds regarding the Security Statement posted online and provided to customers. Despite the security deficiencies that Brown had been raising with SolarWinds since he started working there in 2017, Brown created and approved the Security Statement, and it was posted online in late 2017. The Security Statement included various claims about SolarWinds’ strong cybersecurity, including that SolarWinds had strong password protections and maintained good access controls. The Court determined that these two claims (of the five cybersecurity practices highlighted by the SEC) were material misrepresentations. In so holding, the Court rejected two arguments from SolarWinds: first, that the Security Statement was directed at customers rather than investors; and second, that each claim had to be considered in isolation. The Court stated, “It is well established that false statements on public websites can sustain securities fraud liability.” Moreover, “the well-pled misrepresentations in the Statement must be viewed together as collectively bearing on the Statement’s central thesis: that the cybersecurity practices of SolarWinds…were strong.” The Court also made clear that it took a particularly critical view of SolarWinds’ statements in light of “the nature of the company’s products and customer base.”
In the second set of claims, the SEC charged SolarWinds with failing to implement effective internal controls and procedures under Section 13(b)(2)(B) of the Securities Exchange Act. This was the first time the SEC had brought an accounting controls claim based on deficient cybersecurity controls. However, the Court dismissed these claims. The Court agreed with SolarWinds that the “system of internal accounting controls” required by the Securities Exchange Act clearly referred to financial accounting controls and could not “reasonably” be extended to cybersecurity controls.
Despite the dismissal of some claims, this case is an important reminder to be cautious and factual when drafting and posting corporate statements online, and when making mandatory filings with the SEC.
While the decision identifies the limits of liability under the federal securities laws, SolarWinds’ deficient cybersecurity practices and limited data privacy protection could potentially provide a basis for additional federal liability under Section 5 of the FTC Act, and could also serve as the basis for consumer claims under state data privacy laws. To limit exposure, protect customer data and address potential reputational harm, companies should be sure to contact not only applicable insurance carriers, but also counsel, following a cyberattack or data breach. Tannenbaum Helpern can help by conducting a data inventory, identifying relevant laws, advising on cybersecurity practices, reviewing and revising corporate policies regarding cybersecurity and data privacy, and defending against federal or state investigative or regulatory enforcement proceedings, should they arise.
07.22.2024 | PUBLICATION: Securities & Enforcement Alert | TOPICS: Cybersecurity and Data Privacy, Securities