Articles in this Issue:
- Four Companies Settle SEC Allegations for “Misleading Cyber Disclosures” Regarding SolarWinds
- European Commission Adopts Implementing Regulation on Cybersecurity Risk Management and Reporting
- New EU Law on Security Requirements for Products with Digital Elements
- The CFPB Finalizes its Personal Financial Data Rights Rules
- New York’s Financial Regulator Releases AI Cybersecurity Guidance
- Dechert Tidbits
Four Companies Settle SEC Allegations for “Misleading Cyber Disclosures” Regarding SolarWinds
On October 22, 2024, the Securities and Exchange Commission (“SEC”) announced settlements with four companies for alleged violations of the Securities Act of 1933 and the Securities Exchange Act of 1934 in connection with their cyber disclosures. The SEC alleged that Unisys Corp. (“Unisys”), Avaya Holdings Corp. (“Avaya”), Check Point Software Technologies Ltd. (“Check Point”), and Mimecast Ltd. (“Mimecast”) downplayed cybersecurity risks to investors after falling victim to the 2020 nation-state cyberattacks on SolarWinds Corp.’s Orion software platform (“SolarWinds Attacks”). None of the companies admitted wrongdoing in connection with the settlements.
The SEC alleged that the companies—all of which are in the software or IT business and were SolarWinds customers that used the Orion software—made public disclosures regarding the SolarWinds Attacks that “negligently minimized” their actual knowledge of the SolarWinds Attacks. The civil penalties totaled approximately $7 million across the four companies. Specifically:
- Avaya. The SEC alleged that Avaya knew that the threat actor accessed 145 files but stated in public disclosures that only limited email messages had been accessed.
- Check Point. The SEC alleged that Check Point described the impact of the SolarWinds Attacks in generic terms in its disclosures despite knowing that the threat actor was in its systems for several months and its cybersecurity risk profile had changed materially.
- Mimecast. The SEC alleged that Mimecast omitted material information from its disclosures regarding the large volume of code and the high number of credentials accessed by the threat actor.
- Unisys. The SEC alleged that Unisys described cybersecurity events as hypothetical in its public statements despite knowing that two intrusions related to the SolarWinds Attacks resulted in exfiltrated data. The SEC also alleged that Unisys failed to maintain sufficient controls and procedures to ensure that material cybersecurity incidents were timely reported to management and investors.
The SEC characterized these enforcement actions as a reminder that, “while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents.” Commissioners Peirce and Uyeda, however, issued scathing dissents, calling the Commission a “Monday morning quarterback” that “needs to start treating companies subject to cyberattacks as victims of crime, rather than perpetrators of one.”
Takeaway: Amen to the statements made by the dissenting Commissioners. Too often the SEC comes in after the fact, when all is known – and without a broad basis of knowledge of cyberattack response – to assert a “misleading” label. From the company’s standpoint, this feels like second-guessing: the statements at issue were often made when far less was known, or make sense in the larger context of the company’s security program. Unfortunately, as the dissenters noted, this approach too often serves to revictimize the victim companies. Nonetheless, the accuracy of public statements made by issuers following a cyber event remains a top SEC enforcement priority. Of course, companies should take care to avoid statements that are inconsistent with their actual knowledge at the time. We would go a step further and advise that companies contemporaneously document the facts that served as the basis for any statement or characterization, so that the basis can be reconstructed if questioned later. We also note that these settlements were announced in the aftermath of the SEC’s lack of success in its own lawsuit against SolarWinds (covered here), in which the Southern District of New York dismissed many of the SEC’s claims regarding SolarWinds’ post-cyberattack statements.
European Commission Adopts Implementing Regulation on Cybersecurity Risk Management and Reporting
October 17, 2024 marked the deadline for EU Member States to put in place national legislation implementing EU Directive 2022/2555 on measures for a high common level of cybersecurity across the EU (“NIS 2”). NIS 2 aims to expand and harmonize cybersecurity laws across the EU. On the same date, the European Commission adopted an Implementing Regulation specifying requirements for certain entities within the scope of NIS 2. The Implementing Regulation applies to, among other entities, cloud computing service providers, data center service providers, managed service providers, and providers of online marketplaces and social networking service platforms.
The Implementing Regulation elaborates on the general obligations relating to cybersecurity risk management under NIS 2, providing additional granularity for relevant entities on issues such as information security policies, business continuity, supply chain security and encryption. The Implementing Regulation also establishes rules for assessing whether a cybersecurity incident is a “significant incident” for the purposes of NIS 2 and therefore subject to NIS 2 incident reporting obligations. The Implementing Regulation lists threshold criteria which, if satisfied, require relevant entities to report the incident. Some of the criteria vary depending on the nature of the relevant entity. For example, an incident impacting a social network will require notification if the social network service is unavailable or limited for more than 5% of users in the EU.
Takeaway: NIS 2 is a key pillar of EU legislators’ cybersecurity strategy, and its broader scope brings a greater number of businesses within scope of the EU cybersecurity regime. NIS 2 sits alongside other legislation relevant to cybersecurity, such as data protection legislation and, for financial entities, the Digital Operational Resilience Act. The new Implementing Regulation provides greater clarity for organizations assessing whether an incident is reportable and in-scope entities will want to review their incident response plans to account for the specific reporting thresholds prescribed in the Implementing Regulation.
New EU Law on Security Requirements for Products with Digital Elements
On October 10, 2024, the Council of the European Union adopted a new regulation governing cybersecurity requirements for products with digital elements (“PDEs”), the Cyber Resilience Act (the “Act”). The Act applies to all products that are connected either directly or indirectly to another device or to a network, such as connected refrigerators, cameras, and TVs, with exceptions for products subject to existing specific cybersecurity requirements, such as medical devices. The Act sits within a patchwork of other cybersecurity laws, such as the NIS 2 Directive, and aims to fill the gaps for connected devices.
The Act’s primary categories of obligations fall on manufacturers of PDEs and relate to: (1) “essential cybersecurity requirements” for the design, development, and production of PDEs; (2) conformity assessments for PDEs; and (3) notification of actively exploited vulnerabilities to competent authorities and public disclosure of information about fixed vulnerabilities. Fines of up to the higher of €15 million or 2.5% of annual turnover can be imposed for breach of the Act. The next stage for the Act is publication in the Official Journal of the European Union, following which it will enter into force on the 20th day after publication. It will then apply three years after its entry into force, with some provisions applying at an earlier stage.
In the UK, the Product Security and Telecommunications Infrastructure Act came into effect in April 2024 and has a similar aim to the Act although with a narrower scope and different obligations.
Takeaway: While both laws are intended to address cybersecurity risks of digital and connected products, the divergence in obligations means that companies involved in the supply chain of PDEs in the EU and the UK will want to review the requirements of the two laws to ensure that their compliance programs take account of the two regimes. Although most provisions in the Act will not apply until late 2027 or later, companies already working on their UK compliance will want to start considering the EU requirements now in an effort to avoid having to make changes down the line.
The CFPB Finalizes its Personal Financial Data Rights Rules
On October 22, 2024, the Consumer Financial Protection Bureau (“CFPB”) announced that it finalized its Personal Financial Data Rights rule (“Final Rule” or “Rule”). According to the CFPB the Rule is intended to “give consumers greater rights, privacy, and security over their personal financial data.” The Final Rule was issued to implement Section 1033 of the Consumer Financial Protection Act and comes almost a year after the CFPB announced its Notice of Proposed Rulemaking (“NPRM”).
The Final Rule requires that data providers make covered data available in a standardized electronic format, upon request and free of charge, to consumers and certain third parties. As defined by the Final Rule, a “data provider” is a depository or non-depository institution, such as a bank or financial service provider—not including banking and credit union institutions having less than $850 million in assets. “Covered data” includes, among other things, information about: (i) transactions, including those from at least the prior 24 months; (ii) payment information and costs; and (iii) account balances. To comply with the Final Rule, data providers are required to create and maintain interfaces with consumers and third parties through which the data provider can receive and fulfill requests for covered data.
The Final Rule also implements privacy protections for consumer data shared with third parties. Under the Rule, “third parties” include “any person that is not the consumer about whom the covered data pertains or the data provider that controls or possesses the consumer’s covered data.” Third parties will only be able to collect and use a consumer’s financial data for “what is reasonably necessary” to fulfill the consumer’s request. In fact, the Final Rule explicitly states that targeted advertising, cross-selling other products or services, and selling covered data are not “reasonably necessary to provide” the product or service the consumer requested. In addition, the Final Rule allows consumers to revoke a third party’s authorization to access their data, and a third party may collect a consumer’s data for only one year after receiving authorization, after which it must obtain reauthorization.
Compliance with the Final Rule will be staggered. The largest institutions must comply by April 1, 2026, while smaller institutions have later compliance dates running through April 1, 2030, depending on the institution’s assets and total receipts.
Takeaway: The CFPB is shaping up to be a key regulator in the privacy and cybersecurity space. In hearings before the Senate Banking Committee earlier this year, Director Chopra advocated for measures that would increase legal protections for consumers’ personal financial data, which we discussed here. As adopted, the Final Rule imposes a number of new and burdensome compliance requirements over a period of years, although it is worth noting that the Rule was immediately challenged under the Administrative Procedure Act in the Sixth Circuit by trade groups and a Kentucky bank. As such, the Rule’s fate remains uncertain. Nevertheless, prudent companies will consider assessing, and planning for, how they will comply with the Final Rule’s novel requirements. Yet another regulator focused on these issues may lead to increased enforcement with respect to data sharing and data brokers, though with a new administration, that risk likely is diminished.
New York’s Financial Regulator Releases AI Cybersecurity Guidance
On October 16, 2024, the New York Department of Financial Services (“NYDFS”) issued an industry letter entitled “Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks” (“Guidance”). The Guidance is not binding on NYDFS-regulated entities (“Covered Entities”), but is intended to assist those entities in addressing cybersecurity risks posed by AI within the existing framework of the NYDFS cybersecurity regulation, 23 NYCRR Part 500 (“Cybersecurity Regulation”).
The Guidance focuses on four types of cybersecurity risks: (i) “AI-enabled social engineering;” (ii) “AI-enhanced cybersecurity attacks;” (iii) the exposure or theft of substantial quantities of nonpublic information; and (iv) vulnerabilities arising from dependencies on third parties, vendors, and supply chains. To address these risks, the Guidance recommends, among other things, that Covered Entities: (i) implement and maintain risk assessments and risk-based programs and plans; (ii) implement and maintain policies and procedures that sufficiently manage third parties and vendors; (iii) implement controls, such as multi-factor authentication; (iv) train all personnel regarding the risks associated with AI and how to respond to AI-enhanced cyberattacks; (v) monitor and maintain systems that can quickly identify cybersecurity threats; and (vi) implement effective data management, such as by enacting data minimization practices as required under the Cybersecurity Regulation, keeping data inventories up to date, and tracking all information systems that use AI-enabled products. While acknowledging these cybersecurity concerns, the Guidance encourages Covered Entities to explore the benefits that AI can offer.
Takeaway: Companies subject to NYDFS supervision (over 3,000 financial institutions) should prepare for heightened scrutiny in the AI arena. Covered Entities should consider taking steps as soon as possible to review and reevaluate their cybersecurity programs and controls to identify, and implement mitigation strategies for, AI-related risks. Such steps could include, among others, conducting AI risk assessments, as well as revising policies and procedures, employee trainings and contractual provisions in contracts with service providers that address threats posed by AI and cybersecurity. As AI, with its risks, benefits, and compliance requirements, continues to evolve, companies will need to embrace a flexible and adaptive approach.
Dechert Tidbits
Kochava Settles Location Privacy Lawsuit
According to a joint status report filed on October 15, 2024, in the U.S. District Court for the District of Massachusetts, Kochava, Inc. (“Kochava”)—a data broker of consumers’ precise geolocation data associated with a mobile or persistent identifier—has settled three class action complaints that arose in the wake of a lawsuit filed by the Federal Trade Commission (“FTC”) against Kochava in August 2022 for alleged violations of Section 5 of the FTC Act. The settlements will resolve a mix of allegations arising out of lawsuits in Idaho, California, and Massachusetts, including claims of: (i) unjust enrichment allegedly due to Kochava’s sales of consumers’ geolocation data without consent or compensation; and (ii) other alleged state law violations. The settlement terms have not yet been made public. These settlements arrive in the wake of Kochava’s loss earlier this year in the FTC’s case, when the U.S. District Court for the District of Idaho denied its motion to dismiss the FTC’s Section 5 allegations, as covered here.
UK Data (Use and Access) Bill Proposed
The UK Government introduced the Data (Use and Access) Bill, proposed legislation designed to facilitate the use of data for the delivery of public services, as well as in certain private sector fields. The Bill seeks to streamline the use of data in a number of areas, including healthcare, policing and ID verification. Among the reforms are changes to data protection legislation, including restructuring the UK’s data protection regulator and revising consent requirements for scientific research. Even if the Bill proceeds, UK data protection law will remain largely aligned with the EU GDPR.
United States Department of Justice Proposes Rule to Limit Access to Americans’ Personal Data
On October 21, 2024, the U.S. Justice Department published a proposed rule to implement President Biden’s Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and the United States Government-Related Data by Countries of Concern). The proposed rule seeks to implement the Executive Order by “establishing categorical rules for certain data transactions that pose an unacceptable risk of giving countries of concern”—including Russia, Iran, and China— “or covered persons access to government-related data or bulk U.S. sensitive personal data.” The Justice Department requested public comment on the proposed rule within 30 days.