CYBER CORNER

In a highly publicized decision, a federal district court dismissed, in large part, an aggressive enforcement action filed by the SEC against a leading software technology company (the “Company”) and its Chief Information Security Officer (CISO). The Company was the victim of a Russian-backed cyberattack. The impact of the cyberattack was widespread amongst the IT departments of the Company’s vast customer base and allowed the bad actors to infiltrate at least nine federal agencies.

The SEC alleged various theories of securities law and internal accounting control violations including “fraud and internal control failures to allegedly known cybersecurity risks and vulnerabilities.” Specifically, the SEC alleged the Company and its CISO misled investors in the time-period prior to the attack and that the Company’s Pre-IPO Security Statement contained materially false and misleading representations regarding access controls and password protection policies.

The court dismissed the SEC’s civil fraud allegations that the Company failed to adequately disclose the attack and made false or misleading statements in press releases, blog posts and podcasts “touting” the Company’s cybersecurity practices. The court will allow a portion of the case to move forward with respect to the adequacy of certain pre-incident disclosures in the Company’s Security Statement.

The subject decision was a “win” for corporations who are subjected to the vast and expanding cyber-related scrutiny and disclosure requirements. It may also result in the SEC ramping down their aggressive stance in prosecuting alleged disclosure violations.

Social media behemoth Meta Platforms has settled a lawsuit with the state of Texas arising out of the company’s use of facial recognition to collect biometric data on Facebook users. The Texas Attorney General has called it, “the largest settlement ever obtained from an action brought by a single state,” and said the settlement demonstrated the state’s commitment to holding technology companies accountable. The settlement is the first ever obtained by the state under the Texas Capture or Use of Biometric Identifier (CUBI) Act.

The Texas Attorney General sued Meta in 2022, contending that its Facebook subsidiary failed to ask users for their consent before collecting their facial recognition data, improperly disclosed the data to third parties, and retained the data beyond the timeframe set forth in the CUBI Act. By that time, however, Facebook had discontinued collecting this data on users following the settlement of a similar action brought under Illinois law. Meta has continued to deny any wrongdoing, insisting that its use of facial recognition technology complied with the CUBI Act. The company maintained that it had always been transparent with users about how their biometric data would be collected and handled.

The Takeaway:

While this is clearly a landmark settlement for the parties involved, Alliant is not expecting this to be a market-moving event. There are several reasons for this. First and foremost, many insurers have inserted language limiting coverage for biometric information privacy claims, and in any event, the insurability of punitive damages in such actions varies from state to state. Additionally, companies have become more cautious in their deployment of this technology due to the aggressive enforcement actions brought by authorities in jurisdictions such as Illinois and Texas.