Abstract

For years now, we have been advising clients to be cautious about including overly broad, or overly detailed, statements in their online privacy policies, noting that the FTC has in the past interpreted such statements as being representations to the market, such that false or misleading statements made therein could constitute misrepresentations. The Securities and Exchange Commission complaint filed last year against SolarWinds Corp. and Timothy G. Brown (between July 2017 and December 2020, the Vice President of Security and Architecture and head of the Information Security group, and as of January 2021, the Chief Information Security Officer, of SolarWinds Corp.) has now made it clear that the same risk applies to public statements regarding the state of security of an organization. The SEC complaint raises additional related issues, however: namely, to what extent are organizations required to detail instances of non-compliance with their security policies in their public security disclosures; and to what extent should software companies be held to a higher standard of cybersecurity disclosure. This article provides the background to the SEC complaint (I.); provides an overview of the SEC complaint's critique of the online security statement published by SolarWinds, and of the security disclosures in the securities filings of SolarWinds (II.); outlines the challenges posed by the SEC's approach in the complaint and the resulting blowback, in particular from chief information security officers (III.); highlights three key lessons learned from the SEC complaint (IV.); and concludes (V.) with a warning as to what this means for organizations publishing online security statements.
