CURRENT MONTH (July 2023)
SEC Adopts New Rules on Cybersecurity Risks for Public Companies
By Alan S. Wernick, Esq., Aronberg Goldgehn
On July 26, 2023, the Securities and Exchange Commission (“SEC”) adopted final rules requiring registrants (i.e., businesses required to report to the SEC) to, among other things, promptly disclose material cybersecurity events and, annually, disclose material information concerning the registrant’s cybersecurity risk management, strategy, and governance. This article presents a brief, not exhaustive, overview of the SEC’s final rules on cybersecurity risks for public companies.
SEC Chair Gary Gensler, in a July 26, 2023, statement on public company cybersecurity disclosures, noted, “Increasingly, cybersecurity risks and incidents are a fact of modern life. When material incidents occur, they can have a range of consequences—including financial, operational, legal, or reputational.” He further noted “Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors. … Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.” (See SEC; Statement on Public Company Cybersecurity Disclosures.)
For the new Form 8-K Item 1.05 (“Material Cybersecurity Incidents”) registrants must disclose, within four (4) business days of determining an incident was material, any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its (i) nature, scope, and timing; and (ii) impact or reasonably likely impact. A registrant may delay filing as described in the Rules, if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety. Registrants also must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. (See SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure; Final Rules.)
- “New Regulation S-K Item 106 will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”
- “Form 6-K will be amended to require foreign private issuers to furnish information on material cybersecurity incidents that they make or are required to make public or otherwise disclose in a foreign jurisdiction to any stock exchange or to security holders. Form 20-F will be amended to require that foreign private issuers make periodic disclosure comparable to that required in new Regulation S-K Item 106.” (See SEC Fact Sheet; Public Company Cybersecurity Disclosures; Final Rules.)
The cybersecurity disclosures now included in the annual Form 10-K and Form 20-F will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication of the Final Rules in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
The bottom line for companies subject to the new SEC rules on cybersecurity risks for public companies is that they need to be aware of the requirements of the new rules, and their board of directors need to consider increasing their education about and awareness of cybersecurity risks to the business and to have substantive and meaningful discussions with all requisite parties concerning appropriate oversight of these cybersecurity risks. The cost of ignoring these new rules could be substantial.
© 2023 Alan S. Wernick and Aronberg Goldgehn.
TikTok Ban for Government Contractors
The U.S. government has banned from government IT systems and government devices the TikTok app, or any application created or sold by ByteDance, the company that owns TikTok.
The ban applies to government contractors and subcontractors to some degree as well.
The ban was issued because of U.S. government concerns that TikTok may be used by the Chinese government:
- for surveillance;
- to collect and store personal data without user consent; and
- to spread misinformation or propaganda.
The interim Federal Acquisition Regulation banning TikTok and all other ByteDance applications applies to all federal government contracts and subcontracts and prohibits downloading, accessing, or using any ByteDance applications, such as TikTok, on:
- Government IT systems and devices
- Contractor and subcontractor IT systems and devices if used to any extent to perform a government contract
- Employee-owned devices that are used for government work or if used to perform a government contract. 48 CFR 52.204-27
Essentially, the regulations are prohibiting TikTok from being on government contractor/subcontractor IT systems and contractor/subcontractor devices, to include employee-owned devices if used to perform a Government contract. It also seems to mean the app should not be used to access or share government information, to conduct government business, or to communicate with other federal employees or contractors.
IT systems or devices that a government contractor acquires or uses that are “incidental” to government work are not covered by the ban. The legal requirements, however, are not clear on what “incidental” to performance of a contract means. For example, if a contractor and its employees use a device with TikTok to send emails about government work, it is not clear under the regulatory language if this communication is “incidental” to performance.
The ban is effective immediately, so Government contractors and subcontractors should start getting modifications from the government or from their prime contractors with the new interim regulation banning TikTok. The new regulation will also be in all solicitations, contracts, and modifications going forward.
Dismissed by Paramount: Analyzing Salazar v. Paramount Global and the Video Privacy Protection Act
By DaJonna Richardson, J.D. Candidate, Class of 2024, University of Colorado Law School
A Tennessee federal court dismissed a class action suit against Paramount because the plaintiff failed to demonstrate that his subscription to Paramount’s 247Sports online newsletter made him a “subscriber of goods or services of a video tape service provider” under the Video Privacy Protection Act (“VPPA”). Salazar v. Paramount Glob., 3:22-cv-00756 (M.D. Tenn. Jul. 18, 2023). Thus, the plaintiff failed to state a claim.
The Video Privacy Protection Act (“VPPA”) prohibits wrongful disclosure of video tape rental or sales records. 18 U.S.C.A. §§ 2710 et seq. In January 2013, the VPPA was amended to clarify some ambiguous provisions, including by allowing disclosure based on electronic consent with certain restrictions.
In this case, plaintiff Michael Salazar filed a class action against Paramount alleging that he and others similarly situated should not have had their browsing activities tracked via Facebook from Paramount’s 247Sports website. Salazar alleged that Paramount, through its subsidiary the 247Sports website, used embedded videos to knowingly disclose user data to third parties through pixels and similar tracking technologies as they surfed the website.
The 247Sports website is an athletic recruitment tool for college sports and fans following college sports. Users who sign up for the website are called “digital subscribers”; such subscribers provide their personal information, including but not limited to name, date of birth, and email addresses. Users unknowingly shared data on their activities while logged into both the 247Sports website and Facebook, such as the person’s Facebook user ID, the video content name, and the URL, allowing both Facebook and the 247Sports website to log, track, and possibly record the person’s activities.
The background history of the VPPA speaks to Congressional intent: it was enacted by Congress in 1988 after Supreme Court nominee Robert Bork’s video rental history was published in a newspaper during evaluation of his candidacy.
The plaintiff in this case argued Paramount’s Facebook pixel integration into the 247Sports website allowed user’s information to be extracted without consent. Paramount pushed back, arguing that Salazar lacked standing in his complaint because he did not suffer a concrete injury directly traceable back to Paramount and that Salazar was not a consumer within the meaning of the statute.
Ultimately, the court split the baby, granting Paramount’s motion for dismissal under Rule 12(b)(6) (failure to state a claim), but also noting the VPPA created a “right to privacy of one’s video-watching history, the deprivation of which—through wrongful disclosure, or statutory violation alone—constitutes an injury sufficient to confer Article III standing.”
Essentially, the court’s dismissal lies in its application of Austin-Spearman v. AMC Network Entertainment LLC and Carter v. Scripps Networks, LLC to this case. In Austin-Spearman, 98 F.Supp.3d 662 (S.D.N.Y. 2015), the court held the VPPA creates the right that personally identifiable information remains private without consent to disclosure. The act, however, does unfortunately permit disclosures of personally identifiable information such as a user’s IP address or a device’s unique device identifier to be transmitted to third parties without consent.
Here, the court determined Salazar did have an Article III standing claim with respect to the traceable conducted activities committed by Paramount on its website, leading to an injury suffered by the plaintiff. However, the court also determined a subscriber is a “consumer” within the meaning of the statute only when they subscribe to audiovisual materials. In doing so, it referred to Carter v. Scripps Networks, LLC, 2023 WL 3061858, which examined whether plaintiffs who subscribed to the newsletter of a website hosting video content were subscribers of “goods or services of a video tape service provider” under the VPPA. Because the VPPA itself does not define the term “subscriber,” the court in that case searched the dictionary for subscriber and concluded that “[c]onventionally, ‘subscription’ entails an exchange between subscriber and provider whereby the subscriber imparts money and/or personal information in order to receive a future and recurrent benefit, whether that benefit comprises, for instance, periodical magazines, club membership, cable services, or email updates.” It determined, however, and the court in Salazar agreed, that subscribing to a newsletter did not establish one had subscribed to audiovisual materials. Under that interpretation, Salazar was not a subscriber to a video tape service provider; therefore his claim of violation under the VPPA does not hold.
The holding is important for privacy litigators because it will help understand the latest successful defenses taken by VPPA defendants. More importantly, in this rapidly developing area of law, online website operators will need to take precautions with respect to consumers’ and subscribers’ personally identifiably information.
Strangely Salazar probably could have been found to be a digital subscriber had his complaint detailed whether or not he watched any video content on the defendant’s website. This lack of clarity and specificity probably made it difficult for the court to determine if Salazar’s lack of consent to tracking of his activities on 247Sports and Facebook resulted in unwarranted disclosure.
This case is one of many sounding alarms from the courthouse to Congress begging for legislators to address consumers’ claims by passing comprehensive federal data protections.