Amid urgent national security, cybersecurity and data privacy threats, companies require deeply experienced counsel to respond strategically to potentially crippling data incidents, so they can get back to business. Led by the nation’s leading legal advisors on national security and data-related regulatory matters, we help boards and top executives safely navigate high-impact breaches and related cyber incidents, and offer specialized regulatory advice in the transactional and compliance contexts.
SEC’s SolarWinds Action Already Having Chilling Effect on Voluntary Cyber Disclosures, John Carlin Tells Corporate Counsel, Reuters, Law360
February 6, 2024
Cybersecurity & Data Privacy Co-Chair John Carlin spoke with Corporate Counsel, Reuters and Law360 about the recent amicus brief filed on behalf of 21 former cybersecurity government officials in the SEC’s landmark enforcement action against software company SolarWinds and its Chief Information Security Officer.
The brief, which includes John, Jeannie Rhee and Melinda Haag, all former senior DOJ officials, as amici, urges the judge in the SEC case in the Southern District of New York to carefully evaluate how enforcement actions such as this one may disincentivize companies from sharing critical cybersecurity information with government authorities.
John, who is also counsel for the amici, notes that he’s already seeing corporate security chiefs expressing hesitancy to report cybersecurity incidents because of the case.
“I’ve had instances where they’re having incidents, and we suggest it would be good to voluntarily share, and they’re saying they’re not going to do so because they’re afraid of it being used against them later,” John tells Corporate Counsel in “Ex-Officials Fret Hacked Firms, Fearing Legal Liability, Will Keep Law Enforcement in Dark.”
“At minimum, it’s slowing some down while they consult with in-house counsel,” he adds.
John warns in Reuters’ “SolarWinds’ supporters blast US SEC's ‘chilling’ lawsuit over cyberattack” that pushing companies to disclose incident information before they have a handle on it is often more harmful than helpful.
“A regime that incentivizes early detailed public disclosure of vulnerability information, along with information detailing a company’s security posture, can actually damage law enforcement investigations, provide a roadmap to aid threat actors and make companies less safe,” he says.
In Law360’s “SEC's SolarWinds Suit May Chill Disclosures, Ex-Officials Say,” John notes that “public disclosure is not a substitute for, and must not come at the expense of, voluntary confidential sharing of more detailed information with the agencies tasked with combatting cyber threats, who have the right set of technical tools and legal authority to take effective action.”
» read the Corporate Counsel article
» read the Reuters article
» read the Law360 article