Excerpt from JDSupra Article – Published on Feb 13, 2024
In a recent episode of the Life with GDPR podcast, experts Tom Fox and Jonathan Armstrong, from Cordery Compliance, delved into the complex landscape of corporate responsibility and data protection risks, with a spotlight on the SolarWinds case.
Following the 2020 data breach, the Securities and Exchange Commission (SEC) filed a lawsuit against SolarWinds Corp. and its Chief Information Security Officer (CISO), Tim Brown, in late 2023. This legal action underscored the pressing issue of executive liability in cybersecurity disclosures, raising pertinent questions about accountability under US securities law. The breach, attributed to Russian hackers, targeted SolarWinds’ Orion software, compromising highly sensitive data and infiltrating systems across government agencies and major corporations. SolarWinds inadvertently propagated the breach by distributing a compromised software update to its corporate clientele.
Central to the SEC’s lawsuit were allegations of inadequate disclosures regarding SolarWinds’ information security practices from 2018 to 2020. Internal communications revealed a discrepancy between public assertions of robust cybersecurity and internal acknowledgments of systemic vulnerabilities, forming the crux of the SEC’s claims. The episode underscored the imperative for corporate leaders, including CISOs, Data Protection Officers, and Compliance Officers, to promptly disclose data breaches. Despite GDPR offering some protection to data protection officers, the SolarWinds case serves as a stark reminder of the need for transparent breach disclosures and vulnerability mitigation strategies.
Beyond regulatory fines, litigation risks loom large for organizations, with shareholders and whistleblowers potentially pursuing legal action over data breaches. The discussion emphasized the ramifications of misrepresenting information to regulators and the necessity of proactive vulnerability management amidst budget constraints. Consideration of the impact on stock exchange filings is paramount when deciding on breach disclosures, particularly in transactions like mergers and acquisitions. Transparency, integrity, and careful communication within organizations are emphasized as foundational principles in data protection and privacy.
The potential for litigation underscores the importance of maintaining a culture of transparency and integrity within organizations. Shareholders and whistleblowers may seek legal recourse if they perceive adverse impacts on stock value or regulatory compliance. In conclusion, the SolarWinds incident illustrates the interconnected nature of GDPR compliance, corporate accountability, and data protection. Prioritizing transparency, honesty, and timely breach disclosures, alongside proactive vulnerability management and adequate insurance protection, is imperative for navigating the complexities of data protection and privacy in the GDPR era.
To delve deeper into this topic, please read the full article in JDSupra.