In a landmark decision on July 18, 2024, Judge Paul Englemayer of the Southern District of New York dismissed most charges in the SEC’s enforcement action against SolarWinds and its CISO, Timothy Brown. The court ruled that cybersecurity controls are not part of a company’s “system of internal accounting controls” under Section 13(b)(2)(B)(iii) of the Exchange Act, dismissing these claims. However, the court upheld charges that SolarWinds and Brown misled investors with public statements about their cybersecurity program. This case, stemming from the SUNBURST attack, highlights the importance of detailed risk disclosures and accurate public-facing statements on cybersecurity.

Cybersecurity threats and risks are increasing each day, and cybercriminals are getting more sophisticated in their attacks. Companies need to ensure that their data security measures keep up with ever-changing regulations and that they have protocols in place to deal with cyber threats, breaches, and ransomware attacks. Retail brands recognize that in an increasingly connected world, cybersecurity should remain a top priority.

On 8 October 2023, California Governor Gavin Newsom signed two bills into law amending the California Consumer Privacy Act. AB 947 classifies citizenship and immigration status as “sensitive personal information” subject to special protections under the CCPA, while AB 1194 strengthens reproductive privacy rights. Both bills carried the unanimous endorsement of the California Privacy Protection Agency. Details for each bill are described below followed by actionable guidance businesses can take to prepare now before these laws go into effect on 1 January 2024.