February 06, 2024

SEC’s SolarWinds Action Already Having Chilling Effect on Voluntary Cyber Disclosures, John Carlin Tells Corporate Counsel, Reuters, Law360

Cybersecurity & Data Privacy Co-Chair John Carlin spoke with Corporate Counsel, Reuters and Law360 about the recent amicus brief filed on behalf of 21 former cybersecurity government officials in the SEC’s landmark enforcement action against software company SolarWinds and its Chief Information Security Officer.

The brief, which includes John and Melinda Haag, all former senior DOJ officials, as amici, urges the judge in the SEC case in the Southern District of New York to carefully evaluate how enforcement actions such as this one may disincentivize companies from sharing critical cybersecurity information with government authorities.

John, who is also counsel for the amici, notes that he’s already seeing corporate security chiefs expressing hesitancy to report cybersecurity incidents because of the case.

“I’ve had instances where they’re having incidents, and we suggest it would be good to voluntarily share, and they’re saying they’re not going to do so because they’re afraid of it being used against them later,” John tells Corporate Counsel in “Ex-Officials Fret Hacked Firms, Fearing Legal Liability, Will Keep Law Enforcement in Dark.”

“At minimum, it’s slowing some down while they consult with in-house counsel,” he adds.

John warns in Reuters’ “SolarWinds’ supporters blast US SEC's ‘chilling’ lawsuit over cyberattack” that pushing companies to disclose incident information before they have a handle on it is often more harmful than helpful.

“A regime that incentivizes early detailed public disclosure of vulnerability information, along with information detailing a company’s security posture, can actually damage law enforcement investigations, provide a roadmap to aid threat actors and make companies less safe,” he says.

In Law360’s “SEC's SolarWinds Suit May Chill Disclosures, Ex-Officials Say,” John notes that “public disclosure is not a substitute for, and must not come at the expense of, voluntary confidential sharing of more detailed information with the agencies tasked with combatting cyber threats, who have the right set of technical tools and legal authority to take effective action.”