Appreciating burden of proof and what remains in the SolarWinds case

Importantly, for public companies, the key is not what the judge dismissed from the case, but what the judge allowed to survive.

On July 18, 2024, the Judge presiding over Securities and Exchange Commission v. Solarwinds Corp. & Timothy G. Brown, Case No. 23-cv-9518 (S.D.N.Y.) (hereinafter “Solarwinds”) issued an Opinion and Order on Defendants’ Motion to Dismiss, which involve familiar securities statutory and regulatory grounds. In Solarwinds, the SEC alleged that the company and its vice president in charge of its information security were responsible for two categories of deficient disclosures related to the December 2020 large-scale cyberattack (SUNBURST). The first category, which the Court termed “pre-SUNBURST” is concerned with disclosures to the market about its cybersecurity compliance before the cyberattack. The second category, “post-SUNBURST” is specific to disclosures to the market after the attack. In its Order, the Court dismissed the post-SUNBURST causes of action.

“As to the pre-SUNBURST disclosures, the Court sustains the SEC’s claims of securities fraud based on the company’s Security Statement. That statement is viably pled as materially false and misleading in numerous respects.” Solarwinds, p. 3. SolarWinds customers included 499 companies within the Fortune 500, which includes notable companies such as UnitedHealth Group, HCA Healthcare, and McKesson. And, as the Court articulated,

In late 2017, without fixing its known cybersecurity problems, SolarWinds decided to post a “Security Statement” on the “Trust Center” section of its website. Brown was primarily responsible for creating and approving the Security Statement. … The Security Statement aimed to provide SolarWinds’ customers with ‘more information about [its] security infrastructure and practices.’ Solarwinds, p. 6 (emphasis added).

This aspect of Solarwinds is material not only to public companies, but it translates to the health care sector in general and to privacy and security obligations under the Health Insurance Portability and Accountability Act of 1996 and the related rules and regulations (HIPAA). In general, HIPAA requires that covered entities and business associates alike utilize adequate technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI) and electronic health information (EHI). As the U.S. Department of Health and Human Services Enforcement Actions and the U.S. Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act case settlements involving cybersecurity, electronic health records, and related healthcare laws have demonstrated, making false statements about compliance is material both under the False Claims Act and as defined in securities laws and regulations, including the SEC’s Cybersecurity Final Rule (89 Fed. Reg. 51896 (Aug. 4, 2023)).

So, what is next in Solarwinds now that the Fed. R. Civ. P. 12(b)(6) motion was addressed by the Court? Knowing that the pre-SUNBURST claims survived and will move forward, the SEC and the defendants will continue motion practice and move forward with trial. The burden of proof which must be met various with different convictions and judgements. Since this is not a criminal case, the “beyond a reasonable doubt” standard, which is the highest level of evidentiary standard, does not apply. The middle level of proof is “clear and convincing evidence”, which is a more rigorous standard than the “preponderance of the evidence” standard. In Solarwinds, the evidentiary standard that the court will apply is the “preponderance of the evidence” which essentially requires the SEC to prove a proposition by demonstrating that the proposition is more likely true than not true.

In sum, this is one to watch but not in a vacuum, as the Federal Trade Commission, DOJ, and HHS have other tools at their disposal which have been successfully deployed.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.