by Avi Gesser, Charu Chandrasekhar, Eric Silverberg, Mengyi Xu, and Adrian Gonzalez
As part of our ongoing series on enforcement actions by the Securities and Exchange Commission (“SEC”) in data- and cybersecurity-related matters (here, here, and here), we have been closely tracking regulatory developments and gathering insights on enforcement trends. Last week, the SEC announced that App Annie and its former CEO and Chairman, Bertrand Schmitt (“App Annie”), had agreed to a $10.3 million payment to settle charges for engaging in fraudulent practices and making material misrepresentations about its data use from 2014 to 2018 (the “Relevant Period”) in violation of Section 10(b) of the Securities Exchange Act of 1934 (“Exchange Act”) and Rule 10b-5 thereunder (“SEC Order”). Although not explicitly articulated in the SEC Order, the SEC’s basis for jurisdiction was ostensibly the fact that the app aggregated public company data. This is the SEC’s first enforcement action against an alternative data provider. As was the case in the BlueCrest settlement late last year, the App Annie enforcement action underscores the importance of making accurate disclosures regarding data collection and use, and the regulatory risk for companies that do not follow their data policies and procedures.