App Annie Settlement Signals Increased Scrutiny for Data Brokers by SEC

Data brokers beware, the Securities Exchange Commission (SEC) has signaled increased scrutiny into the data and privacy practices of technology-enabled companies in the financial services industry. On September 14, the SEC announced that it settled a securities fraud investigation into private technology company App Annie, Inc. and its former CEO and Chairman Bertrand Schmidt, in his private capacity, over alleged violations of Section 10(b) of the Securities Exchange Act and Rule 10b-5. The SEC alleged that App Annie and its CEO used disaggregated company confidential data collected from a subset of its customers to increase the accuracy of models and estimates App Annie sold to trading firm customers, who paid a subscription fee for the information.

To resolve the enforcement action, App Annie agreed to pay a $10 million fine based on the SEC's finding that it failed to exclude nonpublic confidential data from its estimates and models, while assuring trading firms that App Annie's use of confidential data complied with its customer agreements and federal securities laws. The SEC's cease and desist order also requires the CEO to pay $300,000 and prohibits him from serving as an officer or director of a publicly traded company for three years based on his knowledge and approval of App Annie's data privacy practices.

App Annie provides a free analytics product called "Connect" to companies, including publicly traded companies, that tracks important metrics, such as the number of app downloads, app revenue, and app usage. App Annie then takes these performance metrics and analyzes them to prepare statistical models and estimates, which it sells primarily to trading firms via a subscription to another App Annie product called "Intelligence." For publicly traded companies that derive revenue from app purchases and usage, these metrics could allow traders to predict a company's performance and revenue before a company files its financial statements with the SEC. The SEC fears that this "alternative data" is derived from nonpublic confidential company data that is material to a publicly traded company's financial performance and stock price (and provides traders using the "Intelligence" product an advantage).

According to the SEC, App Annie misrepresented to "Connect" product users that their data was confidential, and App Annie would only use "anonymized" or "aggregated" data when preparing statistical models to sell to "Intelligence" subscribers. Similarly, "Intelligence" product subscribers were told that App Annie's use of customer confidential data was consistent with its customer agreements and compliant with federal securities laws. Contrary to these public representations, the SEC found that App Annie did not anonymize or aggregate the data from "Connect" so that the information it gathered and sold could be more accurate and thereby more valuable to "Intelligence" subscribers. The SEC also found that the CEO knew that App Annie did not use anonymized or aggregated data when preparing its models and estimates and nevertheless approved the data practices.

The enforcement action is remarkable as the first of its kind in the "alternative data" space and is one of many enforcement actions by the SEC in recent months in the cybersecurity and data privacy space (e.g., the SEC recently announced three enforcement actions charging deficient cybersecurity practices). It is also an example of the SEC's shift to impose liability under federal securities laws against individual officers and directors of a company in connection with a company's deceptive practices.

One thing is clear - data processors, data aggregators, and companies providing or consuming alternative data are facing increased regulatory scrutiny. Given the current focus of the SEC (and other regulatory bodies), it is incumbent on companies in this space to:

• Ensure customer agreements accurately reflect the company's data practices and disclose the intended and permitted uses of confidential customer information;
• Document the company's data privacy policies, internal controls, and procedures;
• Develop a strong compliance program to manage regulatory risk and develop policies and practices that comply with changing laws and regulations; and
• Engage in periodic monitoring and testing to ensure that internal controls function as intended and policies and procedures are followed.

Troutman Pepper's regulatory team monitors developments like these as it counsels clients in the evolving landscape of cybersecurity and data privacy laws and regulations.