Editor's note: Authored by Nicolas Dumont, this article was originally published in Law360.
In mid-September, the U.S. Securities and Exchange Commission announced that it had brought and settled charges against App Annie and its co-founder and former CEO and chairman, Bertrand Schmitt.
According to the SEC, App Annie's failure to adequately disclose how it generated app performance data misled traders that purchased the information. The SEC alleged violations of Section 10(b) of the Securities Exchange Act and Rule 10b-5 thereunder.
App Annie is one of the largest providers of mobile app performance data. It sells market data about companies' mobile apps, such as how many times an app is downloaded, how often it is used, how much revenue it generates and other competitive information. Hedge funds and other trading firms refer to this information as alternative data because it is not included in a company's financial statements or other traditional data sources.
The alternative data market has exploded in recent years as companies seek ways to extract and market data from various emerging sources, including email, mobile devices, social media sites, sensors, Internet of Things-based devices, satellites and e-commerce portals. The data is commonly used by trading firms to identify patterns and insights, and gain market intelligence and advantage.
In a narrow sense, App Annie is a warning about the importance of good data governance for all companies that collect data — especially alternative data providers — but its implications are potentially broader.
For the first known time outside the context of broker-dealer and registered investment adviser exams, the SEC has drawn attention to the pervasiveness of alternative data in our financial markets, and its possible dangers. The SEC has demonstrated that it will use its enforcement powers to regulate alternative data practices by all entities that interact with the financial markets, not just those over which it has direct supervisory authority.
This scrutiny may one day extend to the subjects of alternative data themselves. That risk is particularly high for U.S. public companies. To date, alternative data generally receives little attention by public company management and boards of directors.
But as the importance and reach of alternative data methods grow and evolve, so too must the practices, policies and vigilance of publicly traded companies. Boards of directors, senior management, data compliance and disclosure personnel should become familiar with alternative data.
It is challenging to make broad recommendations with respect to an industry that is rapidly evolving. Still, U.S. public companies should consider implementing the following alternative data practices in light of App Annie:
Assess alternative data imprint;
Enhance data controls and procedures;
Strengthen board-level governance of alternative data;
Ensure consistency between alternative data and financial reporting; and
Consider how to use alternative data to enhance reporting.
1. Assess your alternative data imprint.
The first step of any public company's alternative data strategy should be to evaluate its data imprint, and consider how its externally perceivable data is, or could be, used. The task is daunting since there are many unknowns about how alternative data is ultimately analyzed and processed by hedge funds or other institutions.
Moreover, the alternative data industry is new and rapidly evolving, and guards its secrets and methods. Since there are uses of data that cannot be predicted, companies should adapt to a known-unknowns paradigm in assessing their alternative data.
Key questions could include: What information is your company routinely displaying on the internet? Who might have access to that information? How could it be used and interpreted by alternative data providers or aggregators? What is legitimately in the public domain, and what is not meant to be?
In short, assess and identify what information has been produced by the company expressly for analysis by the public, such as press releases and financial reports, and what may not have been intended for public analysis, such as visits to company websites, or analysis of job postings that may reveal activity or strategic focus.
Note that a large part of a company's alternative data may be produced by external entities that access data provided by the company's public and financial reporting functions. Anytime the company acts outside its organization or interacts with a third party, consider how this behavior could be used or perceived for alternative data analysis purposes.
For example, sales and marketing may publish statistics or stories for thought leadership or branding purposes that can be used by alternative data providers to develop insight into performance. Posts of job opportunities to LinkedIn or other services could likewise grant insights into where and how a company is growing or anticipates growth.
2. Assess and enhance data controls and procedures.
Much like accounting policies and procedures that are designed to combat financial fraud, companies should design and implement policies to facilitate analysis of alternative data and to enable management to assess and reinforce protective measures with respect to data.
Companies are not merely the stewards of capital, but information — perceived or real — that must be managed. Data controls and procedures should enable a company to understand what information regarding it or its legitimate interests is publicly available, and how that information can be used by others.
Concrete protective measures may include software and legal protections for unintended use cases, such as better firewalls and strengthened terms-and-conditions that could be enforced in the event that the unintentional appropriation of information for noncriminal purposes is possible.
The rise of alternative data suggests that even though certain information is required to be disclosed with the SEC, potentially all data is market moving, or at least in part determinative of asset pricing. As a result, companies should exercise caution when selling or giving their own information to data aggregators who routinely pay and solicit companies for data.
It is challenging to determine or predict how that information might ultimately be used. Due diligence should be conducted on such vendors to determine what policies and procedures apply to data they receive. Such practices may also raise concerns as to disclosure of material nonpublic information, or disclosure for Regulation Fair Disclosure purposes.
3. Strengthen board-level governance.
What is the proper role of the board with respect to alternative data? The audit committees of most public reporting companies in the U.S. are already significantly burdened. Audit committees should remain focused on financial reporting and output, and the means by which financial data and transactions are translated into audited financial statements through interpreted accounting rules.
A newly formed data committee — or data and risk committee — might instead be an appropriate place to house the important function of understanding the range of alternative data available and its public use. Just as financial statements are reviewed and approved by public company audit committees, data and risk committees could be required to work with existing disclosure committees to review public statements and consider how that output relates to other available data.
Data and risk committees could also be tasked with defensively monitoring controls and protection guidelines for data in anticipation of a breach, and monitor and address disinformation initiatives or other malicious behavior.
This committee could also advise with respect to social media activity, formulate policies and procedures to advise management when breaches occur, address legal requirements as they apply to personally identifiable information and other forms of data, and design responses to ransomware attacks or hacking.
Like other standing board committees of U.S. public companies, data and risk committees should be given access to the resources needed to complete their mission, including consultation with outside advisers, and discretion to advise management to devote additional resources to alternative data issues.
4. Ensure consistency between alternative data and financial reporting.
Analysis of alternative data, or artificial intelligence native processes such as natural language processing, can capture differences between publicly reported data, including financial reports, and other data that companies disclose intentionally or unintentionally.
Investors who can gain insights through analysis of those differences may be able to achieve trading advantages. Alternative data could be particularly useful when it reveals historical performance or future trends more accurately than an issuer has otherwise disclosed through periodic reporting.
As a legal matter, companies offering securities, or issuers with securities registered under the Securities Exchange Act, owe investors and regulators financial disclosure that fairly represents their condition. As an underlying principle of market fairness and efficiency, that information should be provided so as not to grant sophisticated investors better insights into corporate performance than is available to retail investors or management itself.
As a result, issuers should strive to identify, and subsequently diminish, any variability between the result or potential result of analyzing alternative data, and financial reports.
For example, issuers could expose themselves to liability should financial statements suggest that in-store sales have risen from quarter to quarter, yet satellite or other imagery indicates otherwise. Issuers could also consider using sentiment and deception scoring through natural language processing to identify differences between the tone of public reports and any other statements made to the public.
5. Consider how to use alternative data to enhance reporting.
As a corollary to identifying differences between financial reports and alternative data, a company should consider how to leverage alternative data to inform legal risk analysis and public company reporting.
For example, a company should consider whether information regarding its web activity could be used to identify risks to the company that should be addressed by management and disclosed to the investing public.
Controls and procedures as currently defined under U.S. securities laws are designed to address the legacy of Enron and other accounting scandals.
Through a combination of board independence and committee rules and responsibilities, auditors who are regulated by the Public Company Accounting Oversight Board and lawyers who are responsible in part to the SEC, the law endeavors to ensure that financial transactions and data are reported accurately.
To date, these initiatives appear to have been largely successful in avoiding widespread accounting fraud in the U.S. capital markets. With these guardrails in place, the next great source of informational risk to U.S. public companies is likely to come from elsewhere.
Alternative data, if not assessed and managed properly, could very well be that source. Its proliferation calls for increased vigilance by boards of directors and management.
 The SEC's Division of Examination's 2021 Examination Priorities for regulated entities such registered investment advisers and broker-dealers include alternative data. The SEC announced its intention to examine in particular whether firms "are implementing appropriate controls and compliance around the creation, receipt, and use of such information." (https://www.sec.gov/files/2021-exam-priorities.pdf).