The SEC announced this week that it has charged mobile app industry data provider App Annie and its founder Bertrand Schmitt with securities fraud for "deceptive practices and making material misrepresentations about how App Annie's alternative data was derived."
App Annie's data has been used widely across a number of industries and can be found cited in hundreds of news reports. The company agreed to settle the charges for more than$10 million, according to the SEC.
The SEC said it was their first time charging an alternative data provider with securities fraud. App Annie will pay$10 million, and Schmitt will pay$300,000. He is also barred from serving as an officer or director of a public company for three years.
Gurbir Grewal, director of the SEC's Enforcement Division, said federal securities laws prohibit deceptive conduct and material misrepresentations in connection with the purchase or sale of securities.
"App Annie and Schmitt lied to companies about how their confidential data was being used and then not only sold the manipulated estimates to their trading firm customers but also encouraged them to trade on those estimates -- often touting how closely they correlated with the companies' true performance and stock prices," Grewal said.
App Annie is accused of lying to companies about how they aggregated and used market data. As one of the biggest sellers of data on mobile app performance, App Annie assured companies sharing their data with them that App Annie would not disclose their information to third parties or disseminate the data without aggregating and anonymizing it first.
"Contrary to these representations, the order finds that from late 2014 through mid-2018, App Annie used non-aggregated and non-anonymized data to alter its model-generated estimates to make them more valuable to sell to trading firms", the SEC said.
"The order further finds that App Annie and Schmitt misrepresented to their trading firm customers that App Annie generated the estimates in a way that was consistent with the consents it obtained from companies that shared their confidential data and that App Annie had effective internal controls to prevent the misuse of confidential data and to ensure that it was in compliance with the federal securities laws."
App Annie knew trading firms made investment decisions based on the data and estimates the company produced and even went so far as to share ideas with trading firms on how their data could be used ahead of upcoming earnings announcements.
SEC San Francisco Regional Office director Erin Schneider added that App Annie went to great lengths to assure its customers that the financial and app-related data it sold was the product of a sophisticated statistical model. It had controls to ensure compliance with the federal securities laws.
"These representations were materially false and misleading," Schneider said.
While the SEC order said the company violated certain anti-fraud provisions, the company was allowed to agree to a cease-and-desist order without admitting or denying the charges.
In a statement, App Annie said that in response to the investigation and charges, it has appointed a new CEO and executive team, implemented changes to how it builds data estimates and created procedures "to ensure the exclusion of all confidential public company data from the process of generating market data estimates."
App Annie CEO Theodore Krantz told ZDNet, "Many businesses may be unknowingly leveraging data reliant on confidential public company information without explicit consent, which we believe puts companies using digital/mobile market data at significant risk. It is our opinion that the entire alternative data space needs to be regulated," Krantz said.
John Bambenek, the principal threat hunter at Netenrich, said the case represented one of the biggest risks that exist today, in that there is no way to guarantee a third party is not misusing data.
He noted that the fine would not hurt App Annie overall and explained that getting bulk data on consumer behavior is a big business.
"The dollars involved ensure that organizations will play fast and loose with data and privacy protection until there is more robust enforcement and regulation," Bambenek said.
"The only reason this action took place is they misused corporate information, and unlike consumers, they have resources to fight back."