In the agency’s latest move underscoring its emphasis on cybersecurity disclosure, the SEC has filed settled charges against the U.K. educational publishing and services company Pearson plc, alleging that the company misled investors about a 2018 data breach. The company, which neither admitted nor denied the charges, agreed to pay a $1 million civil money penalty. The administrative enforcement action, while not the first of its type, does highlight the agency’s heightened focus on cybersecurity disclosure issues. The agency’s August 16, 2021 cease and desist order can be found here. The agency’s August 16, 2021 press release about the order can be found here. Pearson’s statement about the proceeding can be found here.
In March 2019, Pearson learned that millions of rows of data relating to thousands of student and school officials had been accessed and downloaded by an intruder. Pearson investigated the incident, and on July 19, 2019, mailed a breach notice to customer account holders whose student and school officials’ data had been compromised.
On July 25, 2019, company officials met to discuss the incident and concluded that it was not necessary to issue a public statement regarding the breach. Instead, in a July 26, 2019 SEC filing on Form 6-K, the company repeated text from its previous 6-K filings to the effect that a “data privacy incident” could cause “damage to the customer experience and our reputational image, a breach of regulations and financial loss.” The SEC later alleged that in this way, the company “referred to a data privacy incident as a hypothetical risk, when, in fact, the 2018 cyber intrusion had already occurred.”
On July 31, 2019, the company received an inquiry from a reporter for a national media outlet pertaining to the data breach. In response to the inquiry, the company issued a previously drafted media statement, which the SEC later alleged was “misleading.” Among other things, the SEC later alleged that the media statement said that the breach may include dates of birth and email addresses, when, “in fact, it knew that such records were stolen.” The media statement also said that the company had “strict protections in place” when, “in fact, it failed to patch the critical vulnerability for six months after it was notified.”
The agency also later alleged that the media statement “omitted that millions of rows of student data and usernames and hashed passwords were stolen.” The agency also alleged that the company’s “disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.”
The agency’s August 16, 2021 cease and desist order recited that the company, in anticipation that the agency was about to file administrative proceedings, submitted an Offer of Settlement, which the agency accepted. Among other things, the company agreed to take certain remedial steps and pay a $1 million civil money penalty, while at the same time neither admitting nor denying the agency’s allegations.
As I noted above, the cease and desist proceeding against Pearson is not the SEC’s first cybersecurity-related enforcement action. For example, as discussed here, in April 2018, the SEC agreed to settled charges with Altaba, Yahoo’s successor in interest, related to disclosures surrounding Yahoo’s massive data breach. In addition, this action against Pearson follows close on the heels of the agency’s June 2021 settled administrative proceeding against the title insurer First American Financial Corp., as discussed here.
But while this proceeding against Pearson is not the SEC’s first cybersecurity-related enforcement action, it does underscore that cybersecurity-related disclosure issues are an important agency priority and that the agency is prepared to take actions relating to cybersecurity disclosures. The agency’s press release underscores the priority the agency is giving to cybersecurity disclosure issues; the press release quotes the chief of the enforcement division’s cyber unit as saying “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
The agency’s press release helps explain why it targeted Pearson. The press release quotes the cyber unit chief as saying “Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident and overstated the company’s data protections.”
The enforcement action and the company’s statements make it clear not only that companies must be forthcoming in disclosing cybersecurity incidents to investors, but also that, in the agency’s view, companies making cybersecurity disclosures must not soft-pedal bad news or overstate the level of the company’s cybersecurity defenses.
It is also important to note that among the shortcomings the agency alleged against Pearson is the allegation that the company’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed about the circumstances of the breach, and that, as a result, those responsible for making disclosure determinations were not informed of that information. This allegation is very similar to the allegation in the agency’s recent action against First American Financial Corp., in which the agency alleged that the company lacked appropriate controls and procedures relating to cybersecurity disclosures.
In light of the allegations in this action and in the previous action against First American Financial Corp., it is clear that companies would be well advised to put controls and procedures in place to ensure that the company’s cybersecurity disclosures meet the agency’s standards. In particular, based on the allegations against Pearson, it is important that those controls and procedures are designed to ensure that those responsible for disclosure determinations are fully informed about the circumstances surrounding cybersecurity issues.
Predictions are always difficult, especially about the future, but I don’t think I am going out on a limb to predict that there likely will be further cybersecurity disclosure-related enforcement actions in the months ahead.