As I discussed in a post at the time (here), in August 2021 the SEC brought a cybersecurity-related disclosure enforcement action against UK educational publishing firm Pearson plc. In the following guest post, Paul Ferrillo, Daphne Morduchowitz and James Billings-Kang take a detailed look at the Pearson enforcement action and discuss the action’s implications. Paul and Daphne are partners and James is an associate at the Seyfarth Shaw law firm. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article.
In a move sure to change the paradigm of when and what companies disclose in their securities law filings when it comes to data breaches, the U.S. Securities and Exchange Commission (“SEC”) recently assessed Pearson plc (“Pearson”) a $1 million penalty for allegedly making material misstatements and omissions concerning its disclosure of a cybersecurity breach. While relatively small, the penalty is a potential wake-up call to businesses that the SEC will no longer turn a blind eye to a company’s omissions concerning data breaches, even if the breaches may appear to the issuer to be immaterial. Indeed, the SEC pursued violations against Pearson that did not require a finding of scienter, noting that negligence was sufficient to penalize Pearson. Further, the SEC expansively defined “materiality” in the context of a data breach involving a compromise of large quantities of information that Pearson was responsible for protecting and lapses in the protection of that data.
In the Matter of Pearson plc is among a recent string of SEC administrative cases brought by the agency against a public company that was not alleged to have engaged in intentional misconduct, fraud, and the like. These examples should serve as a wake-up call that the SEC won’t let up on cybersecurity-related enforcement actions, even for negligent missteps. With the rise in cybercrime and the sophistication of cybersecurity breaches, companies would fare better by strengthening not only their security measures but also their disclosure protocols to ensure that investors can weigh all information when making a securities decision.
London-based multinational publishing company Pearson offers school districts a digital tracker of students’ academic performance through its AIMSweb 1.0 platform. To function, this proprietary portal collects large amounts of highly sensitive personal data, including students’ and school administrators’ names, birthdays, email addresses, usernames, and passwords.
In its July 26, 2019 semiannual Form 6-K securities filing, Pearson indicated, just as it had in previous filings, that a “data privacy incident” was a principal risk that could possibly “result in a major data privacy or confidentiality breach causing damage to the customer experience and [Pearson’s] reputational damage.” The problem? That incident had already occurred. In fact, during the previous year, Pearson fell prey to an attacker that stole and exfiltrated student data and administrator login credentials of 13,000 school, district, and university customer accounts. Six months prior to the incident, Pearson received notification of a necessary security patch to avoid remote access to vulnerable servers, a patch that Pearson failed to utilize. Significantly, Pearson discovered this breach in March 2019 and was advised of the security patch in September 2018. In July 2019, Pearson management evaluated the incident and decided it was not material enough to warrant disclosure in its July 26th Form 6-K filing. One week before filing the Form 6-K, Pearson mailed a breach notice to approximately 13,000 customer accounts but interestingly did not inform the school administrators whose usernames and passwords had been downloaded by the attacker.
Upon learning of an upcoming media article describing the incident, Pearson released a July 31, 2019 media statement that explained the breach. Describing the attack as an “unauthorized access” that exposed names and possibly dates of birth and email addresses, the media statement did not indicate that, in fact, the breach resulted in the exfiltration of millions of rows of data, including undisclosed usernames and hashed passwords. Pearson also did not mention the known security patch it had failed to utilize prior to the incident and instead offered up the “sophistication” of its security protocols.
SEC’s Framework and Ruling
In anticipation of an administrative proceeding, Pearson submitted an Offer of Settlement, agreeing to pay $1 million and to cease and desist from any future violations. The SEC accepted the Offer and issued its findings on August 16, 2021. The SEC maintained that only after a national media outlet had contacted Pearson about the cybersecurity breach did it finally disclose the incident and, even then, Pearson’s July 31, 2019 disclosure understated the nature and scope of the incident and overstated the company’s security protections. In particular, the SEC found Pearson’s Form 6-K misleading because it presented the breach as a hypothetical. Similarly, the media statement was misleading because, in the SEC’s view, it (1) described the breach as “unauthorized access” and “expos[ure] of data” despite the fact that the attacker actually downloaded and stole no insignificant amount of personally sensitive data, (2) failed to indicate that the attacker actually exfiltrated birthdates, email addresses, usernames, and hashed passwords, (3) did not identify the volume of data stolen, and (4) indicated that Pearson had “strict data protections in place . . . and [had] fixed the vulnerability” without noting that it had neglected to avail itself of the known security patch.
Though Pearson admitted to no wrongdoing, the SEC found that Pearson had violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 (the “Securities Act”), and Section 13(a) of the Securities Exchange Act of 1934 (the “Exchange Act”) (collectively with the Securities Act, the “Acts”), in addition to Rules 12b-20, 13a-15(a) and 13a-16 of the Exchange Act.
The antifraud provisions of Sections 17(a)(2) and 17(a)(3) of the Securities Act (15 U.S.C. §§ 77q(a)(2), (a)(3)) prohibit the offering or sale of securities by means of material misstatements or omissions. Importantly, as the SEC recognized, the United States Supreme Court held in Aaron v. SEC, 446 U.S. 680, 685, 701–02 (1980) that a finding of scienter is unnecessary to establish a violation of Sections 17(a)(2) and (a)(3) of the Securities Act; negligence is sufficient. To be sure, the SEC found that Pearson had disseminated material misstatements concerning the breach given that Pearson’s “reputation and ability to attract and retain revenue” relied in part on its protection of personally sensitive information and that the theft involved a significantly large volume of information. That is, cybersecurity measures are central to Pearson’s business. Regardless, scienter is an unnecessary element for the provisions at issue.
Under the reporting provisions of Section 13(a) of the Exchange Act (15 U.S.C. § 78m(a)), a foreign issuer of securities like Pearson must provide periodic reports to the SEC with information that is accurate and not misleading. Relatedly, Rule 12b-20 of the Exchange Act (17 C.F.R. § 240.12b-20, “Additional information”) mandates disclosure of any further information needed to ensure that a statement captures all material information and does not omit anything of significance.
Rule 13a-15(a) (17 C.F.R. § 240.13a-15, “Controls and procedures”), in turn, mandates that public companies have “disclosure controls and procedures” to provide in their securities disclosures clear, timely, and robust assessments of cybersecurity risks and their impacts on the companies’ business. Senior executives should regularly consult with company information security personnel to ensure the effectiveness of not only the disclosure controls and procedures but also the lines of communication between the senior executives and the IT personnel, including internal reporting mechanisms. In other words, the buck stops with the high-level executives. Indeed, controls and procedures are, in the words of the SEC’s 2018 investigative report, “best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”
As a result of the violations, Pearson agreed to cease and desist from any future violations and to pay a $1 million penalty. With the SEC’s attention towards boardroom oversight of cybersecurity risk, C-suite executives and their legal counsel should be well versed in the following three guidelines given the dearth of regulatory oversight: first, the 2011 SEC Staff Cybersecurity Guidance; second, the 2018 full SEC Commission Cybersecurity Guidance; and third, Delaware jurisprudence on good faith. In combination, these insights highlight the immeasurable harm wrought by cybersecurity threats and the need for (a) robust security controls and procedures, (b) escalation channels apprising C-suite executives and Boards of known cybersecurity risks and their implications, and (c) disclosure mechanisms to inform investors of data-security incidents at companies.
It’s no secret that data security and cybersecurity risk disclosures are paramount to the SEC. A few weeks after his appointment as SEC Chairman, Gary Gensler remarked at the FINRA Annual Conference that cybersecurity enforcement remains a top priority for the SEC. In fact, just three weeks after Gensler’s remarks and two months before its ruling against Pearson, the SEC fined First American Financial Corporation (“First American”) $487,616 for violating the Exchange Act. Like Pearson, First American did not admit culpability. Most critical to this finding was that there was no discussion of materiality or scienter at all; instead, the SEC homed in on Rule 13a-15(a) of the Exchange Act. In doing so, the SEC set forth only that First American had failed to maintain robust controls and procedures to stave off and timely disclose a security breach. In other words, rather than pursuing violations of securities disclosure laws (like Sections 10 and 18 of the Exchange Act), the SEC lodged claims of disclosure controls violations to avoid a showing of scienter altogether. In First American’s case, the line of communication between its IT personnel and its senior management was so tenuous that management was unaware of a known vulnerability in First American’s real-estate platform until it disclosed the issue in its securities filings.
Similarly, two weeks after its findings against Pearson, the SEC sanctioned eight firms in three actions for deficient cybersecurity procedures that failed to prevent email account takeovers. The SEC found that these firms violated the Safeguard Rule (Rule 30 of Regulation S-P, 17 C.F.R. § 248.30(a)) by neglecting to ensure the security and confidentiality of customer records and information and to protect against anticipated threats and unauthorized access to such records and information. As with First American, it was unnecessary to show a willful violation, i.e., a finding of scienter.
In the past, the SEC focused on the most egregious cases, ordinarily when there was a significant lapse in time between a breach and a company’s disclosure of that breach. No longer. Now, the SEC has ramped up its efforts to censure companies for committing violations even where there are no materially misleading actions, fraud, or intentional misconduct. Regardless of whether a company acted in good faith or with any intent to deceive, negligence will be enough to instigate an SEC investigation into data security and cybersecurity risk disclosures.