Enforcement News: SEC Charges British Publisher With Issuing False Statements About a Data Breach
- Posted on: Aug 18, 2021
Cybersecurity disclosures are important for a number of constituencies. For example, consumers have a right to know if their data has been compromised at the company in which they do (or have done) business. Investors have a right to know if the company in which they have invested, or will invest, is the victim of a data breach and how such a breach has impacted (or will impact) the company’s business and operations.
As cybersecurity breaches become more common, the Securities and Exchange Commission (“SEC”) has made the disclosure of such matters an important focus of its work. In this regard, the Commission has ordered companies to cease and desist from making false and misleading statements about their cybersecurity efforts and their efforts to address any data breaches.
Two days ago, on August 16, 2021, the SEC announced that it settled charges against Pearson plc, a London-based public company that provides educational publishing and other services to schools and universities, for allegedly misleading investors about a 2018 data breach involving the theft of millions of student records, including dates of birth and email addresses (the “2018 Data Breach”).
In the order, the SEC found that Pearson made misleading statements and omissions about the 2018 Data Breach – an intrusion that involved the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. According to the SEC, in its semi-annual report, filed in July 2019, Pearson referred to a data privacy incident as a hypothetical risk when, in fact, the 2018 Data Breach had already occurred. In addition, the SEC alleged that, in a July 2019 media statement issued after the company had been contacted by a media outlet about the data intrusion, Pearson stated that (a) the breach may include dates of birth and email addresses, when, in fact, it knew that such records had been stolen, and (b) Pearson had “strict protections” in place, when, in fact, it had failed to patch the critical vulnerability for six months after it was notified. The media statement also allegedly omitted that millions of rows of student data, as well as usernames and hashed passwords, had been stolen.
Finally, the SEC found that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.
“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
According to the SEC, Pearson violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-15(a), and 13a-16 thereunder. Without admitting or denying the SEC’s findings, Pearson agreed to cease and desist from committing violations of these provisions and to pay a $1 million civil penalty.
Jeffrey M. Haber is a partner and co-founder of Freiberger Haber LLP.
This article is for informational purposes and is not intended to be and should not be taken as legal advice.