On August 16, 2021, the United States Securities and Exchange Commission (SEC) issued an Order announcing that it had imposed a civil penalty of $1 million on Pearson plc, a London-based multinational educational publishing and services company, for misleading investors about a 2018 data breach that involved the theft of millions of student records. Compromised data included user names, dates of birth and email addresses, among other data, thereby violating sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and section 13(a) of the Exchange Act of 1934 and Rules 12b-20, 13a-15(a) and 13a-16 thereunder. (In the Matter of Pearson plc, Release Nos. 10963 and 92676, August 16, 2021.) The SEC also ordered Pearson to cease and desist committing or causing any further such violations.
In ratifying to the SEC’s Order, Pearson neither admitted nor denied the SEC’s findings.
According to the SEC’s Order, in September 2018, Pearson had known for many months that the students’ personal information as well as that of school personnel had been accessed and downloaded by a threat actor using an unpatched vulnerability. That knowledge notwithstanding, Pearson did not deploy the publicly available patch until after the breach had occurred. Pearson also downplayed the impact of the data compromise.
At the time, Pearson’s 2019 semiannual report described a hypothetical data incident without disclosing that it, in fact, already had been breached. The relevant Form 6-K also “implied that no ‘major data privacy or confidentiality breach’ had occurred when Person knew months earlier about the … breach.”
In issuing the Order, Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, reported that “[as] the [SEC’s enforcement] order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections.” The Order expanded on this comment, noting that Pearson’s processes and procedures in drafting its disclosure and a subsequent media statement were deficient. The SEC also found that Pearson had failed “to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings.”
This is not the first time the SEC has stepped into the breach, so to speak. Indeed, the agency has initiated a number of cybersecurity disclosure proceedings, including its nearly $500,000 fine in 2019 of real estate title insurance company First American and a $35 million settlement in 2018 to resolve allegations that Yahoo had failed to advise investors about a data breach. It also warned public companies in a 2018 report that they must adopt robust internal controls to detect cyber-threats in order to be compliant with governing SEC regulations.
In short, federal regulators, like their state counterparts, are keenly mindful of the impact of a privacy incident and see alternative paths to protect personal information and generate revenues for their governmental bodies. Pearson is just the latest example. In light of the SEC’s aggressive posture, we anticipate that there will be other proceedings against public companies.