United States:

The SEC’s Latest Salvo On Cybersecurity Disclosures: A $1 Million Penalty And Cease & Desist Order

23 August 2021

Wilson Elser Moskowitz Edelman & Dicker LLP


On August 16, 2021, the United States Securities and Exchange
Commission (SEC) issued an Order announcing that it had imposed a
civil penalty of $1 million on Pearson plc, a London-based
multinational educational publishing and services company, for
misleading investors about a 2018 data breach that involved the
theft of millions of student records. The compromised data included
user names, dates of birth and email addresses, among other data.
The SEC found that Pearson's conduct violated sections 17(a)(2) and
17(a)(3) of the Securities Act of 1933 and section 13(a) of the
Exchange Act of 1934 and Rules 12b-20, 13a-15(a) and 13a-16
thereunder. (In the Matter of Pearson plc, Release Nos. 10963 and
92676, August 16, 2021.) The SEC also ordered Pearson to cease and
desist from committing or causing any further such violations.

In agreeing to the SEC’s Order, Pearson neither admitted
nor denied the SEC’s findings.


According to the SEC’s Order, by September 2018 Pearson
had known for many months that the students’ personal
information, as well as that of school personnel, had been accessed
and downloaded by a threat actor exploiting an unpatched vulnerability.
That knowledge notwithstanding, Pearson did not deploy the publicly
available patch until after the breach had occurred. Pearson also
downplayed the impact of the data compromise.

At the time, Pearson’s 2019 semiannual report described a
hypothetical data incident without disclosing that it had, in fact,
already been breached. The relevant Form 6-K also
“implied that no ‘major data privacy or confidentiality
breach’ had occurred when Pearson knew months earlier about
the … breach.”

In issuing the Order, Kristina Littman, Chief of the SEC
Enforcement Division’s Cyber Unit, reported that
“[as] the [SEC’s enforcement] order finds, Pearson opted
not to disclose this breach to investors until it was contacted by
the media, and even then Pearson understated the nature and scope
of the incident, and overstated the company’s data
protections.” The Order expanded on this comment, noting that
Pearson’s processes and procedures in drafting its disclosure
and a subsequent media statement were deficient. The SEC also found
that Pearson had failed “to maintain disclosure controls and
procedures designed to analyze or assess such incidents for
potential disclosure in the company’s


This is not the first time the SEC has stepped into the breach,
so to speak. The agency has initiated a number of
cybersecurity disclosure proceedings, including its nearly $500,000
fine in 2019 of real estate title insurance company First American
and a $35 million settlement in 2018 to resolve allegations that
Yahoo had failed to advise investors about a data breach. It also
warned public companies in a 2018 report that they must adopt
robust internal controls to detect cyber-threats in order to
comply with governing SEC regulations.

In short, federal regulators, like their state counterparts, are
keenly mindful of the impact of a privacy incident and see
alternative paths to protect personal information and generate
revenues for their governmental bodies. Pearson is just the latest
example. In light of the SEC’s aggressive posture, we
anticipate that there will be other proceedings against public

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
