The U.S. Securities and Exchange Commission this week took the rare step of penalizing a company for its allegedly poor disclosure of a cyber incident. The SEC announced a $1 million civil penalty against Pearson plc (“Pearson”), a London-based educational publishing company that is a U.S. securities issuer. The penalty resolves charges that Pearson misled investors related to a 2018 data breach.
In the wake of a hacking incident, corporate victims understandably can be tempted to share less and not more detail with the market; to disclose later rather than sooner; and to use the breach announcement to tout their data security commitments rather than just acknowledge their shortcomings. The SEC has shown this week that, when the facts warrant, it is prepared to call out such communications strategies as violations of the securities laws.
For What Did the SEC Fault Pearson?
According to the SEC’s Order, on March 21, 2019, Pearson learned that millions of rows of data had been accessed and downloaded by a threat actor exploiting an unpatched security vulnerability. The intrusion happened in 2018 and affected student data across 13,000 of Pearson’s accounts with schools and educational institutions in the United States. The data exfiltrated included school personnel usernames and hashed passwords, as well as student names, dates of birth and email addresses.
According to the SEC:
- Pearson did not patch the vulnerability until March 2019, after it learned of the breach, even though a patch was available and Pearson had received notice of it in September 2018.
- Pearson’s breach notifications to its customers, mailed on July 19, 2019, did not inform school administrators that their usernames and hashed passwords had been exfiltrated.
- Pearson filed with the SEC a Form 6-K covering the first six months of 2019 which merely posited a hypothetical data security risk, implying that no “major data privacy or confidential breach” had actually occurred.
- Pearson released a media statement on July 31, 2019 that allegedly was misleading for the following reasons: (1) it stated that the data had merely been accessed or exposed when in reality it had been exfiltrated, (2) it misstated the type (and omitted the amount) of data that was exfiltrated, (3) it characterized the exfiltration of certain types of data as hypothetical when Pearson knew those types of data had been exfiltrated, and (4) it represented that “[p]rotecting our customers’ information is of critical importance to us” and that “strict data protections” were in place, even though Pearson had failed to patch a known critical security vulnerability and was using an outdated hashing algorithm for password storage.
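The Order faults Pearson for using an “outdated hashing algorithm for password storage” without naming the algorithm. Why that finding undercuts a claim of “strict data protections” is easiest to see in code: once hashed passwords are exfiltrated, the hashing scheme is the only thing standing between the attacker and the plaintext. The following is an added example, not from the SEC Order or from Pearson. It assumes, purely for illustration, that “outdated” means a fast, unsalted digest (SHA-1 is used here), and contrasts it with a salted, memory-hard key derivation function (scrypt, from Python’s standard library). Every account, password and wordlist entry below is constructed; none comes from the breach.

```python
"""
Added example (not from the SEC Order or Pearson): the practical difference
between an outdated password hash and a modern password KDF when the hashes
are exfiltrated. ASSUMPTION: "outdated" is modelled as unsalted SHA-1; the
Order does not say which algorithm Pearson used.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Constructed sample data: not real accounts or passwords.
SAMPLE_ACCOUNTS = {
    "admin@example-school.test": "Welcome2018",
    "principal@example-school.test": "summer2019!",
    "itlead@example-school.test": "Password123",
}

# Constructed attacker wordlist; real ones contain billions of entries.
WORDLIST = ["123456", "password", "Welcome2018", "summer2019!",
            "letmein", "Password123", "qwerty"]


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1 hex digest (the assumed 'outdated' scheme).
    Equal passwords give equal hashes, and a guess costs about a microsecond."""
    return hashlib.sha1(password.encode()).hexdigest()


def kdf_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted scrypt (RFC 7914). n=2**14, r=8, p=1 is a common interactive-login
    cost (16 MiB of memory per evaluation); raise n to make guessing slower."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, key


def kdf_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a recomputed scrypt key against the stored one."""
    _, key = kdf_hash(password, salt)
    return hmac.compare_digest(key, expected)


def crack_legacy(stolen: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack on unsalted digests: hash each word ONCE, then look
    every stolen hash up in that table. Cost is len(wordlist), independent of
    how many accounts were stolen, and the table can be precomputed."""
    table = {legacy_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


def crack_kdf(stolen: dict[str, tuple[bytes, bytes]],
              wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Same attack on salted scrypt: the per-user salt defeats precomputation, so
    each (user, word) pair needs its own slow KDF call. Returns the recovered
    passwords and the number of KDF evaluations spent."""
    recovered: dict[str, str] = {}
    calls = 0
    for user, (salt, key) in stolen.items():
        for word in wordlist:
            calls += 1
            if kdf_verify(word, salt, key):
                recovered[user] = word
                break
    return recovered, calls


def compare() -> dict:
    """Run both attacks over the constructed sample and report work and time."""
    stolen_legacy = {u: legacy_hash(p) for u, p in SAMPLE_ACCOUNTS.items()}
    stolen_kdf = {u: kdf_hash(p) for u, p in SAMPLE_ACCOUNTS.items()}

    t0 = time.perf_counter()
    legacy_found = crack_legacy(stolen_legacy, WORDLIST)
    t1 = time.perf_counter()
    kdf_found, kdf_calls = crack_kdf(stolen_kdf, WORDLIST)
    t2 = time.perf_counter()
    return {
        "legacy_recovered": legacy_found,
        "legacy_hash_ops": len(WORDLIST),
        "legacy_seconds": t1 - t0,
        "kdf_recovered": kdf_found,
        "kdf_ops": kdf_calls,
        "kdf_seconds": t2 - t1,
    }


if __name__ == "__main__":
    result = compare()
    for k, v in result.items():
        print(f"{k}: {v}")
```

With this tiny wordlist both attacks succeed, which is the point: weak passwords fall either way. The difference is the cost curve. The legacy attack spends seven hash operations for any number of stolen accounts, and the same table works against every other site that used unsalted SHA-1; the scrypt attack must pay a separate slow evaluation for every account-and-guess pair, so an attacker holding thousands of administrator hashes faces work that scales with both numbers. A breach notification that omits the fact that hashed credentials were taken, as the Order says Pearson’s did, deprives administrators of the information they need to judge that risk and rotate passwords.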
What Were the Legal and Financial Terms of the Resolution?
The SEC found that Pearson violated Sections 17(a)(2) and 17(a)(3) of the Securities Act, Section 13(a) of the Exchange Act and Rules 12b-20, 13a-15(a) and 13a-16 thereunder. These statutes and rules collectively require that (1) a person not be misled by way of untrue statements of a material fact or any omission in connection with the sale of securities, or through a fraudulent or deceptive scheme, and (2) issuers maintain controls and procedures to ensure that information is properly disclosed pursuant to the Commission’s rules. In sum, according to the SEC, Pearson violated the securities laws because it had repeatedly misled the public by omitting and misrepresenting important information.
In determining to accept Pearson’s offer of $1 million to settle the charges, the SEC considered Pearson’s cooperation with the Commission staff.
How Should Future Corporate Breach Victims Handle Disclosure in Light of the Pearson Case?
Companies that have been hacked often have good-faith reasons to say less rather than more in their public disclosures: to avoid or delay disclosing specific details, particularly around data exfiltration (which can be forensically difficult to confirm), and to assure the public that strong cybersecurity measures were in place (skilled attackers frequently overcome even good defenses). The Pearson case suggests that the SEC will have little patience with this approach. Rather, the SEC appears to favor breach disclosures that are candid, timely, reasonably detailed and humble:
- Make to-the-point, timely disclosures. Breached companies should ensure that information released is factual, concrete and timely, taking care to acknowledge when events have actually taken place instead of characterizing them as hypothetical (including risk factor disclosure). In its press release on Pearson, the SEC asserted that both the company’s Form 6-K and an ensuing media statement were misleading in that they (1) obscured the fact that data had been exfiltrated and (2) represented that appropriate security measures had been in place. Additionally, the SEC seemed concerned that Pearson’s media statement was reactive instead of proactive.
- Have effective internal policies for vetting breach information. Companies should make sure they have effective controls in place so that disclosures can be both factually accurate and timely. In the case of a security breach, these controls may help to ensure that the individuals responsible for determining disclosure obligations are well informed. In one of its few prior enforcement cases on cyber disclosure, the SEC faulted First American for a corporate failure to ensure that information about a breach was timely made available to the senior executives responsible for disclosure matters.
- Do not overstate the merits of your cybersecurity program, especially if major issues remain unaddressed. The SEC emphasized that Pearson did not patch a critical software vulnerability, despite having notice of the vulnerability for months prior to the discovery of the breach. In addition, the SEC viewed Pearson’s assertions that it had “strict data protections in place” as misleading in light of its failure to patch a known, critical vulnerability. One takeaway is that the SEC seems to view breach disclosures as a means to convey information about what you might have done better and will do better in the future and that general statements about the strengths of your cybersecurity program should be made in a limited and careful manner, if at all.
We refer readers to our previous post on SEC cybersecurity priorities and our follow-up post on additional ways for companies to reduce regulatory risk. We are available to discuss the implications of the Pearson case with our clients and friends.
The authors would like to thank Debevoise law clerk David Wang for his contribution to this article.