Careful—and truthful—reporting of a data breach should be a must for any company. But nowhere is this truer than for publicly traded companies. A recent Securities and Exchange Commission Order highlights how costly inaccuracies and omissions in reporting of data breaches may prove for publicly traded companies.
On August 16, 2021, the SEC announced a settlement with Pearson plc, a multinational, publicly traded educational publishing company based in the United Kingdom. Pearson trades on the London Stock Exchange under the ticker symbol PSON, and its American Depositary Receipts are traded on the New York Stock Exchange under the ticker symbol PSO.
The SEC charged Pearson with making misleading statements and omissions about a 2018 data breach that involved the theft of student data and administrator log-ins of 13,000 school district and university customer accounts. Pearson agreed to pay $1 million to settle the SEC’s charges.
Pearson learned in March 2019 about a cyber intrusion that affected data stored on the server for its web-based product, AIMSweb 1.0. A “sophisticated threat actor” (read: hacker) accessed and downloaded school district personnel user names, passwords, and 11.5 million rows of student data, including birth dates and email addresses, in 2018. In September 2018, the software manufacturer had warned Pearson of a vulnerability in its software and made a patch available to Pearson. Pearson failed to download the software patch to fix the vulnerability until March 2019, when it confirmed the theft of the data.
Compounding its error, Pearson sent notice to the affected users in July 2019 in which Pearson failed to inform the users that their usernames and passwords had been stolen. That same month, in Pearson’s semi-annual SEC filings, Pearson termed the incident a “hypothetical risk,” despite knowing that the breach had actually occurred. Later, in a media statement, Pearson said the breach “may have” included student birth dates and email addresses, and touted its “strict protections” for data privacy—all despite knowing that it failed to patch the software vulnerability for months.
It’s not difficult to deduce why the SEC charged Pearson with violating the antifraud provisions of Sections 17(a)(2) and (a)(3) of the Securities Act of 1933 and the reporting provisions of Section 13(a) of the Securities Exchange Act of 1934, among other violations. Pearson offered to pay a civil monetary penalty of $1 million, and the SEC accepted. Pearson also agreed to cease and desist from any further violations of Sections 17(a)(2) and (a)(3).
The SEC’s Order came just over one year after a federal judge in the United States District Court for the Northeastern District dismissed a putative class action against Pearson, finding that the putative plaintiffs lacked standing to sue Pearson for the theft of the student email addresses. The court noted in its Order that the email addresses were “not sensitive enough to materially increase the risk of identity theft,” and thus, that the plaintiff’s argument that the personal data had been diminished is “too speculative to confer standing.”
While standing issues may enable publicly traded companies to avoid plaintiff class actions—for now—in certain jurisdictions, the SEC’s Order makes it clear that the SEC is monitoring disclosures of data breaches closely. The Pearson Order demonstrates the critical importance of accurate disclosures of data breaches, both internally within companies and externally to the public at large. Pearson’s will not be the last of these Orders.