Through its August 16, 2021 announcement of settled charges against Pearson plc (Pearson), the U.S. Securities and Exchange Commission (SEC) signaled its continued, close scrutiny of companies’ public statements about data security incidents.[1] Without admitting or denying the SEC’s findings, Pearson agreed to a cease-and-desist order (Order) and to pay a $1 million penalty.[2] The Pearson Order follows the SEC’s June 2021 announcement of settled charges against First American Title Insurance Company (First American) for cybersecurity disclosure control failures.[3] Together, the Pearson and First American actions underscore the SEC’s increasingly vigorous enforcement of disclosure control obligations related to cybersecurity, in particular unremediated vulnerabilities that expose sensitive customer information, and data breaches.
I. Background to the SEC’s Order Against Pearson
According to the Order, Pearson learned in March 2019 that a threat actor had exploited an unpatched vulnerability to access and download millions of rows of data from a company server. The software vendor had publicly rated the vulnerability as critical since September 2018, but Pearson did not apply the patch until it learned of the attack, roughly six months later. The Order alleges that Pearson continued to use the server until July 2019, when it had previously been scheduled for retirement. Although Pearson formed an incident management team and retained a third-party consultant to investigate the breach in March 2019, it concluded during the investigation that the incident did not need to be disclosed. The Order alleges that on May 7, 2019, Pearson instead prepared a “reactive media statement” to be issued only if it received a “significant media inquiry about the incident.”
The Order further alleges that on July 19, 2019, Pearson notified affected individuals of the breach but did not tell school administrators that their usernames and hashed passwords had been exfiltrated, or that the affected accounts remained at risk after July 19, 2019.
On July 26, 2019, Pearson filed a Form 6-K with the SEC. The Order alleges that the filing’s risk disclosure presented the possibility that a breach could expose confidential information as a hypothetical risk, without disclosing that Pearson had in fact discovered such a breach months earlier. The filing echoed prior filings stating that no “major data privacy or confidentiality breach” had occurred.
On July 31, 2019, approximately two weeks after it notified affected customers of the 2018 breach, Pearson issued a statement, in response to a media inquiry, describing the nature of the breach and the compromised data. The Order alleges that the statement incorrectly said that “data was isolated to first name, last name, and in some instances may include date of birth and/or email address,” even though usernames and hashed passwords of school personnel had been exfiltrated. The statement also said the exfiltrated data “may include” dates of birth or email addresses, when Pearson knew that approximately 50% of the exfiltrated records contained dates of birth and that a significant portion contained email addresses.
Following the Form 6-K filing and the posting of the media statement, Pearson continued an ongoing offering of its ordinary shares under its employee and management incentive plans. On August 1, 2019, the day after the media statement was published, Pearson’s stock price on the NYSE declined 3.3%.
II. Lessons Learned From the SEC’s Pearson Order
The Order provides significant insight for public companies’ disclosure regimes. Specifically, publicly traded companies should consider the following lessons as they work to improve their cybersecurity disclosure controls and programs.
- Assess all public statements — to regulators or otherwise — with adequate legal rigor before release. The Order held Pearson responsible both for misleading statements in its Form 6-K and for its publicly available media statement. Companies should bear in mind that, when evaluating the materiality of a breach, the SEC looks at every communication that may affect investor decision-making, not only SEC filings. Media statements must therefore align with the coordinated legal response. Pearson’s Form 6-K implied that no “major data privacy or confidentiality breach” had occurred despite an intrusion discovered months earlier, and its media statement omitted facts about the exfiltration and continued exposure of data that the company knew had been compromised.
- Periodically review data security protocols and procedures. The SEC focused on several shortcomings in Pearson’s security program: mismanagement of personally identifiable data, continued use of the compromised server after the intrusion, outdated password storage, and a failure to patch a vulnerability the vendor had rated critical some six months before the attack. Annual, if not more frequent, review and testing of cybersecurity policies and practices, including patch timelines for critical vulnerabilities and the methods used to store credentials, reduces both the programmatic failings that threat actors capitalize on and a company’s exposure to allegations that such failings existed.
- Coordinate data security protection and response across business functions in line with assessed risk. The SEC is focused not only on disclosures but also on whether a company’s data protection protocols match the sensitivity of the data it stores and the actual risk of compromise. If corporate assessments indicate a significant risk of compromise to critical business assets, data security protocols should address those risks, and the risks should be assessed across business functions (e.g., legal, information technology, public relations). In Pearson’s case, the SEC determined that the breach was material because collecting and storing large quantities of private data on school-age children around the world was central to Pearson’s business model. Pearson’s Form 6-K even acknowledged that the company’s reputation and its ability to attract and retain revenue depended in part on its ability “to adequately protect personally identifiable information.” In other words, the intrusion was the actualization of a significant risk that Pearson itself had acknowledged in its Form 6-K.
[2] Pursuant to Section 8A of the Securities Act of 1933 and Section 21C of the Securities Exchange Act of 1934, which authorize cease-and-desist proceedings, Pearson agreed to cease and desist from committing or causing the violations identified in the Order.
[3] As noted in the June 24, 2021, Sidley Update on the First American action, the SEC is considering enhancing its disclosure rules concerning cybersecurity risk governance and has indicated a target release date of October 2021. See Cybersecurity Risk Governance, 3235-AM89, Securities and Exchange Commission (Spring 2021); SEC Announces Settled Charges Against First American for Cybersecurity Disclosure Controls Failures – Lessons Learned, Sidley Austin LLP (June 24, 2021) (discussing the SEC’s February 26, 2018, Commission Statement and Guidance on Public Company Cybersecurity Disclosures). See also SEC Issues New Guidance on Cybersecurity Disclosure Requirements, Sidley Austin LLP (Mar. 2, 2018).