SEC Cybersecurity Enforcement Action Underscores Why Cybersecurity Whistleblower Disclosures Should be Protected under SOX
There is mixed authority on whether the Sarbanes-Oxley whistleblower protection law protects disclosures about inadequate cybersecurity. Last year, in an unpublished decision, the Third Circuit held that SOX does not protect disclosures about information security vulnerabilities. In that case, the employee identified and pressed for the resolution of concerns about access authorization and server stability. At trial, he argued that he reasonably believed those concerns evidenced an undisclosed material weakness in internal controls and could have led to inaccurate financial reporting, in violation of SEC rules. The court disagreed, reasoning that the employee’s disclosures did not relate to any of the enumerated laws within the ambit of Sarbanes-Oxley Act protected conduct.
Some cybersecurity whistleblowers, however, have fared better in persuading judges that SOX protects whistleblowing about deficient information security controls. See, e.g., Prioleau v. Sikorsky Aircraft Corp., ARB Case No. 10-060 (ARB Nov. 9, 2011) (holding that disclosures about deficient information security are protected under SOX).
The SEC’s recent enforcement action against Pearson plc, for misleading investors about a cyber-intrusion and for failing to maintain adequate disclosure controls and procedures, suggests that whistleblowing about cybersecurity at a public company implicates violations of SEC rules and therefore should be deemed protected conduct under SOX.
Pearson Cybersecurity Enforcement Action
The SEC took enforcement action against Pearson, a London-based public company that provides educational publishing and other services to schools and universities, primarily because it made misleading statements and omissions about a 2018 data breach caused by a vulnerability on a server that permitted a sophisticated cyberthreat actor to steal student personal data and other sensitive information, including usernames and passwords. Although the server’s software manufacturer identified a significant vulnerability in September 2018 and informed Pearson of a patch for the vulnerability that same month, Pearson did not implement the patch until March 2019, after Pearson discovered the data breach. Pearson chose not to make a public statement about the breach, and in its July 2019 semi-annual report discussed a data privacy attack as a hypothetical risk, falsely implying that a data breach had not yet occurred.
The breach was material in that Pearson’s business entailed the collection and storage of large quantities of private data on school-age children and, as it acknowledged in its risk disclosures, Pearson’s reputation and ability to attract and retain revenue depended in part on its ability “to adequately protect personally identifiable information.” This breach involved the compromise of a server holding a large quantity of data Pearson was responsible for protecting and the exfiltration of a significant number of student names, dates of birth, and email addresses, as well as school administrator login credentials.
Pearson disclosed the breach to investors only after it was contacted by the media, and when it disclosed the breach in July 2019, Pearson made misstatements about the nature of the breach and the type of data involved. It failed to disclose the fact that student data, usernames, and passwords had been stolen.
The SEC also took enforcement action against Pearson due to the company’s insufficient disclosure controls and procedures. For example, although protecting student and user data is critical to Pearson’s business, and Pearson had identified the potential for improper access to such data as a significant risk, it failed to make appropriate disclosures in its July 2019 Form 6-K Risk Factor disclosures and its July 31, 2019 media statement.
In a press release, Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit stated that “[a]s public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
Pearson’s Violations of SEC Rules
The order settling the SEC’s charges against Pearson identifies three violations of securities law:
Sections 17(a)(2) and 17(a)(3) of the Securities Act, which make it unlawful for any person in the offer or sale of any securities by the use of any means or instruments of transportation or communication in interstate commerce or by use of the mails, directly or indirectly, to obtain money or property by means of any untrue statement of a material fact or any omission to state a material fact necessary in order to make the statements made, in light of the circumstances under which they were made, not misleading; or to engage in any transaction, practice, or course of business which operates or would operate as a fraud or deceit upon the purchaser;
Section 13(a) of the Exchange Act, which requires every foreign issuer of a security registered pursuant to Section 12 of the Exchange Act to furnish the Commission with periodic reports containing information that is accurate and not misleading; and
Rule 13a-15(a) of the Exchange Act, which requires every issuer to maintain disclosure controls and procedures designed to ensure that information required to be disclosed by an issuer in reports it files or furnishes is recorded, processed, summarized, and reported, within the time period specified in the SEC’s rules and forms.
Whistleblower disclosures about inadequate information security can also implicate the following SEC rules:
Item 503(c) of SEC Regulation S-K, which requires a corporation to disclose risk factors and discuss the most significant factors that make an offering speculative or risky, including the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky;
SEC Rule 10b-5, which prohibits public disclosures that misstate or omit material facts in connection with the purchase or sale of any security; and
Section 404 of SOX, which requires a corporation to assess the effectiveness of its internal controls in its annual reports and identify material weaknesses in these internal controls, including information security controls.
Implications for Cybersecurity Whistleblowers
As inadequate cybersecurity and attempts to conceal data breaches harm shareholders at public companies, it is critical to protect cybersecurity whistleblowers against retaliation. Although there are decisions denying SOX whistleblower protection to cybersecurity whistleblowers, the enforcement action against Pearson illustrates how cybersecurity disclosures implicate potential violations of SEC rules and why such disclosures should be deemed SOX-protected conduct.