October 16, 2021

Volume XI, Number 289

SEC Fine Highlights Importance of Cybersecurity Disclosures

The SEC recently announced a settlement with Pearson plc in which the company agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber incident. According to the order, Pearson's July 2019 semi-annual report contained misleading statements and omissions about a 2018 data breach involving the theft of student data and administrator credentials.

Pearson is a UK-based education and publishing company that provides services to both K-12 schools and universities. As part of those services, school administrators are given login credentials, and 13,000 of those credentials, as well as student emails and dates of birth, were impacted in the cyber incident. Pearson learned of the incident in March 2019, and four months later, after its investigation, notified impacted individuals. Pearson’s management determined that no public statement needed to be issued, and the day after the board met (and seven days after notice was sent to impacted individuals), the company issued its semi-annual report (Form 6-K). The report did not mention the cyber incident and instead referred to data privacy incidents as a hypothetical risk, mirroring language from past reports. After issuing its 6-K, Pearson was contacted by a national media outlet about the incident, and only then did it release a statement to the media and post information about the incident to its website.

The SEC cited Pearson with violations of the Securities Act and the Exchange Act for failure to have appropriate processes and procedures around the drafting of its Form 6-K Risk Factor disclosures, for misleading and inaccurate details in its disclosures, and for omitting key details about the incident (such as the volume and type of data impacted) in its media statement. While Pearson did not admit wrongdoing, it agreed to pay a $1 million penalty as part of the settlement.

Putting it into Practice. This case highlights the importance of appropriately analyzing incidents and assessing their materiality to determine whether they need to be disclosed in company filings. Companies would be well served to review their controls and procedures, including how incidents are reported to management, what processes management has in place for analyzing materiality, and how their disclosures can quickly and effectively be modified or updated as the result of an incident.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 237

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Kari Rollins Intellectual Property Lawyer Sheppard
Partner

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

212.634.3077