October 28, 2021

Volume XI, Number 301

SEC Is Still Cyber Serious About Disclosures

On the heels of the First American enforcement action and settlement, this week, the SEC announced a settlement with Pearson plc in connection with a 2018 cyber breach. The SEC disclosed that Pearson, a London-based educational company, agreed to pay a $1 million penalty to settle charges that it misled investors about a breach involving the theft of millions of student records.  The SEC’s First American and Pearson settlements highlight the agency’s increased focus on cybersecurity-related disclosures and should be nothing short of a wake-up call to all publicly traded companies.

In March 2019, the FBI notified Pearson that data stored on one of its servers had been accessed and downloaded by an attacker exploiting an unpatched vulnerability on that server. The software vendor had rated the vulnerability critical the previous September, and although a patch was available, the SEC alleges that Pearson did not apply it until after it learned of the breach.

Pearson assembled an incident response team and retained an outside vendor to investigate the breach. Analysis of the stolen data provided to Pearson showed that school administrator usernames and passwords had been exfiltrated, along with student names, dates of birth, and email addresses. Pearson filed its semi-annual financial report with the SEC on July 26, 2019 and published a media statement a week later. The SEC found that Pearson made misleading statements and omissions in both of these public statements.

According to the agency, Pearson’s 2019 semi-annual financial report referred to a data privacy incident as a “hypothetical risk, when, in fact, the 2019 cyber intrusion had already occurred.” In the media statement issued that same month, Pearson stated that the breach “may” include dates of birth and email addresses, when the company already knew that such records had been stolen. The same statement also omitted that millions of student records, along with administrator usernames and passwords, had been taken. As the SEC noted, the breach was material because the company acknowledged in its own risk disclosures that its reputation and its ability to retain and grow revenue depended on its ability to protect personally identifiable information. The SEC also focused on Pearson’s statement that the company had “strict protections” in place, when in fact it took the company six months to patch the vulnerability. As in First American, the SEC also found that Pearson lacked processes to ensure that information about the breach and the state of its security controls reached the people responsible for the company’s disclosures.

“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company's data protections,” said the Chief of the SEC Enforcement Division's Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

As the top U.S. markets watchdog steps up enforcement around data breach and cybersecurity disclosures, public companies should consider several proactive measures:

  • Review public disclosures and statements to confirm risk is described accurately;

  • Be careful using conditional language when describing a breach to avoid misleading investors;

  • Avoid making strong statements about data security posture that cannot be supported by evidence (in addition to SEC enforcement, statements that mischaracterize security controls can also draw scrutiny from the FTC); and

  • Ensure that controls are in place that promptly escalate cyber incidents to those in charge of SEC reports so that proper disclosures are made.

The Pearson and First American orders will likely be followed by further SEC enforcement actions comparing what companies knew about data breaches with what their cybersecurity disclosures said. So far, the SEC has been fairly patient with public companies as a whole, as cyber risk disclosures have become more detailed and sophisticated. Indeed, this July the SEC conducted a far-reaching enforcement sweep of SolarWinds customers, offering conditional amnesty to those who took corrective action and disclosed any material impact of the 2020 SolarWinds supply-chain compromise. These recent orders, however, suggest that the SEC is willing to take a more assertive posture when companies limit their cyber disclosures to “general risks” and fail to own up to actual cyber incidents and the specific risks they create.

© 2021 Bracewell LLP
National Law Review, Volume XI, Number 231

About the Authors

Philip J. Bezanson, Managing Partner, Seattle

Philip J. Bezanson's practice focuses on white collar criminal defense, internal investigations, securities enforcement and regulatory matters.

Mr. Bezanson is a member of the Bracewell & Giuliani LLP team that has represented corporate and individual clients in recent high-profile and complex cases, including the Deepwater Horizon explosion, the George Washington Bridge lane closure and General Motors ignition switch investigations, "Pay to Play" cases in New York, New Mexico and Illinois, the stock options backdating cases, and a variety...

212-508-6138
Seth DuCharme, Partner

Seth DuCharme draws on his 14 years of experience as a senior-level law enforcement officer to advise companies and individuals on cases involving cybersecurity and breach response, Foreign Corrupt Practices Act (FCPA) diligence and litigation, export controls, sanctions compliance and anti-money laundering.

Seth served in the United States Attorney’s Office for the Eastern District of New York from 2008 through 2021. He held various positions at the Eastern District, including Chief of the Criminal Division, Chief of the National Security & Cybercrime Section, and Acting United...

212-508-6165
Matthew G. Nielsen, Partner

Matthew Nielsen has over 17 years of experience defending corporations, corporate executives and employees, and securities industry professionals in civil and criminal investigations, as well as securities investigations and litigation. He represents US and international clients on matters related to federal and state securities laws, US export controls and sanctions laws and regulations, Foreign Corrupt Practices Act, whistleblower complaints, accounting fraud and healthcare fraud.

He regularly practices before state and federal regulatory and law enforcement...

214 758 1039
Brittney Justice, Associate

Brittney Justice represents clients across a range of industries in litigation and government enforcement and investigations in federal and state courts. She provides advice on diverse matters, including securities litigation, complex commercial disputes, environmental claims and government investigations. 

Prior to joining Bracewell, Brittney was a legal intern with Texas’ First Court of Appeals.

202.828.1744
Claire Cahoon, Associate

Claire Cahoon focuses her practice on complex commercial litigation and appeals. Prior to joining Bracewell, Claire served as a legal extern in the United States Attorney’s Office for the Northern District of Texas.

Education

Southern Methodist University Dedman School of Law, J.D.

2020 - magna cum laude

University of Southern California, B.A.

2016 - magna cum laude

Bar Admissions

Texas

Languages

Spanish — proficient

713.221.1428