It’s déjà vu all over again! On Monday, the SEC announced settled charges against Pearson plc, an NYSE-listed, educational publishing and services company based in London, for failure to disclose a cybersecurity breach. You might recall that just a few months ago, the SEC announced settled charges against another company for failure to timely disclose a cybersecurity vulnerability that led to a leak of data, with disclosure ultimately spurred by imminent media reports. Is there a trend here? In this instance, it wasn’t just a vulnerability—there was an actual known breach and exfiltration of private data. Nevertheless, Pearson decided not to disclose it and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed that disclosure as misleading and imposed a civil penalty on Pearson of $1 million. The case serves as yet another reminder of the dangers of risk disclosures presented as hypothetical when those risks have actually come to fruition—a presentation that has now repeatedly drawn scrutiny in the context of cybersecurity disclosure.
Pearson provides “educational publishing and other services to schools and universities,” such as “academic performance assessment services to school districts in the United States.” Its web-based software allowed schools to enter, track, update and view students’ academic performance and included, in addition to student data, the names, titles and work addresses of school personnel along with their usernames and “hashed passwords.”
As described in the SEC’s Order, in September 2018, Pearson was advised by one of its software manufacturers of a critical vulnerability in its software and notified of the availability of a patch to fix it. Pearson, however, failed to implement the patch. In March 2019, the company learned that a “sophisticated threat actor” used the unpatched vulnerability to access and download millions of rows of data, including exfiltration of all school district personnel usernames and hashed passwords, as well as 11.5 million rows of student data, half of which contained the students’ dates of birth and, for a much smaller subset, students’ email addresses. While the passwords were “hashed,” unfortunately, they “were scrambled using an algorithm that had become outdated for protecting passwords.” After the breach, Pearson implemented the patch and engaged a consultant to conduct an investigation, but “decided that it was not necessary to issue a public statement regarding the incident.” Instead, Pearson mailed a notice to its customer accounts and prepared a media statement to have ready in case of media inquiry.
In July, just prior to the submission of its Form 6-K reporting its six-months interim results, Pearson management again made the decision that it was unnecessary to disclose the incident. Accordingly, in the risk factors section of that report, Pearson did not disclose the breach, but instead left its previous cybersecurity risk factor unchanged. That risk factor described the risk as purely hypothetical: a “[r]isk of a data privacy incident or other failure to comply with data privacy regulations and standards and/or a weakness in information security, including a failure to prevent or detect a malicious attack on our systems, could result in a major data privacy or confidentiality breach causing damage to the customer experience and our reputational damage, a breach of regulations and financial loss.” According to the SEC, this statement “implied that no ‘major data privacy or confidentiality breach’ had occurred,” when Pearson was well aware of the breach and “failed to consider how certain information about that breach should have informed this risk disclosure.”
On July 31, a national media reporter contacted Pearson about a pending article regarding the breach, and the company gave the reporter its prepared statement and posted it on its website. According to the Order, the prepared statement included several misleading statements, such as referring to the event as “unauthorized access” when data had actually been exfiltrated, and again presenting some of the information as hypothetical, i.e., stating that the information “may include date of birth and/or email address,” when it was known that a large portion of the data did include that information. In light of Pearson’s failure to timely patch the critical vulnerability and its use of an outdated hashing algorithm, the SEC even took issue with Pearson’s statement that “Protecting our customers’ information is of critical importance to us. We have strict data protections in place and have reviewed this incident, found and fixed the vulnerability.” The SEC viewed Pearson’s data breach to be material in part because Pearson’s “reputation and ability to attract and retain revenue depended in part on its ability to adequately protect personally identifiable,” particularly data on school-age children around the world.
The day following issuance of Pearson’s media statement, its stock price dropped by 3.3%.
The Order noted that Pearson was engaged in an ongoing employee offering during this time. In addition, the SEC concluded that Pearson failed to maintain adequate disclosure controls and procedures because its procedures surrounding the Form 6-K and media statement “failed to inform relevant personnel of certain information about the circumstances surrounding the breach,” especially since Pearson had “identified the potential for improper access to such data as a significant risk.”
The SEC charged Pearson with fraud in the offer and sale of securities under Section 17(a)(2) and (3) of the Securities Act, which are negligence-based prohibitions and do not require a showing of scienter; violation of Section 13(a) of the Exchange Act, which requires foreign issuers to furnish periodic reports that are accurate and not misleading; and violation of Rule 13a-15(a), which requires issuers to maintain adequate disclosure controls and procedures. The SEC imposed a civil money penalty of $1 million.
For more information about securities litigation, see the Cooley Securities Litigation and Enforcement blog.