It’s déjà vu all over again! On Monday, the SEC announced settled charges against Pearson plc, an NYSE-listed educational publishing and services company based in London, for failure to disclose a cybersecurity breach. You might recall that just a few months ago, the SEC announced settled charges against another company for failure to timely disclose a cybersecurity vulnerability that led to a leak of data, with disclosure ultimately spurred by imminent media reports. Is there a trend here? In this instance, it wasn’t just a vulnerability—there was an actual known breach and exfiltration of private data. Nevertheless, Pearson decided not to disclose it and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed that disclosure as misleading and imposed a civil penalty on Pearson of $1 million. The case serves as yet another reminder of the dangers of risk disclosures presented as hypothetical when those risks have actually come to fruition—a presentation that has now repeatedly drawn scrutiny in the context of cybersecurity disclosure.
In In re Alphabet Securities Litigation, the State of Rhode Island, as lead plaintiff, filed a Rule 10b-5 action against Google LLC, its holding company Alphabet, Inc., and certain executives, alleging that the defendants failed to timely disclose certain cybersecurity defects and vulnerabilities. The district court granted defendants’ motion to dismiss the complaint, but on appeal, a three-judge panel of the 9th Circuit reversed in part, holding that the complaint “plausibly alleged” that the decision to omit information about these cybersecurity vulnerabilities “significantly altered the total mix of information available for decision-making by a reasonable investor” and that scienter—intent to deceive, manipulate or defraud—was adequately alleged. Importantly, the Court held that the complaint contained a plausible allegation that Alphabet’s omission was materially misleading: its risk factor discussion of cybersecurity was framed in the hypothetical, while, it was alleged, the “hypothetical” events had in fact already come to fruition. The case serves as a reminder of a couple of now-familiar themes. First, companies need to regularly review their risk factor disclosures, even when—or perhaps especially when—they are incorporating them by reference, to ensure that they have been appropriately updated to reflect actual events that may have made the risks described as merely hypothetical no longer so. Second, this case represents another recent instance of allegations of failure to disclose the discovery of a material cybersecurity “vulnerability”—in the absence of a cyberattack—with disclosure ultimately compelled by the publication of an article exposing the defects. It’s another reminder that companies need to be vigilant for potential disclosure obligations about cybersecurity that might arise outside the context of cyberattacks and hacks, in the more-difficult-to-assess context of cybersecurity vulnerabilities.