Last week, the SEC announced settled charges against Blackbaud, Inc., a provider of donor data management software to non-profit organizations, for misleading disclosures and disclosure control failures. According to the SEC, in May 2020, employees at the company discovered evidence of a ransomware attack. After an investigation, the company announced the incident and advised affected customers—specifying that sensitive donor data was not involved. But just a couple of weeks later, the SEC alleged, company personnel learned that the attacker had, in fact, accessed sensitive donor data for a number of customers—including bank account and social security numbers. But—you guessed it—it’s disclosure controls again! The personnel with knowledge of the scope of the breach “did not communicate this to Blackbaud’s senior management responsible for disclosures, and the company did not have policies or procedures in place designed to ensure they do so.” As a result, the SEC claimed, the company filed a Form 10-Q that still omitted mention of the exfiltration of sensitive donor data and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed Blackbaud’s disclosure as misleading and its disclosure controls as inadequate and imposed a civil penalty of $3 million. According to the Chief of SEC Enforcement’s Crypto Assets and Cyber Unit, “Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous…. Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”
It’s déjà vu all over again! On Monday, the SEC announced settled charges against Pearson plc, an NYSE-listed educational publishing and services company based in London, for failure to disclose a cybersecurity breach. You might recall that just a few months ago, the SEC announced settled charges against another company for failure to timely disclose a cybersecurity vulnerability that led to a leak of data, with disclosure ultimately spurred by imminent media reports. Is there a trend here? In this instance, it wasn’t just a vulnerability—there was an actual known breach and exfiltration of private data. Nevertheless, Pearson decided not to disclose it and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed that disclosure as misleading and imposed a civil penalty on Pearson of $1 million. The case serves as yet another reminder of the dangers of risk disclosures presented as hypothetical when those risks have actually come to fruition—a presentation that has now repeatedly drawn scrutiny in the context of cybersecurity disclosure.
In In re Alphabet Securities Litigation, the State of Rhode Island, as lead plaintiff, filed a Rule 10b-5 action against Google LLC, its holding company Alphabet, Inc., and certain executives, alleging that the defendants failed to timely disclose certain cybersecurity defects and vulnerabilities. The district court granted defendants’ motion to dismiss the complaint, but on appeal, a three-judge panel of the 9th Circuit reversed in part, holding that the complaint “plausibly alleged” that the decision to omit information about these cybersecurity vulnerabilities “significantly altered the total mix of information available for decision-making by a reasonable investor” and that scienter—intent to deceive, manipulate or defraud—was adequately alleged. Importantly, the Court held that the complaint contained a plausible allegation that Alphabet’s omission was materially misleading: its risk factor discussion of cybersecurity was framed in the hypothetical, while, it was alleged, the “hypothetical” events had in fact already come to fruition. The case serves as a reminder of a couple of now-familiar themes: companies need to regularly review their risk factor disclosures, even when—or perhaps especially when—they are incorporating them by reference, to ensure that they have been appropriately updated to reflect actual events that may have made the risks described as merely hypothetical no longer so. It’s also notable that this case represents the second recent instance of allegations of failure to disclose the discovery of a material cybersecurity “vulnerability”—in the absence of a cyberattack—with disclosure ultimately compelled by the publication of an article exposing the defects. It’s another reminder that companies need to be vigilant for potential disclosure obligations about cybersecurity that might arise outside the context of cyberattacks and hacks—in the more-difficult-to-assess context of cybersecurity vulnerabilities.