Although the Securities and Exchange Commission (SEC) issued its guidance on cybersecurity disclosures in 2018, disclosures of data breaches in public filings are rare and, until 2021, very few enforcement matters had been pursued by the SEC. On August 30, 2021, the SEC announced three settlements with investment advisors related to alleged cybersecurity failures; on August 16, 2021, the SEC announced a settlement with Pearson plc (“Pearson”) for allegedly misleading investors about a 2018 cybersecurity breach; and on June 15, 2021, the SEC announced a settlement with First American Financial Corporation for disclosure controls and procedure violations related to an alleged cybersecurity vulnerability that exposed sensitive customer information.[1] All of these settlements reflect the SEC’s increased scrutiny of companies’ cybersecurity practices and disclosures.
When Data Breach Nondisclosure Results in Disclosure Control Violations
First American provides a case study on the necessity of implementing proper disclosure controls to address cybersecurity incidents. The SEC pursued a 2019 fine against real estate title insurance company First American Financial Corporation (“First American”) for $487,616.[2] In that case, the company omitted information that the SEC stated would have been “relevant to their assessment of the company’s disclosure response to the vulnerability and magnitude of the resulting risk.”
On May 24, 2019, a cybersecurity journalist informed First American of a vulnerability in an embedded application the company used for image sharing.[3] This vulnerability allowed a user to alter the digits in a URL to view documents to which they should not have had access, resulting in the exposure of some 800 million images going back to 2003, including social security numbers and other sensitive personal information. First American issued a press statement that same day and furnished a Form 8-K to the SEC days later, on May 28, 2019.[4] According to the SEC’s Cease & Desist Order (the First American Order), First American’s senior executives were unaware that their public statements left out relevant information, specifically the fact that the company’s information security personnel had identified the vulnerability months prior and had not remediated it in accordance with First American’s policies. According to the SEC, this failure to maintain disclosure controls and procedures resulted in information important to both investors and the SEC being left out of reports. In the First American Order, the SEC charged First American with violating Rule 13a-15(a) under the Exchange Act, and the company agreed to pay the nearly half-million dollar fine without admitting or denying the SEC’s findings.
When Data Breach Disclosures Result in Fraud Violations
The SEC’s decision in Pearson expanded beyond negligent disclosure controls to actual antifraud violations under Sections 17(a)(2) and 17(a)(3). In Pearson, the SEC brought charges in 2021 after Pearson issued a Form 6-K report for foreign issuers in July 2019 that referred to a data breach as a “hypothetical risk,” despite already knowing it had suffered a breach that compromised the records of millions of students in the United States.[5] Notably, the SEC also claimed that Pearson’s disclosure controls failed to inform those responsible for public statements. Without admitting or denying the SEC’s findings, the London-based educational services provider agreed to pay a $1 million fine and to cease and desist from any violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933; Section 13(a) of the Exchange Act of 1934; and Rules 12b-20, 13a-15(a) and 13a-16 thereunder, according to the complaint. This settlement forms part of a wider SEC initiative to crack down on inadequate internal controls, and companies should accordingly examine their procedures carefully.
According to the SEC’s Cease & Desist Order (the Pearson Order), Pearson used web-based software for tracking students’ academic performance called AIMSweb 1.0, a system it planned to retire in July 2019. School personnel logged into this system to view performance data, leaving their usernames and passwords, along with names, titles and work addresses, in the software data. In March 2019, Pearson became aware that hackers had downloaded passwords from AIMSweb 1.0, which they then used to obtain 11.5 million rows of student data, including names as well as some birthdays, along with 290,000 student emails.[6] According to the Pearson Order, the hackers were able to gain access through a vulnerability that Pearson had declined to patch in September 2018.
The Pearson Order specifies that Pearson then built a team for incident response and retained a third-party consultant to investigate the breach. In May 2019, Pearson drafted a statement that it planned to issue “in the event of a significant media inquiry,” but did not actually release any public statements about the breach. On July 19, 2019, Pearson mailed a breach notice to the 13,000 schools, districts and universities that made up the affected customer accounts, but the notice did not inform customers that their usernames and passwords had been stolen. Later that same month, the management team at Pearson declined to issue a public statement, instead issuing a six-month lookback statement that “implied no major data privacy or confidentiality breach had occurred.”[7]
A reporter reached out to Pearson on July 31, 2019 about the breach, only to be given the company’s May 2019 media statement. According to the Pearson Order, the statement had been updated to include a reference to AIMSweb 1.0, but it made no mention of the stolen usernames and passwords. Later that same day, Pearson posted a media statement to its website that the SEC called misleading for several reasons. First, as the Pearson Order states, rather than mention any data theft, Pearson characterized the incident as “unauthorized access.”[8] The statement also did not mention the exfiltration of usernames and passwords, and referred to the exfiltration of email addresses and birth dates as “hypothetical.”[9] Finally, the statement touted Pearson’s “strict data protections” and claimed Pearson had “no evidence that this information has been misused,”[10] characterizing the statement as merely a precautionary measure.
In the Pearson Order, the SEC states that Pearson’s disclosure controls and procedures failed to assess the incident they identified, and failed to inform relevant personnel of the full circumstances before they made disclosures. Pearson, without admitting or denying the SEC’s findings, agreed to cease and desist from committing or causing any violations and any future violations of the applicable securities laws, and to pay a $1 million penalty to the SEC.
Takeaways for Cybersecurity Disclosures
The Pearson settlement is another example of the SEC’s efforts to police the public disclosure of accurate information by companies that have suffered cyber incidents. Prior to 2021, the only major cybersecurity disclosure enforcement action was the SEC’s $35 million Altaba settlement for Yahoo’s failure to disclose a 2018 breach impacting more than half a billion Yahoo users.[11] In 2021, the SEC expanded the net with its Cease & Desist Orders in First American and Pearson.
In light of the significant measures the SEC is taking to ensure adequate disclosure of cyber incidents, and the possible regulatory action on the SEC’s regulatory agenda that could build on the SEC’s 2018 guidance,[12] companies should take a critical look at their disclosure controls related to cybersecurity risk, ensuring that procedures for testing and reporting function properly. Companies should further reinforce their internal controls to ensure that those responsible for crafting and delivering public statements are kept informed about the occurrence of cyber incidents, the requirements regarding disclosure and the enforcement of any insider trading prohibitions as a result of the breach. To that end, senior management should be involved in data management training so that crucial information from employees on the data frontline is not overlooked or misunderstood. Reporting parties must be careful not only to disclose incidents promptly, but also to describe them in a nonmisleading manner, so as not to attract potential charges from regulatory authorities. As Commissioner Roisman recently stated, “it has become increasingly important for market participants to work with counsel and other experts on preparing for potential cyber-attacks before they happen—that is, devising a plan for monitoring for cyber threats, responding to potential breaches and understanding when information must be reported outside the company and to whom.”[13]
Please contact a member of Akin Gump’s cybersecurity, privacy and data protection team if you have any questions about how this decision may impact your company or your company’s cybersecurity disclosure controls.
[1] U.S. Securities and Exchange Commission, Press Release, SEC Charges Pearson plc for Misleading Investors About Cyber Breach (August 16, 2021), available at https://www.sec.gov/news/press-release/2021-154.
[2] U.S. Securities and Exchange Commission, Press Release, SEC Charges Issuer with Cybersecurity Disclosure Controls Failures (June 15, 2021), available at https://www.sec.gov/news/press-release/2021-102.
[5] Pearson at 1.
[6] Pearson plc, Release No. 10963 (August 16, 2021), available at https://www.sec.gov/litigation/admin/2021/33-10963.pdf.
[7] Id. at 3.
[8] Id. at 4.
[11] U.S. Securities and Exchange Commission, Press Release, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (April 24, 2018), available at https://www.sec.gov/news/press-release/2018-71.
[13] Elad L. Roisman, Commissioner, SEC, Speech Before the Los Angeles County Bar Association: Cybersecurity: Meeting the Emerging Challenge (Oct. 29, 2021), available at https://www.sec.gov/news/speech/roisman-cybersecurity-102921#.