



Careful and truthful reporting of a data breach should be a must for any business. But nowhere is this more true than for publicly traded companies. A recent Securities and Exchange Commission Order highlights how costly inaccuracies and omissions in reporting data breaches can be for listed companies. On August 16, 2021, the SEC announced a settlement with Pearson plc, a UK-based listed multinational educational publishing company. Pearson trades on the London Stock Exchange under the symbol PSON, and its American Depository Receipts trade on the New York Stock Exchange under the symbol PSO. The SEC accused Pearson of making misleading statements and omissions about a 2018 data breach involving the theft of student data and administrator logins from 13,000 school district and university accounts. Pearson agreed to pay $1 million to settle the SEC’s charges. Pearson learned in March 2019 that a cyber intrusion had affected data stored on the server of its web product, AIMSweb 1.0. A “sophisticated threat actor” (read: a hacker) had, in 2018, viewed and downloaded student usernames and passwords and 11.5 million rows of data, including birthdates and e-mail addresses of students and school district staff. In September 2018, the software maker had notified Pearson of a vulnerability in its software and made a patch available to Pearson. Pearson failed to apply the software patch that fixed the vulnerability until March 2019, when it confirmed the data had been stolen. Compounding its error, Pearson sent a notice to affected users in July 2019 in which it failed to tell them that their usernames and passwords had been stolen. That same month, in Pearson’s semi-annual SEC filing, Pearson described the incident as a “hypothetical risk,” despite knowing that the breach had actually occurred.
Later, in a media statement, Pearson said the breach “may have” included student birthdates and email addresses, and touted its “strict protections” for data privacy, despite knowing that it had left the software vulnerability unpatched for months. It is not difficult to infer why the SEC accused Pearson of violating the anti-fraud provisions of Sections 17(a)(2) and (a)(3) of the Securities Act of 1933 and the reporting provisions of Section 13(a) of the Securities Exchange Act of 1934, among other violations. Pearson offered, and the SEC agreed, to pay a civil fine of $1 million. Pearson also agreed to cease and desist from any further violation of Sections 17(a)(2) and (a)(3). The SEC order came just over a year after a federal judge in the United States District Court for the Northeast District dismissed a putative class action lawsuit against Pearson, finding that the putative plaintiffs did not have standing to sue Pearson for the theft of student email addresses. The court noted in its order that the e-mail addresses were “not sensitive enough to significantly increase the risk of identity theft”, and therefore that the plaintiffs’ argument that personal data had been compromised was “too speculative to confer standing.” While standing issues may allow listed companies to avoid class action lawsuits by plaintiffs – for now – in some jurisdictions, the SEC order makes it clear that the SEC is closely monitoring disclosures of data breaches. The Pearson Order demonstrates the critical importance of accurate disclosures of data breaches, both internally within companies and then externally to the general public. Pearson’s will not be the last such order.

