Series of SEC Decisions Highlight Risks of Nondisclosure of Cybersecurity Threats

Nov 1, 2021


When Data Breach Nondisclosure Results in Disclosure Control Violations

First American provides a case study in the necessity of implementing proper disclosure controls for cybersecurity incidents. In June 2021, the SEC settled charges against real estate title insurance company First American Financial Corporation (“First American”) over a 2019 incident, with First American paying a $487,616 penalty.2 According to the SEC, the company’s public statements omitted information that would have been “relevant to their assessment of the company’s disclosure response to the vulnerability and magnitude of the resulting risk.”

On May 24, 2019, a cybersecurity journalist informed First American of a vulnerability in a web application the company used to share document images.3 The vulnerability allowed anyone who altered the digits in a URL to view documents to which they should not have had access (an insecure direct object reference), exposing some 800 million document images dating back to 2003, including Social Security numbers and other sensitive personal information. First American issued a press statement that same day and furnished a Form 8-K to the SEC days later, on May 28, 2019.4 According to the SEC’s Cease & Desist Order (the First American Order), First American’s senior executives were unaware that their public statements left out relevant information, specifically that the company’s information security personnel had identified the vulnerability months earlier and had not remediated it in accordance with First American’s policies. According to the SEC, this failure to maintain disclosure controls and procedures resulted in information important to both investors and the SEC being left out of the company’s reports. In the First American Order, the SEC charged First American with violating Rule 13a-15(a) under the Exchange Act, and the company agreed to pay the nearly half-million dollar penalty without admitting or denying the SEC’s findings.
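As an added illustration, not taken from the SEC order or from First American’s system, the following Python shows the class of flaw described above, an insecure direct object reference, with the vulnerable document handler beside its hardened form and a simple access-log check for the ID enumeration such a flaw invites. The document store, user names, IP addresses and log lines are constructed for the example.

```python
"""Added example (not from the original article): an insecure direct object
reference (IDOR) on sequential document IDs, its hardened form, and a detector
for ID-walking in access logs. All data below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed store with sequential IDs, as exposed in a URL such as /docs?id=1002.
DOCS = {
    1001: Document(1001, "alice", "closing statement for alice"),
    1002: Document(1002, "bob", "wire instructions for bob"),
    1003: Document(1003, "carol", "deed for carol"),
}


class NotFound(Exception):
    """Raised for both missing and unauthorized documents (see below)."""


def get_document_vulnerable(doc_id: int, requester: str) -> Document:
    """Vulnerable: the only check is that the ID exists. Whoever edits the digits
    in the URL reads another customer's document; `requester` is ignored."""
    try:
        return DOCS[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def get_document_hardened(doc_id: int, requester: str) -> Document:
    """Hardened: authorization is evaluated per object, and a document that is
    missing and one the requester may not see produce the same error, so the
    response does not reveal which IDs exist."""
    doc = DOCS.get(doc_id)
    if doc is None or doc.owner != requester:
        raise NotFound(doc_id)
    return doc


def access_denied(handler, doc_id: int, requester: str) -> bool:
    """True if `handler` refuses to return the document to `requester`."""
    try:
        handler(doc_id, requester)
    except NotFound:
        return True
    return False


# Constructed access-log lines: "<timestamp> <client ip> GET /docs?id=<n> <status>".
SAMPLE_LOG = [
    "2019-05-20T10:00:01Z 192.0.2.10 GET /docs?id=1001 200",
    "2019-05-20T10:00:09Z 192.0.2.10 GET /docs?id=1001 200",
    "2019-05-20T10:01:00Z 198.51.100.7 GET /docs?id=1001 200",
    "2019-05-20T10:01:01Z 198.51.100.7 GET /docs?id=1002 200",
    "2019-05-20T10:01:02Z 198.51.100.7 GET /docs?id=1003 200",
    "2019-05-20T10:01:03Z 198.51.100.7 GET /docs?id=1004 404",
    "2019-05-20T10:02:00Z 203.0.113.5 GET /docs?id=1003 200",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) GET /docs\?id=(?P<id>\d+) (?P<status>\d{3})$")


def find_enumerators(log_lines, min_run: int = 4) -> set:
    """Return client IPs that requested at least `min_run` consecutive document
    IDs in ascending order, the signature of someone walking the ID space."""
    ids_by_ip = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].append(int(m["id"]))
    flagged = set()
    for ip, ids in ids_by_ip.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    print("vulnerable handler, alice asks for bob's doc:",
          get_document_vulnerable(1002, "alice").body)
    print("hardened handler, alice asks for bob's doc denied:",
          access_denied(get_document_hardened, 1002, "alice"))
    print("clients walking sequential IDs:", find_enumerators(SAMPLE_LOG))
```

The hardened handler is the remediation the order describes First American as having failed to carry out in time; the log check is the kind of monitoring that would have surfaced exploitation before a journalist did. Sequential IDs remain a weak design even with the authorization check, since they still let an attacker gauge how many documents exist; random or signed identifiers remove that signal.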

When Data Breach Disclosures Result in Fraud Violations

The SEC’s decision in Pearson went beyond deficient disclosure controls to antifraud violations under Sections 17(a)(2) and 17(a)(3) of the Securities Act. In Pearson, the SEC brought charges in 2021 after Pearson furnished a Form 6-K (the report used by foreign private issuers) in July 2019 that referred to a data breach as a “hypothetical risk,” despite already knowing it had suffered a breach that compromised the records of millions of students in the United States.5 Notably, the SEC also found that Pearson’s disclosure controls failed to inform those responsible for public statements. Without admitting or denying the SEC’s findings, the London-based educational services provider agreed to pay a $1 million penalty and to cease and desist from any violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933; Section 13(a) of the Securities Exchange Act of 1934; and Rules 12b-20, 13a-15(a) and 13a-16 thereunder, according to the order. This settlement forms part of a wider SEC initiative to crack down on inadequate internal controls, and companies should accordingly examine their procedures carefully.

According to the SEC’s Cease & Desist Order (the Pearson Order), Pearson used web-based software for tracking students’ academic performance called AIMSweb 1.0, a system it planned to retire in July 2019. School personnel logged into this system to view performance data, and their usernames and passwords, along with their names, titles and work addresses, were stored in the software’s data. In March 2019, Pearson became aware that attackers had downloaded those credentials from AIMSweb 1.0 and used them to obtain 11.5 million rows of student data, including names and, for some students, birthdays, along with some 290,000 student email addresses.6 According to the Pearson Order, the attackers gained access through a critical vulnerability for which a patch had been available since September 2018 but which Pearson had not applied.

The Pearson Order specifies that Pearson then assembled an incident response team and retained a third-party consultant to investigate the breach. In May 2019, Pearson drafted a statement that it planned to issue “in the event of a significant media inquiry,” but it did not actually release any public statement about the breach. On July 19, 2019, Pearson mailed a breach notice to the 13,000 schools, districts and universities that made up the affected customer accounts, but the notice did not tell customers that their usernames and passwords had been stolen. Later that same month, Pearson’s management declined to issue a public statement and instead furnished its semi-annual report covering the preceding six months, which “implied no major data privacy or confidentiality breach had occurred.”7

A reporter contacted Pearson on July 31, 2019 about the breach and was given the company’s May 2019 media statement. According to the Pearson Order, the statement had been updated to include a reference to AIMSweb 1.0, but it made no mention of the stolen usernames and passwords. Later that same day, Pearson posted a media statement to its website that the SEC called misleading for several reasons. First, as the Pearson Order states, rather than mention any data theft, Pearson characterized the incident as “unauthorized access.”8 The statement also omitted the exfiltration of usernames and passwords, and referred to the exfiltration of email addresses and birth dates as “hypothetical.”9 Finally, the statement touted Pearson’s “strict data protections” and claimed Pearson had “no evidence that this information has been misused,”10 presenting the notification as merely a precautionary measure.

In the Pearson Order, the SEC states that Pearson’s disclosure controls and procedures failed to assess the incident they identified, and failed to inform relevant personnel of the full circumstances before they made disclosures. Pearson, without admitting or denying the SEC’s findings, agreed to cease and desist from committing or causing any violations and any future violations of the applicable securities laws, and to pay a $1 million penalty to the SEC.

Takeaways for Cybersecurity Disclosures

The Pearson settlement is another example of the SEC’s efforts to police the accuracy of public disclosures by companies that have suffered cyber incidents. Prior to 2021, the only major cybersecurity disclosure enforcement action was the SEC’s 2018 settlement with Altaba (formerly Yahoo) for $35 million over Yahoo’s failure to disclose a 2014 breach affecting more than half a billion user accounts.11 In 2021, the SEC widened the net with its Cease & Desist Orders in First American and Pearson.

In light of the significant measures the SEC is taking to ensure adequate disclosure of cyber incidents, and the possible rulemaking on the SEC’s regulatory agenda that could build on its 2018 guidance,12 companies should take a critical look at their disclosure controls related to cybersecurity risk and confirm that the procedures for escalating and reporting incidents to those who make disclosure decisions actually work. Companies should further reinforce their internal controls so that those responsible for crafting and delivering public statements are kept informed of cyber incidents as they occur, of the applicable disclosure requirements and of any insider trading restrictions that follow from a breach. To that end, senior management should take part in incident-handling training so that crucial information from the employees closest to the data is not overlooked or misunderstood. Reporting parties must be careful not only to disclose incidents promptly but also to describe them in a non-misleading manner, so as not to attract regulatory action. As Commissioner Roisman recently stated, “it has become increasingly important for market participants to work with counsel and other experts on preparing for potential cyber-attacks before they happen—that is, devising a plan for monitoring for cyber threats, responding to potential breaches and understanding when information must be reported outside the company and to whom.”13

Please contact a member of Akin Gump’s cybersecurity, privacy and data protection team if you have any questions about how these decisions may affect your company or its cybersecurity disclosure controls.


1 U.S. Securities and Exchange Commission, Press Release, SEC Charges Pearson plc for Misleading Investors About Cyber Breach, (August 16, 2021), available at https://www.sec.gov/news/press-release/2021-154.

2 U.S. Securities and Exchange Commission, Press Release, SEC Charges Issuer with Cybersecurity Disclosure Controls Failures (June 15, 2021), available at https://www.sec.gov/news/press-release/2021-102.

3 Id.

4 Id.

5 Pearson at 1.

6 Pearson plc, Release No. 10963, (August 16, 2021), available at https://www.sec.gov/litigation/admin/2021/33-10963.pdf.

7 Id. at 3.

8 Id. at 4.

9 Id.

10 Id.

11 U.S. Securities and Exchange Commission, Press Release, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (April 24, 2018), available at https://www.sec.gov/news/press-release/2018-71.

12 SEC Announces Annual Regulatory Agenda (June 11, 2021), available at https://www.sec.gov/news/press-release/2021-99.

13 Elad L. Roisman, Commissioner, SEC, Speech Before the Los Angeles County Bar Association: Cybersecurity: Meeting the Emerging Challenge (Oct. 29, 2021) available at https://www.sec.gov/news/speech/roisman-cybersecurity-102921#.
