KMK Law Corporate & Securities Blog

On August 16, 2021, the Securities and Exchange Commission imposed a cease-and-desist order and a $1 million civil penalty on Pearson plc, finding violations of the negligence-based antifraud provisions of the Securities Act.

The Commission’s order finds that Pearson made misleading statements and omissions about a 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. The order notes that while Pearson’s periodic filings with the Commission contained risk-factor disclosure identifying that “malicious attack[s] on our systems” could result in a “‘major data privacy or confidentiality breach,’” the company re-issued that risk-disclosure language without disclosing that precisely such a major breach had occurred just a few months earlier. The SEC also found that Pearson’s response to media inquiries concerning the breach was materially misleading, because its press statement downplayed the scale and seriousness of the breach and implied that certain types of personal data may have been obtained, when Pearson knew that such data had, in fact, been stolen.

The Commission also concluded that Pearson failed to maintain disclosure controls and procedures properly designed to analyze and assess cybersecurity incidents such that management was able to make appropriate and accurate disclosure decisions.

This Commission’s order follows its June 15, 2021 order involving First American Financial we discussed here and underscores the Commission’s focus on cybersecurity disclosures, particularly when a material cyber breach is involved.