It's déjà vu all over again! On Monday, the SEC announced settled charges against Pearson plc, an NYSE-listed educational publishing and services company based in London, for failure to disclose a cybersecurity breach. You might recall that just a few months ago, the SEC announced settled charges against another company for failure to timely disclose a cybersecurity vulnerability that led to a leak of data, with disclosure ultimately spurred by imminent media reports. Is there a trend here? In this instance, it wasn't just a vulnerability—there was an actual known breach and exfiltration of private data. Nevertheless, Pearson decided not to disclose it and framed its cybersecurity risk factor disclosure as purely hypothetical. The SEC viewed that disclosure as misleading and imposed a civil penalty on Pearson of $1 million. The case serves as yet another reminder of the dangers of risk disclosures presented as hypothetical when those risks have actually come to fruition—a presentation that has now repeatedly drawn scrutiny in the context of cybersecurity disclosure.

SideBar

In June, the SEC brought charges against First American Financial Corporation for failure to timely disclose a cybersecurity defect.  According to the SEC's order in that case, in May 2019, the company was advised by a journalist that its software application for sharing document images related to title and escrow transactions had a vulnerability that exposed "over 800 million title and escrow document images dating back to 2003, including images containing sensitive personal data such as social security numbers and financial information." That evening, the company issued a public statement and, on the next trading day, furnished a Form 8-K to the SEC.  However, as it turns out, the company's information security personnel had already identified the vulnerability in a report of a manual test of the application about five months earlier, but failed to remediate it in accordance with the company's policies.  They also failed to apprise senior executives about the report, including those responsible for making public statements, even though the information would have been "relevant to their assessment of the company's disclosure response to the vulnerability and the magnitude of the resulting risk." There were no charges of securities fraud; the company was found only to have violated the requirement to maintain disclosure controls and procedures and ordered to pay a penalty of almost a half million dollars. (See this PubCo post.)

Pearson provides "educational publishing and other services to schools and universities," such as "academic performance assessment services to school districts in the United States."  Its web-based software allowed schools to enter, track, update and view students' academic performance and included, in addition to student data, the names, titles and work addresses of school personnel along with their usernames and "hashed passwords."

SideBar

What is a hashed password?  According to Wired it's a password that has been

"converted into a collection of cryptographic hashes, random-looking strings of characters into which the passwords have been mathematically transformed to prevent them from being misused. This transformation is called hashing. But just what sort of hashing those passwords have undergone can mean the difference between the thieves ending up with scrambled text that takes years to decipher or successfully 'cracking' those hashes in days or hours to convert them back to usable passwords, ready to access your sensitive accounts. A hash is designed to act as a 'one-way function': A mathematical operation that's easy to perform, but very difficult to reverse. Like other forms of encryption, it turns readable data into a scrambled cipher. But instead of allowing someone to decrypt that data with a specific key, as typical encryption functions do, hashes aren't designed to be decrypted. Instead, when you enter your password on a website, it simply performs the same hash again and checks the results against the hash it created of your password when you chose it, verifying the password's validity without having to store the sensitive password itself."
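As an added illustration (not from the article, Wired or the SEC order) of the "perform the same hash again and compare" flow described above, and of why the choice of algorithm matters, the same check is written two ways below: an outdated unsalted single-pass hash beside a salted, iterated password hash. The PBKDF2 iteration count and storage format are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed setting for this example; modern password-hashing guidance calls for
# a work factor large enough that one hash takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    """Outdated scheme: one unsalted SHA-1 pass. It is fast and deterministic, so
    two users with the same password store the same digest and precomputed
    lookups apply across the whole leaked table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Current scheme: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.
    The salt and iteration count are stored beside the digest (constructed
    '$'-separated format) so verification can repeat the exact computation."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    """Re-run the stored parameters on the submitted password and compare in
    constant time; the plaintext password itself is never kept."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), digest_hex)


def same_digest_for_same_password(hash_fn) -> bool:
    """True when two accounts sharing a password end up with identical stored
    values: the property of unsalted hashes that makes bulk recovery cheap."""
    return hash_fn("Spring2019!") == hash_fn("Spring2019!")
```

With the legacy function, identical passwords collapse to one digest; with the salted function, each stored value is unique even for the same password.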

As described in the SEC's Order, in September 2018, Pearson was advised by one of its software manufacturers of a critical vulnerability in its software and notified of the availability of a patch to fix it. Pearson, however, failed to implement the patch.  In March 2019, the company learned that a "sophisticated threat actor" used the unpatched vulnerability to access and download millions of rows of data, including exfiltration of all school district personnel usernames and hashed passwords, as well as 11.5 million rows of student data, half of which contained the students' dates of birth and, for a much smaller subset, students' email addresses. While the passwords were "hashed," unfortunately, they "were scrambled using an algorithm that had become outdated for protecting passwords." After the breach, Pearson implemented the patch and engaged a consultant to conduct an investigation, but "decided that it was not necessary to issue a public statement regarding the incident." Instead, Pearson mailed a notice to its customer accounts and prepared a media statement to have ready in case of media inquiry.

In July, just prior to the submission of its Form 6-K reporting its six-months interim results, Pearson management again made the decision that it was unnecessary to disclose the incident. Accordingly, in the risk factors section of that report, Pearson did not disclose the breach, but instead left its previous cybersecurity risk factor unchanged.  That risk factor described the risk as purely hypothetical: a "[r]isk of a data privacy incident or other failure to comply with data privacy regulations and standards and/or a weakness in information security, including a failure to prevent or detect a malicious attack on our systems, could result in a major data privacy or confidentiality breach causing damage to the customer experience and our reputational damage, a breach of regulations and financial loss." According to the SEC, this statement "implied that no 'major data privacy or confidentiality breach' had occurred," when Pearson was well aware of the breach and "failed to consider how certain information about that breach should have informed this risk disclosure."

SideBar

Problematic hypothetical disclosures have certainly drawn scrutiny—and claims of misleading disclosure—in the last few years, especially in the context of cybersecurity. In In re Alphabet Securities Litigation, a three-judge panel of the 9th Circuit held that a complaint "plausibly alleged" that the defendants' decision to omit information about certain cybersecurity defects and vulnerabilities "significantly altered the total mix of information available for decision-making by a reasonable investor" and that scienter—intent to deceive, manipulate or defraud—was adequately alleged. Alphabet's Forms 10-Q incorporated the risk factor disclosures from its 2017 Form 10-K and did not update to disclose various significant security vulnerabilities that had been discovered, specifically, a vulnerability in its Google+ social network that had, for three years, left private data of hundreds of thousands of users exposed to third-party developers. Instead, the company specifically stated that there were "no material changes to our risk factors" since the previous Form 10-K. Importantly, the Court held that the complaint contained a plausible allegation that Alphabet's omission was materially misleading: its risk factor discussion of cybersecurity was framed in the hypothetical, while, it was alleged in the complaint, the "hypothetical" events had in fact already occurred. (See this PubCo post.)

And the SEC has also brought actions on the same basis.  In 2018, the entity formerly known as Yahoo! Inc. agreed to pay a $35 million penalty "to settle charges that it misled investors by failing to disclose one of the world's largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts."  In its Order in that case, the SEC found that, in late 2014, Yahoo learned of a massive cyber breach by hackers associated with the Russian Federation—at that time considered the largest breach of its kind—that affected over 500 million user accounts, resulting in the "theft, unauthorized access, and acquisition of hundreds of millions of its users' data, including usernames, birthdates, and telephone numbers," referred to internally as the company's "crown jewels." The Order charged that the company's "senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo's public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading." In particular, the Order found that the company's risk disclosure was presented in the hypothetical: its "risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches" that might expose the company to loss and liability "without disclosing that a massive data breach had in fact already occurred." These risk factor disclosures "misleadingly suggested that a significant data breach had not yet occurred, and that therefore the company only faced the risk of data breaches and any negative effects that might flow from future breaches." (See this PubCo post.) 

The SEC has also specifically warned of the dangers of "hypothetical" risk disclosure in the context of stolen data and IP. CF Disclosure Guidance Topic No. 8, which relates to Intellectual Property and Technology Risks Associated with International Business Operations, provided guidance regarding disclosures that Corp Fin believes companies should consider with respect to intellectual property and technology risks that could arise in connection with international operations, especially in locations where protection of intellectual property may be a bit dicey. The guidance encourages each company to assess these risks and consider their potential impact on its business, financial condition and results of operations, and reputation, stock price and long-term value. Notably, the guidance expressly states that "where a company's technology, data or intellectual property is being or previously was materially compromised, stolen or otherwise illicitly accessed, hypothetical disclosure of potential risks is not sufficient to satisfy a company's reporting obligations." (See this PubCo post.)

On July 31, a national media reporter contacted Pearson about a pending article regarding the breach, and the company gave the reporter its prepared statement and posted it on its website.  According to the Order, the prepared statement included several misleading statements, such as referring to the event as "unauthorized access" when data had actually been exfiltrated, and again presenting some of the information as hypothetical, i.e., stating that the information "may include date of birth and/or email address," when it was known that a large portion of the data did include that information.  In light of Pearson's failure to timely patch the critical vulnerability and its use of an outdated hashing algorithm, the SEC even took issue with Pearson's statement that "Protecting our customers' information is of critical importance to us. We have strict data protections in place and have reviewed this incident, found and fixed the vulnerability." The SEC viewed Pearson's data breach to be material in part because Pearson's "reputation and ability to attract and retain revenue depended in part on its ability to adequately protect personally identifiable," particularly data on school-age children around the world.

The day following issuance of Pearson's media statement, its stock price dropped by 3.3%.

SideBar

The SEC's 2018 guidance on cybersecurity disclosure addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. In determining whether disclosure regarding cybersecurity risks and incidents is necessary, "companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company's operations." But how is "materiality" assessed in the context of cybersecurity? The SEC noted that the Basic v. Levinson probability/magnitude test is still a relevant part of the analysis. The SEC also advised that "materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations."  In that regard, the SEC noted that compromised information "might include personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company's business, as well as the scope of the compromised information." Materiality "also depends on the range of harm that such incidents could cause. This includes harm to a company's reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities."   (For more information about the SEC guidance, see this PubCo post and this Cooley Alert.)

It's worth noting here that prominently featured on the SEC's Spring 2021 Reg-Flex Agenda are proposed rules regarding cybersecurity risk governance disclosure. Given the recent consternation over hacks and ransomware, it should come as no surprise that the SEC may propose rule amendments to enhance issuer disclosures regarding cybersecurity risk governance. The agenda identifies October 2021 as the target date for issuance of a proposal. (See this PubCo post.)

The Order noted that Pearson was engaged in an ongoing employee offering during this time.  In addition, the SEC concluded that Pearson failed to maintain adequate disclosure controls and procedures because its procedures surrounding the Form 6-K and media statement "failed to inform relevant personnel of certain information about the circumstances surrounding the breach," especially since Pearson had "identified the potential for improper access to such data as a significant risk."

The SEC charged Pearson with fraud in the offer and sale of securities under Section 17(a)(2) and (3) of the Securities Act, which are negligence-based prohibitions and do not require a showing of scienter; violation of Section 13(a) of the Exchange Act, which requires foreign issuers to furnish periodic reports that are accurate and not misleading; and violation of Rule 13a-15(a), which requires issuers to maintain adequate disclosure controls and procedures.  The SEC imposed a civil money penalty of $1 million.
