SEC Charges Pearson plc for Misleading Investors About Cyber Breach and Inadequate Disclosure Controls

On August 16, 2021, the Securities and Exchange Commission imposed a cease-and-desist order and a $1 million civil penalty on Pearson plc, finding violations of the negligence-based antifraud provisions of the Securities Act.

The Commission’s order finds that Pearson made misleading statements and omissions about a 2018 data breach involving the theft of student data and administrator log-in credentials of 13,000 school, district and university customer accounts. The order notes that while Pearson’s periodic filings with the Commission contained risk-factor disclosure identifying that “malicious attack[s] on our systems” could result in a “‘major data privacy or confidentiality breach,’” the company re-issued that risk-disclosure language without disclosing that precisely such a major breach had occurred just a few months earlier. The SEC also found that Pearson’s response to media inquiries concerning the breach was materially misleading, because its press statement downplayed the scale and seriousness of the breach and implied that certain types of personal data may have been obtained, when Pearson knew that such data had, in fact, been stolen.

The Commission also concluded that Pearson failed to maintain disclosure controls and procedures properly designed to analyze and assess cybersecurity incidents such that management was able to make appropriate and accurate disclosure decisions.

This Commission’s order follows its June 15, 2021 order involving First American Financial we discussed here and underscores the Commission’s focus on cybersecurity disclosures, particularly when a material cyber breach is involved.

KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.


© 2024 Keating Muething & Klekamp PLL. All Rights Reserved


Jump to Page