Skip to main content

SEC’s $1 Million Settlement with Pearson Over Botched Data Breach Disclosure Is A Cautionary Tale for Public Companies

Kelly Ruane Melchiondo
Blog ImageCareful—and truthful—reporting of a data breach should be a must for any company. But nowhere is this truer than for publicly traded companies. A recent Securities and Exchange Commission Order highlights how costly inaccuracies and omissions in reporting of data breaches may prove for publicly traded companies.

On August 16, 2021, the SEC announced a settlement with Pearson plc, a multinational, publicly traded educational publishing company based in the United Kingdom. Pearson trades on the London Stock Exchange under the ticker symbol PSON, and its American Depository Receipts are traded on the New York Stock Exchange under the ticker symbol PSO.

The SEC charged Pearson with making misleading statements and omissions about a 2018 data breach that involved the theft of student data and administrator log-ins of 13,000 school district and university customer accounts. Pearson agreed to pay $1 million to settle the SEC’s charges.

Pearson learned in March 2019 about a cyber intrusion that affected data stored on the server for its web-based product, AIMSweb 1.0. A “sophisticated threat actor” (read: hacker) accessed and downloaded school district personnel user names, passwords, and 11.5 million rows of student data, including birth dates and email addresses, in 2018. In September 2018, the software manufacturer had warned Pearson of a vulnerability in its software and made a patch available to Pearson. Pearson failed to download the software patch to fix the vulnerability until March 2019, when it confirmed the theft of the data.

Compounding its error, Pearson sent notice to the affected users in July 2019 in which Pearson failed to inform the users that their usernames and passwords had been stolen. That same month, in Pearson’s semi-annual SEC filings, Pearson termed the incident a “hypothetical risk,” despite knowing that the breach had actually occurred. Later, in a media statement, Pearson said the breach “may have” included student birth dates and email addresses, and touted its “strict protections” for data privacy—all despite knowing that it failed to patch the software vulnerability for months.

It’s not difficult to deduce why the SEC charged Pearson with violating the antifraud provisions of Sections 17(a)(2) and (a)(3) of the Securities Act of 1933, the reporting provisions of Section 13(a) of the Securities Exchange Act of 1934, among other violations. Pearson offered, and the SEC accepted, to pay a civil monetary penalty of $1 million. Pearson also agreed to cease and desist from any further violations of Sections 17(a)(2) and (a)(3).

The SEC’s Order came just over one year after a federal judge in the United States District Court for the Northeastern District dismissed a putative class action against Pearson, finding that the putative plaintiffs lacked standing to sue Pearson for the theft of the student email addresses. The court noted in its Order that the email addresses were “not sensitive enough to materially increase the risk of identity theft,” and thus, that the plaintiff’s argument that the personal data had been diminished is “too speculative to confer standing.”

While standing issues may enable publicly traded companies may be able to avoid plaintiff class actions—for now—in certain jurisdictions, the SEC’s Order makes it clear that the SEC is monitoring disclosures of data breaches closely. The Pearson Order demonstrates the critical importance of accurate disclosures of data breaches, both internally within companies, and then externally to the public at large. Pearson’s will not be the last of these Orders.
Speaking Engagement March 4, 2024
Ryan J. Coyle speaks on the panel Stiff Winds, New Currents and Rough Seas: Navigating the Private Client World in Turbulent Times at the 29th Annual International Private Client Tax Conference. The panel discusses recent changes and salient topics in tax law in different jurisdictions, the use of a...
Publication November 30, 2023
Over the past decade, companies have increasingly turned to the collection of consumer personal data to help them better understand and adapt to the habits, preferences, and needs of consumers, engage in targeted marketing, and gain insight into the broader marketplace—that is, to better compe...
Speaking Engagement September 29, 2023
Melissa Pallett-Vasquez speaks on the panel Press Play to Continue: Navigating Legal Ethics in a Digital World at the ACC South Florida 13th Annual CLE Conference. The session focuses on the unique ethical issues brought on by technological changes in the legal field, particularly the increasing pre...