The Securities and Exchange Commission Enacts New Data Breach Requirements
The SEC entered into a settlement agreement with Pearson PLC (“Pearson”), an educational publishing company, arising from a data breach Pearson suffered. In the agreement, the Commission found that Pearson “made material misstatements and omissions regarding a 2018 cyber intrusion.” The breach was large in scope: the intrusion affected millions of rows of data across 13,000 customer accounts.
On March 21, 2019, Pearson learned that a sophisticated cyber attacker had accessed and downloaded millions of rows of data through an unpatched vulnerability. Yet more than four months later, the company reported to the Commission that it could face a “major data privacy or confidentiality breach” as a hypothetical risk, when it had in fact already suffered such a breach.
Finally, on July 31, 2019, Pearson posted a statement about the breach on its website, in response to a media inquiry. This post was a primary basis of the SEC’s enforcement action against Pearson: the Commission determined that the statement was false in several respects and therefore violated the Securities Act. Specifically, the SEC found:
- Pearson described the incident as “unauthorized access” and “exposure of data,” when the threat actor had in fact downloaded the data.
- Pearson reported that the impacted data was limited to “first name, last name, and in some instances may include date of birth and/or email address,” when in fact the data also included usernames and hashed passwords.
- Pearson reported that the data “in some instances may have included” email addresses, when it knew that over 290,000 rows did contain email addresses.
- Finally, Pearson stated that “Protecting our customers’ information is of critical importance to us. We have strict data protections in place and have reviewed this incident, found and fixed the vulnerability,” when in fact the attack exploited a vulnerability that had remained unpatched for six months, and Pearson had protected the passwords with an outdated hash algorithm, which weakens the protection hashing is supposed to provide once a password store is stolen.
The settlement is significant in several respects, most notably because the standard the SEC applied appears to be higher than that of state data breach laws. In particular, an email address without an accompanying clear-text password, and a date of birth, are not normally defined as personally identifiable information under state data breach statutes. Furthermore, hashed passwords, even those hashed with an outdated algorithm, are commonly exempt from data breach notification statutes.
The SEC has effectively put publicly traded companies on notice that a cyber-breach disclosure must give a complete and accurate description of the incident, going beyond what state data breach notification laws may require.