UK-based educational publisher Pearson has paid $1 million to settle Securities and Exchange Commission (SEC) charges that it misled investors about a 2018 cyberattack that involved the theft of millions of student records. However, experts say given the history of other litigation, the settlement could open the company up to securities lawsuits from pension funds and other institutional investors that owned Pearson stock during that period.
According to the SEC’s cease-and-desist order, Pearson made misleading statements and omissions about the 2018 data breach involving the theft of student data and administrator login credentials of 13,000 school, district, and university customer accounts. The order cited a July 2019 semiannual report in which Pearson referred to a data privacy incident as a hypothetical risk, even though the 2018 cyber intrusion had already occurred.
The SEC also said that Pearson stated in a July 2019 media statement that the breach “may” include dates of birth and email addresses, when it knew that such records had in fact been stolen. The regulator also chided Pearson for saying it had “strict data protections in place,” when, according to the SEC, the publisher had failed to patch the critical vulnerability for six months after it was notified. The SEC also said Pearson’s media statement failed to mention that millions of rows of student data and usernames and hashed passwords (i.e., passwords that have been scrambled) were stolen.
The order also found that Pearson’s disclosure controls and procedures were not designed to ensure that those responsible for making disclosure determinations were informed of certain information about the circumstances surrounding the breach.
Without admitting or denying the findings in the SEC’s order, Pearson agreed to cease and desist from committing violations of these provisions and to pay the civil penalty.
“Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, said in a statement. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”
The settlement could entice attorneys to take aim at Pearson and use the cease-and-desist order to bolster their case, legal experts say. The accusation that a company and/or its executives made misleading statements to artificially inflate its stock price is a common thread in class action lawsuits led by institutional investors.
For example, early last year, Norwegian internet browser company Opera Limited was hit with a class action lawsuit that accused it of offering documents for its initial public offering (IPO) that contained “materially false and misleading statements” about the company’s business and operational and compliance policies.
Late last year, a US district judge approved a class action lawsuit against Apple led by UK-based Norfolk Pension Fund that accused CEO Tim Cook of misleading investors about declining demand for iPhones in China, which led to huge losses for investors.
And in 2018, the City of Warren Police and Fire Retirement System led a class action lawsuit against Hasbro that accused the toy company of misleading investors about its financial health to artificially inflate its stock price while its CEO and chief financial officer (CFO) sold $147 million in personal shares.