Sullivan & Cromwell Discusses SEC Case on Misleading Disclosure of Cybersecurity Incident

On August 16, 2021, the SEC charged Pearson plc with misleading investors and failing to maintain adequate disclosure controls and procedures in connection with a cybersecurity incident. According to the SEC’s order, Pearson learned in March 2019 about an intrusion involving the exfiltration of millions of rows of student data, including names and some birthdates and email addresses, as well as usernames and hashed passwords for school personnel. In July 2019, a periodic filing characterized data privacy incidents as an ongoing risk factor but failed to disclose that such an incident—and one characterized by the Order as “material”—had actually occurred. … Read more