A recent SEC settlement has again demonstrated the Commission’s continued attention to public companies’ disclosures of cybersecurity incidents and its commitment to a broad notion of what constitutes such an incident. On August 16, the SEC entered a settlement agreement with Pearson plc, a UK-based educational publishing company that is publicly traded on both the London Stock Exchange and New York Stock Exchange via ADRs. While Pearson made no admissions in the agreement, it will pay a $1 million civil penalty to settle the SEC’s allegations that Pearson misled investors in its disclosures related to a 2018 cybersecurity breach.
Five key aspects of this settlement merit attention from a cybersecurity perspective because they are arguably more aggressive than the practices that have developed under state data breach laws: