
InfoBytes Blog

Financial Services Law Insights and Observations

SEC settles with company over data breach


On August 16, the SEC announced charges against a London-based educational publishing company for its role in allegedly misleading investors regarding a cyber breach that involved millions of student records, and for having inadequate disclosure controls and procedures in place. According to the SEC’s order, the company made material misstatements and omissions about a 2018 cyber intrusion that affected millions of rows of data across 13,000 school, district, and university customer accounts in the U.S. According to a 2019 report furnished to the Commission, the company’s risk factor disclosure implied that the company faced the hypothetical risk that a “data privacy incident” “could result in a major data privacy or confidentiality breach” but did not disclose that a data breach involving the company had previously taken place. In response to an inquiry by a media outlet, the company sent a breach notification to its affected customers and issued a previously prepared statement that included misstatements regarding the breach and the data involved. The order found that the company failed “to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings.” The SEC charged the company with violating, among other things, Rule 13a-15(a) of the Securities Act, which requires every issuer to maintain disclosure controls and procedures, and Section 13(a) of the Exchange Act, which requires “every foreign issuer of a security registered pursuant to Section 12 of the Exchange Act to furnish the Commission with periodic reports containing information that is accurate and not misleading.” The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $1 million and provides that the company must cease and desist from committing or causing any future violations of the Securities Act and the Exchange Act.