<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Harvard Law School Forum on Corporate Governance</title>
	<atom:link href="https://corpgov.law.harvard.edu/2021/09/05/sec-sanctions-company-for-hypothetical-cyber-risk-factor/feed/" rel="self" type="application/rss+xml" />
	<link>https://corpgov.law.harvard.edu</link>
	<description>The leading online blog in the fields of corporate governance and financial regulation.</description>
	<lastBuildDate>Wed, 15 Sep 2021 13:16:22 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=5.8</generator>
	<item>
		<title>SEC Sanctions Company for Hypothetical Cyber Risk Factor</title>
		<link>https://corpgov.law.harvard.edu/2021/09/05/sec-sanctions-company-for-hypothetical-cyber-risk-factor/</link>
		<comments>https://corpgov.law.harvard.edu/2021/09/05/sec-sanctions-company-for-hypothetical-cyber-risk-factor/#respond</comments>
		<pubDate>Sun, 05 Sep 2021 13:28:20 +0000</pubDate>
<!-- 		<dc:creator><![CDATA[]]></dc:creator> -->
				<category><![CDATA[Accounting & Disclosure]]></category>
		<category><![CDATA[Practitioner Publications]]></category>
		<category><![CDATA[Securities Litigation & Enforcement]]></category>
		<category><![CDATA[Securities Regulation]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[SEC]]></category>
		<category><![CDATA[SEC enforcement]]></category>
		<category><![CDATA[Securities enforcement]]></category>
		<category><![CDATA[Securities regulation]]></category>

		<guid isPermaLink="false">https://corpgov.law.harvard.edu/?p=140045?d=20210905092820EDT</guid>
		<description><![CDATA[The SEC filed an enforcement action against a company for disclosing the risk that it “could” have a data privacy breach when it knew it already had experienced a breach. The action also shows the importance of software patch management, which can significantly reduce the number of incidents. On August 16, the Securities and Exchange [&#8230;]]]></description>
				<content:encoded><![CDATA[<hgroup><em>Posted by Robert Cohen, Michael Kaplan and Richard Truesdell, Davis Polk & Wardwell LLP, on Sunday, September 5, 2021 </em><div style="background:#F8F8F8;padding:10px;margin-top:5px;margin-bottom:10px"><strong>Editor's Note: </strong> <a href="https://www.davispolk.com/lawyers/robert-cohen">Robert Cohen</a>, <a href="https://www.davispolk.com/lawyers/michael-kaplan">Michael Kaplan</a> and <a href="https://www.davispolk.com/lawyers/richard-truesdell-jr">Richard Truesdell</a> are partners at Davis Polk &amp; Wardwell LLP. This post is based on a Davis Polk memorandum by Mr. Cohen, Mr. Kaplan, Mr. Truesdell, <a href="https://www.davispolk.com/lawyers/greg-andres">Greg Andres</a>, <a href="https://www.davispolk.com/lawyers/joseph-hall">Joseph Hall</a>, and <a href="https://www.davispolk.com/lawyers/matthew-kelly">Matthew Kelly</a>.
</div></hgroup><p>The SEC filed an enforcement action against a company for disclosing the risk that it “could” have a data privacy breach when it knew it already had experienced a breach. The action also shows the importance of software patch management, which can significantly reduce the number of incidents.</p>
<p>On August 16, the Securities and Exchange Commission (SEC) announced a <a href="https://www.sec.gov/litigation/admin/2021/33-10963.pdf">settlement</a> with Pearson plc (Pearson), a London-based company that primarily provides educational publishing services to schools and universities, for making a misleading risk factor disclosure about data breaches. Pearson collected large volumes of student data and administrator log-in credentials, and learned in March 2019 that millions of rows of data had been stolen by a sophisticated threat actor. The company mailed a breach notice to customers in July 2019 but did not disclose the breach in its SEC filings. Instead, its next SEC filing included a statement that a data privacy incident was a risk that “could result” in a major breach.</p>
<p>The company received a media inquiry a few days later, and gave the reporter a statement the company had prepared months before. The statement said that the data breach “may” have involved certain types of information that the SEC asserts the company already knew were involved. The statement also referred to the incident as “unauthorized access” and “expos[ure of] data” instead of disclosing that data had been removed, and did not include all of the types of data at issue. The statement said that the company had strict protections in place, had fixed the issue, and had no evidence the information had been misused, even though it had failed to patch the vulnerability for six months and was using an outdated encryption algorithm.</p>
]]></content:encoded>
			<wfw:commentRss>https://corpgov.law.harvard.edu/2021/09/05/sec-sanctions-company-for-hypothetical-cyber-risk-factor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
