On August 16, 2021, the Securities and Exchange Commission announced a $1 million settlement that it reached with Pearson plc, a London-based multinational educational publishing and services company, for allegedly making misleading statements to investors regarding a 2018 data breach.
In the settled order, the SEC alleges that Pearson suffered a data breach on March 21, 2019 and provided notice to affected customers, but failed to disclose the breach in a filed Form 6-K, misrepresenting that it faced merely a “risk of a data privacy incident” – a statement that had remained unchanged from previously filed Forms 6-K. In addition, Pearson allegedly posted a misleading media statement to its website that omitted material information about the breach, including that several million rows of student data were compromised and the types of information compromised, and that mischaracterized the incident as the exposure or “unauthorized access” of customer data, rather than the theft of data from its server.
Pearson was charged with violating Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933, and Section 13(a) of the Securities Exchange Act of 1934, as well as Rules 12b-20, 13a-15(a), and 13a-16 thereunder. Under the settlement, without admitting or denying the allegations, Pearson agreed to pay a $1 million civil money penalty.