A London-based educational services public company settled SEC charges for misleading investors about a major data privacy and confidentiality breach in 2018. The cyberattack led to millions of student records being stolen. The settlement also covered charges that the company failed to maintain controls designed to assess such incidents for potential disclosure in the company's semiannual Form 6-K filings.
The sophisticated 2018 cyberattack resulted in the exfiltration of (i) 11.5 million rows of student data, including names, dates of birth and email addresses, and (ii) the usernames and passwords of school district personnel. In its Order, the SEC found that the company referred to a data privacy incident as a hypothetical risk in the 2019 6-K, even though it had already been the victim of the 2018 cyberattack. The SEC also found that the company made misleading media statements about the attack, including (i) that the breach "may" have included email addresses and birth dates, when the company knew this specific information had been stolen, and (ii) that the company had protections in place, even though the company had failed, for six months after learning of the issue, to address the vulnerability that allowed the bad actor to gain access. The SEC also found that the company's statements about the incident omitted that school administrators' login credentials and millions of rows of student data were exfiltrated.
As a result of its findings, the SEC determined that the company violated provisions of Section 17(a) ("Use of interstate commerce for purpose of fraud or deceit") of the Securities Act, Section 13(a) ("Reports by issuer of security; contents") of the Exchange Act and SEA Rules 12b-20 ("Additional information"), 13a-15 ("Controls and procedures") and 13a-16 ("Reports of foreign private issuers on Form 6-K").
To settle the charges, the company agreed to (i) cease and desist from future violations and (ii) pay a $1 million civil money penalty.