A Sign of the Times in SEC Cyber Enforcement

by John F. Savarese and Wayne M. Carlin

From left to right: John F. Savarese and Wayne M. Carlin. (Photos courtesy of Wachtell Lipton Rosen & Katz LLP)

The SEC announced on March 9 its most recent enforcement action against a public company arising from a cybersecurity breach, In the Matter of Blackbaud, Inc. Blackbaud settled without admitting or denying the SEC’s findings. The facts of this case illustrate yet again a theme we have sounded before: as in any corporate crisis, it is critical that companies dealing with cyber breaches take adequate steps to assure that their public statements are accurate. In addition, in this case, the SEC has delivered on its programmatic goal of raising the level of corporate penalty payments.

Blackbaud provides software that non-profit organizations use to manage data about their donors. On July 16, 2020, Blackbaud disclosed that it had discovered a ransomware attack, but also stated that the attacker did not access any donor bank account information or Social Security numbers. According to the SEC’s order, within a matter of days, Blackbaud’s technology and customer service personnel learned that the statement about access to sensitive information was erroneous. Nonetheless, those personnel failed to communicate that knowledge to senior management. As a result, not only did Blackbaud fail to correct the erroneous disclosure, but it also subsequently filed a Form 10-Q that failed to disclose that the attacker removed sensitive customer data. The SEC charged Blackbaud with negligence-based misrepresentations, as well as reporting violations and failure to maintain adequate disclosure controls.

The information necessary to avoid these violations existed within the organization. The by-now familiar lesson is that companies must implement procedures and controls sufficient to provide reasonable assurance that, in a crisis, senior management receives accurate and timely information, with material updates in real time. Any public statements must be carefully vetted for accuracy.

Finally, the SEC imposed a civil money penalty of $3 million in this settlement. This contrasts with the $1 million penalty that the SEC imposed in the very similar Pearson case in August 2021. While there can be many factors affecting the penalty amount in a given case, it is reasonable to conclude that we are seeing the SEC follow through on its well-publicized warnings that penalty amounts are going up.

John F. Savarese and Wayne M. Carlin are Partners at Wachtell, Lipton, Rosen & Katz. This post originally appeared as a client alert.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).