SEC charges marketing services company R.R. Donnelley & Sons with cybersecurity-related control violations

The Securities and Exchange Commission has charged R.R. Donnelley & Sons Company (RRD), a global provider of business communication and marketing services, with disclosure and internal control failures relating to cybersecurity incidents and alerts in late 2021. RRD agreed to pay over $2.1 million to settle the charges.

Here is a copy of the Order: https://www.sec.gov/files/litigation/admin/2024/34-100365.pdf

According to the Order, data integrity and confidentiality were critically important to RRD’s business. Because client data was stored on RRD’s network, its information security personnel and the third-party service provider RRD hired were responsible for monitoring the network’s security. However, according to the order, RRD failed to design effective disclosure controls and procedures to report relevant cybersecurity information to management with the responsibility for making disclosure decisions, and failed to carefully assess and respond to alerts of unusual activity in a timely manner. The order further finds that RRD failed to devise and maintain a system of cybersecurity-related internal accounting controls sufficient to provide reasonable assurances that access to RRD’s assets – its information technology systems and networks – was permitted only with management’s authorization.

The SEC’s order found that RRD violated Section 13(b)(2)(B) of the Securities Exchange Act of 1934 and Exchange Act Rule 13a-15(a). Without admitting or denying the SEC’s findings, RRD agreed to cease and desist from committing violations of these provisions and to pay a $2,125,000 civil penalty. As described in the order, RRD cooperated throughout the investigation, including by reporting the cybersecurity incident to SEC staff prior to filing a disclosure of the incident, by providing meaningful cooperation that helped expedite the staff’s investigation, and by voluntarily adopting new cybersecurity technology and controls.

The SEC and other agencies have imposed several significant fines on companies for cybersecurity violations and related disclosure failures over the past three years. Here are some of the notable fines:

Blackbaud Inc. (March 2023)

  • $3 million penalty for misleading disclosures about a 2020 ransomware attack that accessed sensitive donor data, including bank account information and social security numbers.
  • This was the SEC’s first enforcement action involving cybersecurity disclosure failures after a ransomware attack.

Pearson plc (August 2021)

  • $1 million penalty for misleading investors about a 2018 cyber intrusion that involved the theft of millions of student records.

First American Financial Corp. (June 2021)

  • $487,616 penalty for disclosure control deficiencies related to a cybersecurity vulnerability that exposed sensitive customer data.

Equifax (2017)

2017 saw Equifax lose the personal and financial information of nearly 150 million people due to an unpatched Apache Struts framework in one of its databases. The company had failed to fix a critical vulnerability months after a patch had been issued, and then failed to inform the public of the breach for weeks after it had been discovered.

In July 2019 the credit agency agreed to pay $575 million — potentially rising to $700 million — in a settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and all 50 U.S. states and territories over the company’s “failure to take reasonable steps to secure its network.”

$300 million of that will go to a fund providing affected consumers with credit monitoring services (another $125 million will be added if the initial payment is not enough to compensate consumers), $175 million will go to 48 states, the District of Columbia and Puerto Rico, and $100 million will go to the CFPB. The settlement also requires the company to obtain third-party assessments of its information security program every two years.

Here is what Section 13(b)(2)(B) requires:

(2) Every issuer which has a class of securities registered pursuant to section 78l of this title and every issuer which is required to file reports pursuant to section 78o(d) of this title shall—

(A) make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;

(B) devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences; and

(C) notwithstanding any other provision of law, pay the allocable share of such issuer of a reasonable annual accounting support fee or fees, determined in accordance with section 7219 of this title.

(5) No person shall knowingly circumvent or knowingly fail to implement a system of internal accounting controls or knowingly falsify any book, record, or account described in paragraph (2).

(6) Where an issuer which has a class of securities registered pursuant to section 78l of this title or an issuer which is required to file reports pursuant to section 78o(d) of this title holds 50 per centum or less of the voting power with respect to a domestic or foreign firm, the provisions of paragraph (2) require only that the issuer proceed in good faith to use its influence, to the extent reasonable under the issuer’s circumstances, to cause such domestic or foreign firm to devise and maintain a system of internal accounting controls consistent with paragraph (2). Such circumstances include the relative degree of the issuer’s ownership of the domestic or foreign firm and the laws and practices governing the business operations of the country in which such firm is located. An issuer which demonstrates good faith efforts to use such influence shall be conclusively presumed to have complied with the requirements of paragraph (2).

(7) For the purpose of paragraph (2) of this subsection, the terms “reasonable assurances” and “reasonable detail” mean such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.

Jeffrey Newman is a whistleblower lawyer whose firm represents whistleblowers in healthcare fraud cases under the False Claims Act (FCA) and also under the Securities and Exchange Commission (SEC), FinCEN and CFTC whistleblower programs. He can be reached at Jeff@JeffNewmanLaw.com or at 617-823-3217.