Software Company Fined for Disclosure and Reporting Failures Following Data Breach

A software company that manages donor data for non-profit organizations settled SEC charges for (i) misleading its customers with inaccurate disclosures regarding the extent of a ransomware data breach and (ii) filing a related false report with the SEC.

According to the SEC Order, on May 14, 2020 the software company discovered a ransomware attack that compromised the records of over 13,000 donors, including sensitive information such as Social Security numbers, bank account numbers, and donation history. The SEC found that on July 16, 2020, the company posted information about the ransomware attack on its website for donors but claimed that sensitive data had not been accessed in the attack. The SEC said that the company learned that certain of the donors' identifying data had, in fact, been accessed. The SEC said the company's leadership then filed a Form 10-Q with the SEC in August, reporting that it had been the victim of a ransomware attack but describing the theft of donors' identifying data as "hypothetical."

As a result, the SEC found that the company violated Securities Act Sections 17(a)(2) and 17(a)(3) ("Fraudulent Interstate Transactions"), as well as Exchange Act Section 13(a) ("Periodical and other reports") and Rules 12b-20 ("Additional information"), 13a-13 ("Quarterly reports on Form 10-Q"), and 13a-15(a) ("Controls and procedures").

To settle charges, the software company agreed to (i) cease and desist from future violations and (ii) pay a $3 million civil money penalty.
