TheCorporateCounsel.net

This Wachtell memo says that the SEC’s recent settled enforcement action against Blackbaud provides a reminder to companies that when they communicate about a corporate crisis, their disclosure controls and procedures need to be sufficient to ensure that those communications are accurate. As this excerpt indicates, among other things, this requires companies to make sure that appropriate information about the facts on the ground is communicated to those making decisions about disclosure:

On July 16, 2020, Blackbaud disclosed that it had discovered a ransomware attack, but also stated that the attacker did not access any donor bank account information or Social Security numbers. According to the SEC’s order, within a matter of days, Blackbaud’s technology and customer service personnel learned that the statement about access to sensitive information was erroneous.

Nonetheless, those personnel failed to communicate that knowledge to senior management. As a result, not only did Blackbaud fail to correct the erroneous disclosure, but it also subsequently filed a Form 10-Q that failed to disclose that the attacker removed sensitive customer data. The SEC charged Blackbaud with negligence-based misrepresentations, as well as reporting violations and failure to maintain adequate disclosure controls.

The memo notes that the SEC imposed a $3 million civil penalty in this proceeding, and contrasts that with the $1 million penalty it imposed in a very similar 2021 proceeding involving Pearson. It suggests that it’s reasonable to assume that the SEC is acting on its well-publicized warnings that the penalties are going up.

– John Jenkins