More than a decade ago, I expressed concern when the Securities and Exchange Commission charged Koss Corporation and one its CEO, Mr. Koss, with filing materially false financial statements after the corporation had discovered that it had been the victim of employee embezzlement. In the post, I decried the SEC’s decision to punish the victims of crime:
The SEC’s decision to prosecute this case is troubling. Surely, neither Koss Corporation nor Mr. Koss intended or wanted to be the victim of a criminal embezzlement. It is also hard to see how the shareholders’ benefited from the company incurring the legal costs associated with defending and settling the SEC investigation. While the SEC did force the return of bonus compensation, the injunctive relief ordering the company and Mr. Koss not to do this again strikes me as silly. Does it really make sense for the court to order a company not to be the victim of a theft?
I was therefore heartened by the recent statement by Commissioners Hester Peirce and Mark Uyeda on the SEC’s recent settlement of administrative proceeding against R.R. Donnelly & Sons, Co.:
Also concerning is the Commission’s decision to stretch the law to punish a company that was the victim of a cyberattack. While an enforcement action may be warranted in some circumstances, distorting a statutory provision to form the basis for such an action inappropriately amplifies a company’s harm from a cyberattack.
According to the SEC’s press release, R.R. Donnelly & Sons, Co. “cooperated throughout the investigation, including by reporting the cybersecurity incident to staff prior to filing a disclosure of the incident, by providing meaningful cooperation that helped expedite the staff’s investigation, and by voluntarily adopting new cybersecurity technology and controls”. Nonetheless, the SEC thought a just resolution required payment of a $2.125 million civil penalty for transfer to the U.S. Treasury. I remain unconvinced that the expropriation of millions of dollars from a crime victim to the U.S. Treasury protects, much less helps, the shareholders of R.R. Donnelly & Sons, Co.