In a past article, we discussed the SEC’s materiality standard, which under its new Proposed Rules would apply to the disclosure of cybersecurity incidents. However, the SEC is not the only governmental entity that requires disclosure of cybersecurity breaches. All 50 states, D.C., Puerto Rico, the Virgin Islands and Guam have data breach notifications laws requiring businesses (both public and private) to notify consumers (and sometimes state regulators) of data breaches involving personally identifiable information under certain circumstances. While a breach might trigger notification requirements under the SEC’s materiality framework and state law, in certain situations, notification may be required under one authority but not the other.
Source:
