Beyond Materiality: Comparing The SEC’s Proposed Data Breach Notification Rules with Evolving State Notification Laws

In a past article, we discussed the SEC’s materiality standard, which under its new Proposed Rules would apply to the disclosure of cybersecurity incidents. However, the SEC is not the only governmental entity that requires disclosure of cybersecurity breaches. All 50 states, D.C., Puerto Rico, the Virgin Islands and Guam have data breach notifications laws requiring businesses (both public and private) to notify consumers (and sometimes state regulators) of data breaches involving personally identifiable information (“PII”) under certain circumstances.

While a breach might trigger notification requirements under the SEC’s materiality framework and state law, in certain situations, notification may be required under one authority but not the other.

Data breach notifications laws vary from state to state, but most share the following characteristics:

• A definition of covered personally identifiable information, that if met, triggers notification. Typical definitions include
  •  name,
  • date of birth,
  • Social Security number,
  • account information plus information required for access (such as username and password) and
  • biometric information.
• A definition of breach
• Requirements for the timing and content of notification to consumers and/or state government agencies.

Several states include exceptions to the notification requirement for:

• Encrypted or redacted data,
• Data that is already publicly available,
• Unauthorized access by an employee of the data holder acting in good faith and
• Breaches for which there is no substantial likelihood of harm to the individual.

In contrast, when determining materiality under the Proposed Rules, companies should evaluate the impact of an incident on its financial position, operation, or relationship with customers. Companies should consider both quantitative and qualitative factors, making materiality determinations based on an incident’s nature, extent and potential magnitude for harm. For a fuller discussion of materiality in the Proposed Rules, see What Makes a Cybersecurity Risk or Incident Material? A Look at the SEC’s Proposed Rules on Cybersecurity.

While certain breaches may require notification under both SEC and state data breach notification law standards, the two standards diverge in substantial ways.

Situations in Which the Standards Diverge

• A breach may not trigger state data breach notification obligations, but may still be material for the purposes of securities laws. State data breach notification laws apply to breaches of PII. There are a wide variety of cybersecurity incidents that do not require notification under state legislation, but which still materially affect the company. For example, a threat actor might steal a company’s valuable trade secrets. This incident may materially affect the company, despite there being no PII Alternatively, a threat actor might use wiper malware to delete data on a company’s system, without stealing covered PII. In both these cases, the breach could be material to the company without triggering state data breach notification laws.
• A breach may trigger state data breach notification obligations but may be immaterial for the purposes of securities laws. Consider a breach of a single user’s first name, last name, and date of birth. In certain states, the breach of that information, even for a single account, would trigger the notification requirement.¹ But, under securities laws, that same breach might not be material. The potential economic impact may be low, especially given that name and date of birth information is often already available online.² There may be similar situations where even usernames, passwords or Social Security numbers may already be available online, either through legal data collection sites³ or as a result of past breaches.⁴
• The required notification timeline differs between state data breach laws and the SEC Proposed Rules. State laws vary, but many require notice to individuals “as expeditiously as possible and without unreasonable delay,” or in any case no later than a set time period after the determination that a breach occurred (often 30–45 days).⁵ The SEC Proposed Rules would require notification within four business days after a registrant has determined that a breach occurred.

The regulatory arena surrounding data security is becoming systematically more complicated. Companies that interact with PII should maintain a high-level understanding of breach notification obligations and know when to seek guidance. Vinson & Elkins tracks developments related to data privacy laws in the United States and internationally.

¹ See, e.g., Wash. Rev. Code § 19.255.010 et seq., § 42.56.590.

² Date of birth information can be obtained from commercial and non-commercial online databases easily including genealogy sites such as Ancestry.com and FamilySearch.Org. Other sources include Intelius, BeenVerified, and Spokeo.

³ The Radaris website advertises that its background reports may include Social Security numbers.

⁴ See generally, Catalin Cimpanu, 127 million user records from 8 companies put up for sale on the dark web, ZDNet (Feb. 14, 2019), https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/.

⁵ See, e.g., Colo. Rev. Stat. § 6-1-716; Fla. Stat. § 501.171; 10 Me. Rev. Stat. § 1346 et seq. (with  30-day timeframes).  See also Ala. Code §§ 8-38-1 to 8-38-12; Ariz. Rev. Stat. § 18-551 — 18-552; Md. Code Com. Law § 14-3504 et seq.; N.M. Stat. § 57-12C-6 (with 45-day timeframes).