Beyond Materiality: Comparing the SEC’s Proposed Data Breach Notification Rules to Evolving State Notification Laws | Vinson & Elkins LLP


On March 9, 2022, the Securities and Exchange Commission (“SEC”) announced Proposed Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure (“Proposed Rules”) to address concerns about increasing cybersecurity threats to publicly traded companies. The proposed rules would require listed companies to disclose material cybersecurity risks and incidents. The SEC stated that “materiality” for the purposes of the proposed rules was consistent with applicable case law and provided examples.

In a previous article, we discussed the SEC’s materiality standard that would apply under the new proposed cybersecurity incident disclosure rules. However, the SEC is not the only government authority that requires disclosure of cybersecurity breaches. All 50 states, the District of Columbia, Puerto Rico, the Virgin Islands and Guam have data breach notification laws that require businesses (both public and private) to notify consumers (and sometimes state regulators) of data breaches that, in certain circumstances, involve personally identifiable information (“PII”).

While a breach may trigger notification requirements under the SEC’s materiality framework and state laws, certain situations may require notification to one agency but not to the other.

Data breach reporting laws vary from state to state, but most share the following characteristics:

  • A definition of covered personal information that, when satisfied, triggers a notification. Typical definitions include
    • Name,
    • Date of birth,
    • Social Security number,
    • Account information and the credentials required for access (such as username and password) and
    • Biometric information.
  • A definition of a breach
  • Requirements on the timing and content of notification to consumers and/or government authorities.

Several states provide exemptions from reporting requirements for:

  • Encrypted or redacted data,
  • Data that is already publicly available,
  • Unauthorized access by an employee of the data owner acting in good faith and
  • Breaches where there is no significant likelihood of harm to the individual.

In contrast, when determining materiality under the proposed rules, companies should assess the impact of an incident on their financial condition, operations or their relationship with customers. Organizations should consider both quantitative and qualitative factors and make materiality determinations based on the nature, magnitude and potential impact of an incident. For a more detailed discussion of materiality in the proposed rules, see What Makes a Cybersecurity Risk or Incident Material? A look at the SEC’s proposed cybersecurity rules.

While certain breaches may require notification under both SEC and state privacy standards, the two standards differ in significant ways.

Situations where the standards diverge

  • A breach may not trigger state data breach reporting requirements, but may still be material for purposes of the securities laws. State breach notification laws apply to breaches of PII. There are a variety of cybersecurity incidents that do not require reporting under state law, but still significantly affect the business. For example, an attacker could steal a company’s valuable trade secrets. This incident can significantly affect the company, even though no PII is involved. Alternatively, an attacker could use wiper malware to destroy data on an organization’s systems without stealing any PII. In either case, the breach could be material to the business without triggering state breach notification laws.
  • A breach may trigger state data breach reporting requirements, but may be immaterial for the purposes of the securities laws. Consider a breach exposing a single user’s first name, last name, and date of birth. In certain states, exposure of this information, even for a single account, would trigger reporting requirements.1 However, under the securities laws, this breach may not be material. The potential economic impact may be small, especially given that name and date of birth information is often already available online.2 There may be similar situations where even usernames, passwords or Social Security numbers are already available online, either through legitimate data collection sites3 or as a result of past breaches.4
  • The required notification timeline differs between state privacy laws and the proposed SEC rules. State laws vary, but many require individuals to be notified “as soon as possible and without undue delay” or, in any case, no later than a specified period after determining that a breach has occurred (often 30 to 45 days).5 The SEC’s proposed rules would require disclosure within four business days after a registrant determines that a cybersecurity incident is material.

The regulatory landscape surrounding data security is becoming increasingly complicated. Organizations that handle personal data should maintain a thorough understanding of breach reporting requirements and know when to seek guidance. Vinson & Elkins monitors developments related to privacy laws in the United States and internationally.

1 See, e.g., Wash. Rev. Code § 19.255.010 et seq., § 42.56.590.

2 Date of birth information can be easily obtained from online commercial and non-commercial databases, including genealogy websites such as FamilySearch.org. Other sources are Intelius, BeenVerified and Spokeo.

3 The Radaris website advertises that its background reports may include Social Security numbers.

4 See generally Catalin Cimpanu, 127 million user records from 8 companies for sale on the Dark Web, ZDNet (02/14/2019).

5 See, e.g., Colo. Rev. Stat. § 6-1-716; Fla. Stat. § 501.171; 10 Me. Rev. Stat. §§ 1346 et seq. (with 30-day time frame). See also Ala. Code §§ 8-38-1 to 8-38-12; Ariz. Rev. Stat. §§ 18-551 to 18-552; Md. Code Com. Law § 14-3504 et seq.; N.M. Stat. § 57-12C-6 (with 45-day time frame).
