December 5, 2021

Volume XI, Number 339

Recent SEC Guidance and Upcoming Amendments to California and Illinois Statutes Affect Data Breach Disclosure Obligations

Recognizing that business entities now conduct a majority of their operations with the assistance of electronic programs and databases, and that a significant amount of business and personal information may be stored electronically in those systems, state legislatures and financial regulators are taking steps to identify the risks inherent in such computer-driven operations. Covered companies that are registered with the SEC and that collect or electronically store their clients' and employees' personal information run the risk of experiencing an unauthorized breach of that data by hacking, inadvertent dissemination, loss or theft of portable devices containing such information, or other unauthorized disclosure. If a data breach occurs, a covered company's responsibility to disseminate information about the breach may be broadened under the SEC's recent guidance.

SEC Releases Guidance Outlining Disclosure Obligations

On October 13, the Securities and Exchange Commission (SEC) released guidance[1] relating to a covered business entity's obligations to disclose cybersecurity risks and data breach incidents within SEC registrants' already-required SEC disclosures and filings. The SEC provided this guidance in an effort to instruct business entities on what situations call for disclosure of information about potential and/or actual data security breaches in public filings, and what amount of detail should be provided. 

Currently, 46 states plus the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted laws requiring companies to notify individuals within their jurisdiction if their personal information has been implicated in a data security breach incident. While each state's threshold requirements for notification vary, notification is typically required when information such as a person's Social Security number, driver's license number, or bank account number, in conjunction with other personal identifying information, has been or is "reasonably believed" to have been breached. While the new SEC guidance does not add any requirements to a company's state-by-state obligations to notify affected individuals in these situations, companies should consider the SEC's current position when considering whether similar disclosures about the breach must be included in SEC filings. 

In the event that a covered company experiences what the SEC terms a "material cyber attack," in the form of a data breach incident requiring notification, the SEC guidance indicates that the following factors associated with the breach may require disclosure in SEC-required filings:

  • Financial disclosures regarding the remediation costs incurred or expected to be incurred by the business entity. Such costs could include the costs of credit monitoring for affected individuals, costs of preparing and disseminating the data breach notifications, and costs associated with use of notification vendors.
  • Financial disclosures regarding the cost of a business entity's increased cybersecurity aimed at preventing future data breach incidents.
  • Financial disclosures regarding actual or potential loss in revenue due to reputational damage stemming from the data breach incident or actual revenue loss due to the effects of the data breach.
  • Legal disclosures regarding filed litigation stemming from the data breach, if the potential litigation would be material.

Additionally, if a business entity concludes that there is a risk of future cybersecurity/data breach incidents due to its systems not rigorously protecting data, the SEC guidance indicates that a business entity must disclose those facts if they make "investment in the company speculative or risky." 

The SEC guidance stops short of requiring registrants to modify or enhance the notifications and disclosures that are already mandated by each state's data breach statutes, in part because it is cognizant that "detailed disclosures could compromise cybersecurity efforts - for example, by providing a 'roadmap' for those who seek to infiltrate a registrant's network security."

Nevertheless, the SEC guidance makes it clear that, in addition to compliance with state data breach notification requirements, various existing SEC requirements may necessitate additional disclosure of a data breach incident or its aftereffects in a business entity's public filings. Business entities must therefore not only follow the letter of each state's notification laws, but also consider whether and how each data breach incident should be disclosed in their regular public filings.

California and Illinois Data Breach Requirements

In other news in the data breach realm, California, the first state to enact a data breach statute, and Illinois have both amended their data breach statutes.

California's amendments, which go into effect on January 1, 2012, incorporate many of the recent developments in other states. In data breach situations where more than 500 people are affected, for example, California's statute will require companies to "electronically submit a single sample" of the notification letter to the state's attorney general, excluding any personally identifiable information. The new law amends the substitute notice provisions, and addresses the relationship with federal requirements for companies subject to HIPAA.

The California amendments also clarify that data breach notices to affected individuals must be written in "plain language" and include the following:

  • A general description of the breach
  • The name of and contact information for the reporting entity
  • The types of personal information that were "or are reasonably believed" to have been part of the breach
  • The date or estimated date of the breach, and the length of the breach
  • Whether notification was delayed by law enforcement
  • Toll-free telephone numbers and addresses of the credit reporting agencies (CRAs), only if the breach included Social Security numbers, driver's license numbers, or California ID card numbers

Illinois has also amended its data breach notification requirements, with the amendments likewise going into effect on January 1, 2012. Illinois's amendments also mainly concern the content of a data breach notification. The state will require data breach notifications to include the toll-free numbers and addresses for the CRAs and the Federal Trade Commission, as well as a "statement that the individual can obtain information from these sources about fraud alerts and security freezes." Of note, the Illinois amendments specifically state that notifications to affected individuals shall not include the number of Illinois residents affected by the breach.

Companies regularly collect and store personal information from both their clients and their employees, creating a risk that this sensitive information could be inadvertently disclosed or accessed without authorization. In the case of a data breach, companies should not only be prepared to follow each state's requirements regarding notification and remediation of the breach and their contractual obligations to their customers, but also consider the implications of the breach upon their SEC filing requirements. These considerations should be included in a data breach incident response plan that the company follows if a breach occurs.

Copyright © 2021 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume I, Number 321

About this Author

Ron Dreben, intellectual property lawyer, Morgan Lewis

Ron N. Dreben advises clients on intellectual property and technology issues in business transactions. He provides advice in connection with mergers, acquisitions, and licensing arrangements, as well as trademark, copyright, trade secret, and related IP law. A Certified Information Privacy Professional (CIPP), Ron helps companies address privacy issues and respond to security breaches and advises US companies on the relevance of the EU Data Directive. Ron has experience negotiating with most of the leading technology product and service vendors.

W. Reece Hirsch, Morgan Lewis, Regulatory Attorney

W. Reece Hirsch counsels clients on healthcare regulatory and transactional matters and co-heads the firm’s privacy and cybersecurity practice. Representing healthcare organizations such as hospitals, health plans, insurers, physician organizations, healthcare information technology companies, and pharmaceutical and biotech companies, Reece advises clients on issues such as privacy, fraud and abuse, and self-referral issues. This includes healthcare-specific data privacy and security matters, such as compliance with the Health Insurance Portability and Accountability Act...

Kenneth Kliebard, Litigation attorney, Morgan Lewis

Co-leader of the firm’s financial services litigation practice, Kenneth M. Kliebard focuses on complex commercial disputes and defending class actions and financial services litigation in US federal and state courts. Ken also counsels clients on compliance with consumer protection laws and the nuanced rules and regulations issued by the Consumer Financial Protection Bureau (CFPB) and other agencies. He also represents clients in related regulatory and qui tam matters.

Gregory Parks, privacy and cybersecurity lawyer, Morgan Lewis

Gregory T. Parks counsels and defends retail companies and other consumer facing clients in matters related to privacy and cybersecurity, class actions and Attorney General actions, consumer protection laws, loyalty and gift card programs, retail operations, payment mechanisms, product liability, waste management, shoplifting prevention, compliance, antitrust, and commercial disputes. If it is important to a retail company, Greg makes it his business to know it. He handles all phases of litigation, trial, and appeal work arising from these and other areas. Greg is the co...