Various state laws require data breach notification, and different state laws have different triggers for when notification is required and who must be notified. In California, for example, a breached company must give notice to each affected California resident, but the California Attorney General (AG) need be notified only if the breach affected 500 or more individuals in California. In New York, on the other hand, AG notification is required if any NY residents were affected by the breach.

While all such laws generally address notification of affected parties, the AG, credit reporting agencies, other holders of the data, and certain other constituents, they are not the only source of disclosure requirements.

Indeed, in connection with the well-publicized Equifax data breach of 2017, the SEC took a close look at the disclosures made about the breach and inside stock trades around that time. It didn’t like what it saw and charged an Equifax executive with insider trading when it found he exercised all of his vested Equifax stock options and then sold the shares ahead of the announcement. The SEC got a final judgment against the executive, and he also pled guilty to criminal insider trading charges.

Investors, too, can find the basis for securities claims following data breaches. In connection with that same Equifax breach, a group of investors filed a securities class action claiming they were misled by disclosures (or the lack thereof) concerning Equifax’s data security protections (the breach providing evidence of the falseness of the disclosures) and the data breach itself. The case (In re Equifax Inc. Securities Litigation, N.D. Ga., 1:17-cv-03463-TWT) is still pending.

At the end of the day, it is key to consider data breaches holistically rather than focusing only on the specific requirements of the implicated notification laws. Could there be liability under false advertising law to the extent a company is claiming a certain level of data security without disclosing breaches that have occurred? What other laws could come into play with data breach disclosures?