Show Notes

Follow on LinkedIn: www.linkedin.com/company/idtheftcenter/
Follow on Twitter: twitter.com/IDTheftCenter

Show Transcript

Welcome back to the Identity Theft Resource Center’s (ITRC’s) Weekly Breach Breakdown, supported by Sentilink. I’m James E. Lee, the ITRC’s President. Yep – I got a promotion for Christmas. This is the first episode of season six of our weekly podcast that looks at the most recent events and trends related to data security and privacy. This is the podcast for Friday, January 10. Today, we will look at what’s been going on in the wild and whacky world of data breach notices. Okay, I exaggerated about the latest news about data breaches being wild. Or whacky. However, there is some interesting news on two fronts – a change in New York’s data breach notice law and analysis from year one of the Securities and Exchange Commission’s (SEC’s) cybersecurity disclosure rule.

First, New York has added significant changes to its data breach notice law by adding health and health insurance information to the list of items that can trigger a data breach. Also, Empire State lawmakers changed the amount of time a breached organization has to inform victims from “the most expedient time possible and without reasonable delay” to 30 days from the discovery of the breach. 

Thirty (30) days is certainly an improvement over “whenever,” but it’s still 27 days longer than the New York Department of Financial Services (DFS) gives companies it regulates to send breach notices. The latest change in the New York breach law requires the DFS to be notified of all breaches – not just by organizations regulated by the agency.

The other significant bit of news involves an analysis of the first year of the SEC’s new cybersecurity disclosure rule, which includes data breaches as well as cyberattacks. Under the rule adopted at the end of 2023, publicly traded companies have four days from determining if a cyber event is material to disclose the event and its impact on the company.

The idea behind the cybersecurity disclosure rule change was that investors needed to know about cyber events to make informed decisions about investing in a company and hold management accountable when they happen.

What happened? According to an analysis by the global law firm Paul Hastings, the number of cyber-related disclosures filed with the SEC increased by 60 percent in 2024. However, less than ten (10) percent of the disclosures included details about the cyber event and its impact. 

That’s consistent with the ITRC’s analysis of data breach notices issued in 2024. The number of breach notices was high. However, the amount of actionable information in the notices has steadily dropped since 2020.

One side effect of the SEC cybersecurity disclosure rule was that companies reported cyber events before they decided about materiality – which is the trigger set by the Commission. No material impact, no disclosure. With that said, companies were erring on the side of caution rather than being accused later by the SEC of misleading investors.

Data breach notices are problematic for various reasons, not the least of which is the lack of uniformity in state laws and federal regulations. It’s difficult to quantify whether, and if so, how much, the confusing matrix of requirements (or lack thereof) contributes to the steady rise of data breaches and cyberattacks.

That’s never stopped us at the ITRC from trying. At the end of this month, we’ll release the latest in our long-running series of annual reports on data breaches in the U.S. Our sister podcast, the Fraudian Slip, will focus on the report later this month when it is released on January 28.

Meanwhile, if you want to learn how to secure your personal or business information or how to avoid scams, speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT Monday-Friday). Just visit www.idtheftcenter.org to get started. 

Thanks to Sentilink for their support of the ITRC and this podcast. Please hit the like button for this episode and subscribe wherever you listen to your podcasts. We will return next week with another episode of the Weekly Breach Breakdown.