
Too many rules, no real test: Untangling US Cyber Disclosure 

The US has no single federal data breach notification law, just a growing patchwork of SEC rules, HIPAA, state obligations, and incoming CIRCIA requirements. Most organizations have the policies. Very few have tested whether the right people can apply them under pressure.


The US has no single federal data breach notification law. What it has instead is a patchwork: SEC materiality obligations for public companies, notification rules from federal banking regulators, HIPAA for healthcare, and a growing stack of state laws (California, New York, Texas, Colorado, Connecticut, Virginia, and counting), each with its own timelines, definitions, and covered entities.

Most organizations have a written response to all of this. They have policies, procedures, incident response plans and attestations on file.

What they rarely have is confidence that any of it works under pressure.

What the law actually requires

The SEC’s cybersecurity disclosure rules, introduced in 2023, require public companies to report material cybersecurity incidents within four business days of determining materiality. Federal banking regulators carry their own notification obligations. Healthcare organizations operate under HIPAA. Critical infrastructure operators face the incoming requirements of CIRCIA.

State law is where the complexity compounds. All 50 states have breach notification requirements, and they don’t agree on much: the definition of personal information varies, notification timelines range from 30 days to “the most expedient time possible,” covered entities differ, and penalty structures are inconsistent. These rules move fast and are often pushed out without clear adoption paths or enforcement mechanisms.

The practical result is that most organizations know they have obligations. Far fewer know exactly what those obligations require of them in the first 96 hours of an incident, or who in their organization is responsible for meeting them.

The people making the call aren’t in Security

This is the part that most cybersecurity content gets wrong.

When a breach disclosure situation unfolds at a public company, the decision-makers are generally Legal, Privacy, Compliance, and Enterprise Risk — not the security team. The CISO surfaces the technical facts. Determining materiality, advising the board, coordinating external counsel, and deciding what to disclose, to whom, and when? That’s owned by a cross-functional group that often hasn’t rehearsed together.

The SEC has made this explicit.

In 2024, the SEC fined Unisys $4 million, not because it was breached, but because it had no formal procedures to escalate incidents to senior management, and its public disclosures didn’t reflect what it already knew. A compliance infrastructure failure, not a technical one.

The central question every organization faces in that moment is materiality. Was this incident significant enough to require disclosure? Can you defend that judgment if a regulator or plaintiff’s counsel asks you to justify it? Getting it wrong carries consequences in both directions – but the bigger risk, in our experience, isn’t the wrong answer. It’s that nobody in the room has the authority, the context, or the practice to give any answer confidently.

Most organizations have a policy position on materiality. Very few have tested whether the right people can apply it under pressure.

Having the plan is not the same as running the drill

Breach disclosure compliance is assessed through documentation. Policies, procedures, attestations, incident response plans. No regulator runs a surprise drill to verify whether your Legal team, CISO, Communications lead, and board can coordinate a material incident disclosure in under 96 hours while navigating conflicting obligations.

The incentive structure demands paperwork. It does not demand proof of execution.

This matters more for state-level regulation, where enforcement is particularly uneven. State breach notification laws are frequently updated, penalties arrive through contract disputes or AG actions months or years later, and the lack of a clear forcing function means many organizations never discover whether their process actually works.

Until a real incident puts the plan under load, nobody knows. Finding out then is expensive.

Are you actually ready?

Five questions. If your team can’t answer them cleanly without preparation, that’s the finding.

1. Who in your organization makes the materiality determination, and have they ever made one under time pressure?
2. If you received a confirmed breach notification at 9 am on a Monday, which regulators need to be notified, in what order, and by when?
3. Have your Legal, Privacy, Compliance, and Security leads ever worked through a breach disclosure scenario together?
4. If a state AG asked you to justify your materiality call six months after an incident, what documentation would you point to?
5. When Legal and the CISO last disagreed about disclosure timing, who resolved it and how?

In our experience running breach scenario simulations, the answers to questions 1 and 3 expose the most significant gaps. Not because organizations haven’t thought about materiality – most have a policy position. But a policy position and a practiced judgment call under pressure are two different things. The first lives in a document. The second requires people who’ve been in the room together before the crisis hits.

A well-designed breach disclosure tabletop puts the right stakeholders (Legal, Privacy, Compliance, Enterprise Risk, Communications, and Security) through realistic regulatory tension: conflicting federal and state timelines, ambiguous thresholds, incomplete information at decision points. It walks the full chain from incident identification to public disclosure. And it surfaces the coordination failures while the stakes are low enough to fix them.

The distance between what your policy says and what your team can actually execute under pressure is almost always larger than expected. Finding that out in a controlled environment is the point. Finding it out in front of a regulator is not.

Regulation sets the floor. Readiness sets the bar.

US data breach notification laws and the SEC’s cybersecurity disclosure rules aren’t going away. States will keep adding requirements. Federal obligations will keep evolving. None of that regulatory activity tells you whether your organization can actually respond.

Having the policy is the floor. Having a cross-functional team that’s walked through a breach disclosure scenario under real pressure, made the hard calls together, and identified the gaps – that’s a different thing entirely.

Most organizations have the fire evacuation plan posted on the wall. Very few have run the drill.


CovertSwarm helps organizations pressure-test their cyber resilience through continuous offensive security and targeted breach simulation exercises. If you want to know how your disclosure process actually holds up, get in touch.