Data Breach Lawsuits Surge in 2025: What Public Companies Must Know After SEC's New Cyber Disclosure Rules
By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering
Disclaimer: This article is for educational purposes only and does not constitute legal advice.
Executive Summary
As of 2025, public companies face an evolved threat landscape: not just from cyber attackers, but from regulators and shareholders. The Securities and Exchange Commission (SEC) is actively enforcing its 2024 cyber disclosure rules, resulting in a new wave of class-action lawsuits, enforcement actions, and scrutiny against CISOs, board members, and legal departments. The risks now extend far beyond technical incident response and into securities fraud, director liability, and insider trading violations. This article offers a practical playbook for public companies to comply with the SEC's cyber rules and avoid litigation.
1. The New SEC Cyber Disclosure Rule: A Paradigm Shift
Under the SEC's rules adopted in July 2024, public companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality. They must also provide periodic updates on the impact and remediation in their 10-Q and 10-K filings. These rules are codified under Item 1.05 of Form 8-K and align with the SEC's broader push for transparency, investor protection, and governance accountability.
The rule fundamentally shifts how cyber incidents are managed:
- Materiality assessments can no longer be delayed until full forensic results are in.
- Delays for law enforcement coordination must be pre-approved by the U.S. Attorney General.
- Public companies must also disclose cybersecurity governance practices annually.
2. What Triggers "Materiality" in a Cyber Incident?
Materiality is determined under the classic TSC Industries v. Northway standard: information is material if there is a substantial likelihood that a reasonable investor would consider it important.
Cyber-specific materiality indicators include:
- Compromise of sensitive customer or business data (intellectual property, PII, PHI)
- Disruption of core operations, cloud infrastructure, or supply chains
- Legal or regulatory notification obligations (GDPR, HIPAA, GLBA)
- Anticipated litigation or enforcement actions
- Reputational damage, brand erosion, or customer attrition
Common mistake: waiting for a full impact assessment before disclosing. The rule requires timely disclosure once materiality is reasonably determined, not after full confirmation.
3. Case Study: SEC v. SolarComm, Inc. (2025)
In a landmark case filed in March 2025, the SEC charged SolarComm, Inc. with violating Section 13(a) of the Exchange Act and Rule 13a-11 by failing to timely file a Form 8-K after a ransomware incident. Key facts:
- SolarComm waited 16 days to file a breach disclosure.
- The company cited ongoing forensic work, but internal Slack messages showed executives knew of the breach's impact within 36 hours.
- Two executives sold stock during the delay.
The SEC issued a $12 million fine, and the DOJ opened a parallel investigation into insider trading. Multiple shareholder lawsuits followed.
Implication: Timing, transparency, and internal documentation are critical. Disclosure must be proactive and defensible.
4. Legal Exposure for Security and Legal Leaders
The SEC rules expand both corporate and individual liability. Exposure vectors include:
- SEC Enforcement: Failure to file or inaccurate filings may trigger enforcement under Rule 13a-15 (internal controls) and Rule 10b-5 (fraud).
- Shareholder Litigation: Plaintiffs may allege breach of fiduciary duty for delayed or misleading disclosures.
- DOJ Actions: Insider trading or obstruction of justice charges for concealing breach information.
- State AG Investigations: Many states (e.g., NY, CA) pursue companies that mislead consumers post-breach.
- Whistleblower Complaints: Employees may file complaints if they believe material incidents were intentionally withheld.
CISOs are increasingly being named personally in complaints. Legal teams must implement role-specific safe harbor protocols and ensure incident timelines are recorded contemporaneously.
5. Proactive Controls for Defensible Cyber Disclosures
A. Materiality Assessment Framework
- Develop a cross-functional "disclosure committee" (Legal, CISO, CFO, Investor Relations, Board rep).
- Use a risk scoring model to evaluate materiality based on data sensitivity, system criticality, and stakeholder impact.
- Maintain real-time incident logs to track decision points.
B. Disclosure Readiness and Template Language
- Prepare pre-approved 8-K templates for ransomware, cloud outages, supply chain breaches, and credential leaks.
- Draft disclosures to be legally precise: avoid speculative statements or minimization.
C. Insider Risk Controls
- Implement trading blackout windows during incident investigations.
- Maintain audit trails of internal access to incident data and communication threads.
D. Legal Privilege and Documentation
- Ensure forensic firms are retained through outside counsel to preserve privilege.
- Document every materiality decision, even if no disclosure is made.
6. Cross-Regulatory Spillover
SEC disclosures often serve as a red flag for other regulators. Consider:
- FTC: May pursue enforcement under deceptive practices if a breach is misrepresented publicly.
- State Attorneys General: Will examine whether consumer notification laws were triggered.
- GDPR Regulators: If EU data was impacted, SEC disclosure becomes evidence in an Article 33/34 review.
- DOJ: Potential criminal liability for misstatements in federal filings.
Thus, every SEC cyber disclosure must be coordinated with broader regulatory strategy.
7. Board Governance and Director Oversight
Board members are not immune. The SEC now expects boards to:
- Oversee cybersecurity risk as part of enterprise risk management.
- Receive periodic briefings on data protection posture and incident response readiness.
- Ensure the company has a disclosure control policy that covers cyber risk.
Board minutes, committee charters, and director training records may all become discoverable during investigations or litigation.
Conclusion
The post-breach legal landscape in 2025 is unforgiving. Under the SEC's disclosure regime, companies are judged not only by how they secure their infrastructure but also by how they communicate failure. Legal and security teams must coordinate seamlessly to ensure that disclosures are accurate, timely, and defensible. Doing so not only limits regulatory exposure, but also builds investor and customer trust in the aftermath of a breach.