Know the hard timelines and content requirements before a breach lands in your lap. Balance compliance with human‑centered tone so notices inform, protect, and build trust.
For US public companies, when must a Form 8‑K under Item 1.05 be filed after determining a cybersecurity incident is material?
Within four business days of the materiality determination
Within seven calendar days of containment
After the full forensic report is finalized
Within 24 hours of initial detection
What core elements must Item 1.05 disclosures describe?
IP addresses of all affected systems
Nature, scope, timing, and material impacts or reasonably likely impacts
Exact malware family hash values
Names of every compromised individual
When can a company delay an Item 1.05 disclosure for national security or public safety?
If the company’s board votes for a delay
If insurers request more time
If the US Attorney General authorizes a delay after FBI coordination
If outside counsel advises silence
Under GDPR/UK GDPR, when must a supervisory authority be notified of a personal data breach?
Within 30 business days of detection
Only if more than 100,000 records are affected
Only after notifying every individual first
Without undue delay and where feasible within 72 hours of awareness
When are organisations required to inform affected individuals under GDPR/UK GDPR?
When the breach is likely to result in a high risk to their rights and freedoms
In all breaches regardless of risk
Only if regulators explicitly order it
Only after media outlets report it
Which tone guideline is most appropriate for consumer breach notices in 2025?
Dense legalese to avoid liability
Plain, empathetic language with actionable steps and support channels
Technical jargon that proves sophistication
Marketing copy focused on brand values
Which US sector‑specific rule expanded who must notify the FTC about certain health‑app breaches?
CAN‑SPAM commercial email rule
GLBA’s opt‑out marketing rule
The updated Health Breach Notification Rule covering health apps and connected devices
COPPA’s parental consent rule
What should an internal playbook do when the 8‑K clock starts but facts are incomplete?
Skip disclosure if impacts seem reputational only
Wait for full root‑cause confirmation
Publish speculative details to fill gaps
File what is known and amend promptly as more becomes available
What is one defensible way to balance legal precision with public reassurance in breach statements?
Separate investor 8‑K language from consumer notices tailored to practical harms
Use the same terse wording for all audiences
Avoid naming any remediation offers
Let vendors notify on your behalf without review
Which governance step best reduces scramble the day a disclosure is needed?
An informal chat channel with no owner
Pre‑approved templates with fields for timing, impact, and mitigation plus an AG‑delay decision tree
Waiting to create materials until after counsel is retained
A single generic press release kept on a shared drive
Starter
You know the clocks and basic content. Practice drafting plain‑language notices under time pressure.
Solid
Strong command of timelines and tone—work on amendment flows and multi‑audience alignment.
Expert!
Expert: your playbooks meet rules, protect people, and maintain trust.
