Correct Answer: A
Companies are not legally required to report all data breaches, as different jurisdictions have different rules and regulations regarding data breach notification. For example, in the European Union, the General Data Protection Regulation (GDPR) requires companies to report data breaches that pose a risk to the rights and freedoms of individuals within 72 hours of becoming aware of the breach. In the United States, there is no federal law that mandates data breach notification, but most states have their own laws that vary in terms of the definition, scope, and timing of data breach notification.
* B. No, not if the data is encrypted is not a correct answer, as encryption does not necessarily exempt companies from reporting data breaches. Encryption can reduce the risk and impact of data breaches, but it does not guarantee that the data is completely protected from unauthorized access or disclosure.
Depending on the jurisdiction and the type of data, companies may still have to report data breaches even if the data is encrypted.
* C. No, companies' codes of ethics don't require it is not a correct answer, as codes of ethics are not legal requirements, but rather voluntary principles and values that guide the conduct and behavior of companies and their employees. Codes of ethics may or may not include provisions for data breach notification, but they do not override the legal obligations of companies to report data breaches according to the applicable laws and regulations.
* D. No, only if the breach had a material impact is not a correct answer, as the materiality of the impact is not the only factor that determines whether companies have to report data breaches. The materiality of the impact may vary depending on the nature, scope, and context of the data breach, as well as the expectations and interests of the affected parties. Some jurisdictions may require companies to report data breaches regardless of the materiality of the impact, while others may have different thresholds or criteria for data breach notification.
References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 1, page 36; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 1, page 32