**This is a guest post by Scott Smedresman of Sorin Rand.**
Things are going great. Your startup is scaling, you’re collecting tons of data and starting to generate real revenue. You get press, start to gain prominence, and then, all of a sudden, it happens. You’re hacked. The personal information of your users is compromised. The press pounces. You have both a PR and legal nightmare on your hands.
This scenario is actually more common than you’d think. Much like with litigation, becoming a target is something of a sign of success – no one attacks a nobody (usually…). However, prominence has some obviously nasty side effects, among them becoming a target for hackers.
So what to do when you suffer a breach?
There are a variety of guides available that go through the many steps involved in a comprehensive breach response, including internal investigation, potential law enforcement involvement, public relations strategies, notification procedures and remediation. Each of those topics could be a post in and of itself.
Since I’m the lawyer, I’ll focus for the time being on a big legal obligation – breach notification. If you’ve truly suffered a serious breach, you usually have to tell your customers.
Believe it or not, there are currently no comprehensive national data breach notification laws. Instead, most states have their own laws about how to handle a breach involving customer data of residents of that state. Since almost every state has its own law, and a major breach likely involves data on users residing in most if not all states, your company could have to comply with 40+ data breach notification laws. Although similar, each one has its own flavor and requirements. Laws have been introduced in Congress to create a general national standard, but at present, nothing has been passed. For the time being, this patchwork of state laws must be navigated.
Although each law is different, they commonly require notice to affected users, identifying the types of information that have been exposed. The kicker is that many of these laws require written, non-email notice to the impacted users.
Could you imagine sending physical letters to all your users? You could have to. The alternatives to written notice are only permissible in certain cases, and even then, conspicuous public notice is required, sometimes even to “major statewide media”. That’s really how the laws are written.
In addition to notifications, there could be further consequences, and many breach incidents result in class action lawsuits.
So what to do? Be careful, but most of all, be prepared. If you are collecting reams of data, work with your CTO and come up with an internal plan identifying areas of risk and how to respond. If you can’t avoid being a target, at least put an action plan in place so you know what to do if you become a victim.
About the Author:
Scott Smedresman is a senior associate at SorinRand LLP, a law firm focusing its practice on representing startups, from pre-formation through exit, as well as the financial institutions, investors, directors and executives that support and lead them.
Scott also serves as a legal advisor to the Media and Entertainment and Data, Analytics and Security working groups of the Application Developers Alliance, which include members from Google, Intel, Yahoo and CBS Interactive, among others.