

Cyber 101: Data breach Notification Laws and Costs


Carl Niedbala - Founder Shield

COO & Co-Founder

**This is a guest post by Scott Smedresman of Sorin Rand.**

Things are going great. Your startup is scaling, you’re collecting tons of data and starting to generate real revenue. You get press, start to gain prominence, and then, all of a sudden, it happens. You’re hacked. The personal information of your users is compromised. The press pounces. You have both a PR and legal nightmare on your hands.

This scenario is actually more common than you’d think. Much like with litigation, becoming a target is something of a sign of success – no one attacks a nobody (usually…). However, prominence has some obviously nasty side effects, among them becoming a target for hackers.

So what to do when you suffer a breach?

There are a variety of guides available that go through the many steps involved in a comprehensive breach response, including internal investigation, potential law enforcement involvement, public relations strategy, notification procedures and remediation. Each of those topics could be a post in and of itself.

Since I’m the lawyer, I’ll focus for the time being on a big legal obligation – breach notification. If you’ve truly suffered a serious breach, you usually have to tell your customers.

Believe it or not, there is currently no comprehensive national data breach notification law. Instead, most states have their own laws about how to handle a breach involving the customer data of residents of that state. Since almost every state has its own law, and a major breach likely involves data on users residing in most if not all states, your company could have to comply with 40+ data breach notification laws. Although similar, each one has its own flavor and requirements. Laws have been introduced in Congress to create a general national standard, but at present, nothing has been passed. For the time being, this patchwork of state laws must be navigated.

Although each law is different, they commonly require notice to affected users when certain types of information have been exposed. The kicker is that many of these laws require written, non-email notice to the impacted users.

Could you imagine sending paper letters to all your users? You could have to. The alternatives to written notice are only permissible in certain cases, and even then, conspicuous public notice is required, sometimes even to “major statewide media”. That’s really how the laws are written.

In addition to notification, there can be further consequences: many breach incidents result in class action lawsuits.

So what to do? Be careful, but most of all, be prepared. If you are collecting reams of data, work with your CTO and come up with an internal plan identifying areas of risk and how to respond. If you can’t avoid being a target, at least put an action plan in place so you know what to do if you become a victim.



About the Author:

Scott Smedresman is a senior associate at SorinRand LLP, a law firm focusing its practice on representing startups, from pre-formation through exit, as well as the financial institutions, investors, directors and executives that support and lead them.

Scott concentrates his practice in corporate technology transactions and intellectual property-related matters, including license, development, collaboration, distribution, service, and maintenance agreements, as well as IP strategy, prosecution, enforcement, and infringement. He also advises clients on website and mobile application terms of use, privacy policies and end user licenses. He also litigates a variety of IP and IT disputes and has argued cases in federal and state courts, including before the Appellate Division of the State of New York. Scott was recognized as being among New Jersey’s Rising Stars of the legal profession for both 2013 and 2014, an honor that recognizes the top up-and-coming attorneys in the state.

Scott also serves as a legal advisor to the Media and Entertainment and Data, Analytics and Security working groups of the Application Developers Alliance, which include members from Google, Intel, Yahoo and CBS Interactive, among others.

Get in touch with Scott:

P: 732.737.7868

C: 201-803-0035

E: ssmedresman@sorinrand.com

