Cyber 101: Data breach Notification Laws and Costs

Carl Niedbala

COO & Co-Founder

**This is a guest post by Scott Smedresman of Sorin Rand.**

Things are going great. Your startup is scaling, you’re collecting tons of data and starting to generate real revenue. You get press, start to gain prominence, and then, all of a sudden, it happens. You’re hacked. The personal information of your users is compromised. The press pounces. You have both a PR and legal nightmare on your hands.

This scenario is more common than you’d think. Much like litigation, becoming a target is something of a sign of success – no one attacks a nobody (usually…). Prominence, however, has some obviously nasty side effects, and one of them is becoming a target for hackers.

So what to do when you suffer a breach?

There are a variety of guides available that go through the many steps involved in a comprehensive breach response, including internal investigation, potential law enforcement involvement, public relations strategy, notification procedures and remediation. Each of those topics could be a post in and of itself.

Since I’m the lawyer, I’ll focus for the time being on a big legal obligation – breach notification. If you’ve truly suffered a serious breach, you usually have to tell your customers.

Believe it or not, there is currently no comprehensive national data breach notification law. Instead, most states have their own laws about how to handle a breach involving customer data of residents of that state. Since almost every state has its own law, and a major breach likely involves data on users residing in most if not all states, your company could have to comply with 40+ data breach notification laws. Although similar, each one has its own flavor and requirements. Laws have been introduced in Congress to create a general national standard, but at present nothing has been passed. For the time being, this patchwork of state laws must be navigated.

Although each law is different, they commonly require notice to affected users, identifying the types of information that have been exposed. The kicker is that many of these laws require written, non-email notice to the impacted users.

Could you imagine sending hard-copy letters to all your users? You could have to. The alternatives to written notice are permissible only in certain cases, and even then, conspicuous public notice is required, sometimes even to “major statewide media”. That’s really how the laws are written.

In addition to notifications, there could be further consequences, and many breach incidents result in class action lawsuits.

So what to do? Be careful, but most of all, be prepared. If you are collecting reams of data, work with your CTO to draw up an internal plan that identifies areas of risk and how to respond to each. If you can’t avoid being a target, at least put an action plan in place so you know what to do if you become a victim.



About the Author:

Scott Smedresman is a senior associate at SorinRand LLP, a law firm focusing its practice on representing startups, from pre-formation through exit, as well as the financial institutions, investors, directors and executives that support and lead them.

Scott concentrates his practice in corporate technology transactions and intellectual property-related matters, including license, development, collaboration, distribution, service, and maintenance agreements, as well as IP strategy, prosecution, enforcement, and infringement. He also advises clients on website and mobile application terms of use, privacy policies and end user licenses. He also litigates a variety of IP and IT disputes and has argued cases in federal and state courts, including before the Appellate Division of the State of New York. Scott was recognized as being among New Jersey’s Rising Stars of the legal profession for both 2013 and 2014, an honor that recognizes the top up-and-coming attorneys in the state.

Scott also serves as a legal advisor to the Media and Entertainment and Data, Analytics and Security working groups of the Application Developers Alliance, which include members from Google, Intel, Yahoo and CBS Interactive, among others.

Get in touch with Scott:

P: 732.737.7868

C: 201-803-0035
