Cyber 101: Data breach Notification Laws and Costs

Carl Niedbala

COO & Co-Founder

**This is a guest post by Scott Smedresman of Sorin Rand.**

Things are going great. Your startup is scaling, you’re collecting tons of data and starting to generate real revenue. You get press, start to gain prominence, and then, all of a sudden, it happens. You’re hacked. The personal information of your users is compromised. The press pounces. You have both a PR and legal nightmare on your hands.

This scenario is actually more common than you’d think. Much like with litigation, becoming a target is something of a sign of success: no one attacks a nobody (usually…). However, prominence has some obviously nasty side effects, among them becoming a target for hackers.

So what to do when you suffer a breach?

There are a variety of guides available that go through the many steps involved in a comprehensive breach response, including internal investigation, potential law enforcement involvement, public relations strategy, notification procedures and remediation. Each of those topics could be a post in and of itself.

Since I’m the lawyer, I’ll focus for the time being on a big legal obligation – breach notification. If you’ve truly suffered a serious breach, you usually have to tell your customers.

Believe it or not, there is currently no comprehensive national data breach notification law in the United States. Instead, most states have their own laws about how to handle a breach involving the personal data of that state’s residents. Since almost every state has its own law, and a major breach likely involves data on users residing in most if not all states, your company could have to comply with 40+ data breach notification laws at once. Although similar, each one has its own flavor and requirements. Bills have been introduced in Congress to create a general national standard, but at present nothing has been passed. For the time being, this patchwork of state laws must be navigated.

Although each law is different, they commonly require notice to affected users, identifying the types of information that were exposed. The kicker is that many of these laws require written, non-email notice to the impacted users.

Could you imagine sending hard-copy letters to all your users? You could have to. Alternatives to written notice are only permissible in certain cases, typically when the cost of individual notice or the number of affected people exceeds a statutory threshold, and even then, conspicuous public notice is required, sometimes including notice to “major statewide media”. That’s really how the laws are written.

In addition to notifying users, there can be further consequences: several states also require notice to the state attorney general or other regulators, and many breach incidents result in class action lawsuits.

So what to do? Be careful, but most of all, be prepared. If you are collecting reams of data, work with your CTO and come up with an internal plan identifying areas of risk and how to respond. That plan should include an inventory of which data you hold counts as regulated personal information under these laws and whether it is encrypted, since many state laws do not require notice when the exposed data was encrypted and the key was not compromised. If you can’t avoid being a target, at least put an action plan in place so you know what to do if you become a victim.



About the Author:

Scott Smedresman is a senior associate at SorinRand LLP, a law firm focusing its practice on representing startups, from pre-formation through exit, as well as the financial institutions, investors, directors and executives that support and lead them.

Scott concentrates his practice in corporate technology transactions and intellectual property-related matters, including license, development, collaboration, distribution, service, and maintenance agreements, as well as IP strategy, prosecution, enforcement, and infringement. He also advises clients on website and mobile application terms of use, privacy policies and end user licenses. He also litigates a variety of IP and IT disputes and has argued cases in federal and state courts, including before the Appellate Division of the State of New York. Scott was recognized as being among New Jersey’s Rising Stars of the legal profession for both 2013 and 2014, an honor that recognizes the top up-and-coming attorneys in the state.

Scott also serves as a legal advisor to the Media and Entertainment and Data, Analytics and Security working groups of the Application Developers Alliance, which include members from Google, Intel, Yahoo and CBS Interactive, among others.

Get in touch with Scott:

P: 732.737.7868

C: 201-803-0035


