Private members-only forum

Client Database Hacked — What Are My Legal Notification Obligations?

Started by data_breach_notification · Dec 13, 2025 · 10 replies
For informational purposes only. This is not legal advice.
data_breach_notification (OP)

Looking for advice on this situation. Client Database Hacked - What Are My Legal Notification Obligations? Any guidance would be greatly appreciated.

Details: I'm in a situation where I need to understand my legal options. Has anyone dealt with something similar?

MarkLegal_IPAttorney

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

early_employee_screwed

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

tired_of_calls_2025

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

FL_TenantLaw_Attorney (Attorney)

Professional malpractice claims have shorter statutes of limitation than most people realize. In many states it's 1-2 years from discovery. Don't wait.

PayPalPain

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

frustrated_car_owner

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

MarkLegal_IPAttorney

Professional malpractice claims have shorter statutes of limitation than most people realize. In many states it's 1-2 years from discovery. Don't wait.

PayPalPain

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

data_breach_notification (OP)

Update: Thanks everyone for the guidance. I consulted with an attorney and we're moving forward. The advice here helped me understand what questions to ask and what to expect. Will update when there's a resolution.

DataBreachResponse_Pro

Critical point: all 50 states plus DC have data breach notification laws, and they all have DIFFERENT requirements. Timelines range from 30 to 90 days.

If you had clients in multiple states, you need to comply with each law separately. You absolutely need a privacy attorney for this.

SecurityConsult_Mike

I work in cybersecurity incident response and want to share the practical side of breach notification since the legal obligations are only half the battle. Every state has its own breach notification statute, and they differ substantially on timing, definitions of personal information, and notification methods. As of 2026, all 50 states plus DC, Puerto Rico, and the US Virgin Islands have breach notification laws.

The most aggressive timeline is currently in Florida, where SB 7040 requires notification within 30 days of determining a breach occurred. California (Cal. Civ. Code Section 1798.82) requires notification in the most expedient time possible and without unreasonable delay. In practice, California regulators interpret that as 45-60 days maximum, though there is no hard statutory deadline. Federal regulators under HIPAA require notification within 60 days if health data is involved.

Here is what most businesses miss: if you have customers in multiple states, you must comply with the strictest applicable law. A breach affecting customers in all 50 states means you effectively need to meet the shortest deadline and the broadest definition of protected information. This is why many companies default to notifying everyone within 30 days regardless of state.

Also critical: document your investigation timeline. If regulators or plaintiffs later argue that you delayed notification, you need to show exactly when you discovered the breach, when you confirmed it, and what steps you took in between. Engaging a forensics firm and outside counsel immediately creates a paper trail that demonstrates good faith. The attorney-client privilege may also protect your forensic investigation from discovery if structured correctly under the Kovel doctrine.

One final point -- do not forget about contractual notification obligations. Many B2B contracts contain breach notification clauses with timelines as short as 24-72 hours. Check your customer agreements before focusing exclusively on statutory requirements.