Private members-only forum

Client Database Hacked - What Are My Legal Notification Obligations?

Started by AccountantSteve_20 · Dec 31, 2025 · 10 replies
For informational purposes only. This is not legal advice.
AccountantSteve_20 (OP)

Looking for advice on this situation. Client Database Hacked - What Are My Legal Notification Obligations? Any guidance would be greatly appreciated.

Details: I'm in a situation where I need to understand my legal options. Has anyone dealt with something similar?

confused_af_rn_8 (Attorney)

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

cant_even_anymore_22

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

seriously_though_34

Yeah, always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes 🤷.

techworker_4 (Attorney)

Professional malpractice claims have shorter statutes of limitation than most people realize. In many states it's 1-2 years from discovery. Don't wait.

ComplianceOfficer_10

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

hearsay_harry_23

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

confused_af_rn_8 (Attorney)

FWIW, professional malpractice claims have shorter statutes of limitation than most people realize. In many states it's 1-2 years from discovery. Don't wait.

ComplianceOfficer_10

Always have a written engagement letter that clearly defines scope, deliverables, timeline, and fees. It protects both sides and prevents 90% of professional disputes.

AccountantSteve_20 (OP)

Update: Thanks everyone for the guidance. I consulted with an attorney and we're moving forward. The advice here helped me understand what questions to ask and what to expect. Will update when there's a resolution.

seriously_though_3

Critical point: all 50 states plus DC have data breach notification laws, and they all have DIFFERENT requirements. Timelines range from 30 to 90 days.

If you had clients in multiple states, you need to comply with each law separately. You absolutely need a privacy attorney for this.

nightshift_13

I work in cybersecurity incident response and want to share the practical side of breach notification since the legal obligations are only half the battle. Every state has its own breach notification statute, and they differ substantially on timing, definitions of personal information, and notification methods. As of 2026, all 50 states plus DC, Puerto Rico, and the US Virgin Islands have breach notification laws.

The most aggressive timeline is currently in Florida, where SB 7040 requires notification within 30 days of determining a breach occurred. California (Cal. Civ. Code Section 1798.82) requires notification in the most expedient time possible and without unreasonable delay. In practice, California regulators interpret that as 45-60 days maximum, though there is no hard statutory deadline. Federal regulators under HIPAA require notification within 60 days if health data is involved.

Here is what most businesses miss: if you have customers in multiple states, you must comply with the strictest applicable law. A breach affecting customers in all 50 states means you effectively need to meet the shortest deadline and the broadest definition of protected information. This is why many companies default to notifying everyone within 30 days regardless of state.

Also critical: document your investigation timeline. If regulators or plaintiffs later argue that you delayed notification, you need to show exactly when you discovered the breach, when you confirmed it, and what steps you took in between. Engaging a forensics firm and outside counsel immediately creates a paper trail that demonstrates good faith. The attorney-client privilege may also protect your forensic investigation from discovery if structured correctly under the Kovel doctrine.

One final point -- do not forget about contractual notification obligations. Many B2B contracts contain breach notification clauses with timelines as short as 24-72 hours. Check your customer agreements before focusing exclusively on statutory requirements.

case_dismissed_69_11

Important enforcement update for anyone following breach notification obligations: the FTC just announced a consent order against a mid-size SaaS company (250 employees, B2B platform) for failing to notify affected customers within a reasonable timeframe after discovering a breach. The company waited 97 days after confirming data exfiltration before sending notifications. The FTC imposed a $2.3 million penalty and a 20-year compliance monitoring requirement.

What makes this case notable is that the company argued it needed the additional time to complete its forensic investigation. The FTC rejected that argument, holding that the company had sufficient information to begin notifications within 30 days of confirming the breach, even if the full scope was still being determined. The FTC's position is that you should notify with what you know and supplement later, rather than waiting for a complete picture.

Additionally, Minnesota's new Consumer Data Privacy Act (effective July 2025) added a 60-day hard deadline for breach notifications, joining Florida (30 days), Colorado (30 days), and several other states with firm statutory deadlines. If your business has customers nationwide, the practical advice remains the same: aim for 30 days from confirmation and you will be in compliance with essentially every jurisdiction.

One more point on the contractual side that @nightshift_13 raised: I am seeing more enterprise contracts requiring 24-hour preliminary notification followed by a detailed notification within 72 hours. If your B2B agreements have these clauses and you miss them, you face both regulatory liability and breach of contract claims from your customers. Review your contracts now, not during an active incident.