Private members-only forum

Small SaaS had a data breach — what's the actual notification timeline?

Started by panicked_founder_zr · May 1, 2026 · 234 views · 4 replies
For informational purposes only. This is not legal advice. Laws vary by jurisdiction. Consult a qualified attorney for advice specific to your situation.
panicked_founder_zr (OP)

Discovered yesterday that a third-party support tool we use was breached, and attackers may have gotten access to ~2,400 of our customer records: names, emails, encrypted passwords. No payment info. Customers are mostly US-based, with some EU. Who do I need to notify, and on what timeline?

privacy_eng_jr

State breach notification laws vary. CA requires notice "in the most expedient time possible and without unreasonable delay." Some states have specific 30/60/90-day deadlines. EU GDPR requires notice within 72 hours of becoming aware.

If no PII is tied to financial data and passwords are properly encrypted, you may have a "safe harbor" defense in some states. But err on the side of notification.

ComplianceOfficer

Get cyber insurance involved IMMEDIATELY if you have a policy. They have panel counsel and forensics they'll deploy. Better than rolling your own response.

SergeiTokmakovCounsel

I'm Sergei Tokmakov, California attorney (Bar #279869). Breach response is high-stakes. Quick framework:

(1) Engage forensics immediately to determine scope. (2) Engage privacy counsel — every state has its own statute and notice requirements vary. (3) Determine which residency states are affected (each state's law applies). (4) Notify EU residents within 72 hours under GDPR Art 33. (5) Notify your cyber insurance carrier. (6) Document the timeline of discovery, mitigation steps, and notification.

For 2,400 records with email + encrypted passwords, most state attorneys general expect notice but rarely take enforcement action absent further harm. Customer notification is the bigger PR/customer-trust issue. Be transparent, be fast, offer credit monitoring even if not strictly required. Informational only.