Private members-only forum

what do we legally have to do? — any advice?

Started by billable_hours_10 · Aug 5, 2024 · 2 replies
For informational purposes only. Not legal advice.
billable_hours_10 OP

Yesterday we discovered someone accessed our database through a misconfigured S3 bucket. We have about 15,000 users, mostly US but some EU. The exposed data includes emails, hashed passwords, and for some users, shipping addresses.

We've locked down the bucket but have no idea how long it was exposed. Could be weeks. What do we legally have to do now? Do we need lawyers immediately?
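The "no idea how long it was exposed" problem is usually answered from the bucket's own server access logs, if logging was on. Added example (not the OP's code, not from any tool mentioned in the thread): a small Python scoping script that reads lines in the S3 server access log layout, keeps only successful unauthenticated reads (requester field `-`), and reports the first/last timestamp, the object keys fetched, the source IPs, and how many anonymous requests were denied. The log lines are constructed samples with the leading fields only; bucket name, account ID and keys are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the S3 server access log layout, truncated to the
# leading fields this script reads (real lines carry more trailing fields).
# Requester "-" = unauthenticated (anonymous) request; "acct123" = a signed
# request by the bucket owner's own account. All names/IPs are assumptions.
SAMPLE_LOG = """\
acct123 example-bucket [01/Jul/2024:09:12:44 +0000] 198.51.100.7 - R1 REST.GET.OBJECT users/export.csv "GET /users/export.csv HTTP/1.1" 200 - 5120 5120 12 10 "-" "curl/8.0" -
acct123 example-bucket [01/Jul/2024:09:13:01 +0000] 198.51.100.7 - R2 REST.GET.OBJECT secret/keys.txt "GET /secret/keys.txt HTTP/1.1" 403 AccessDenied - - 3 - "-" "curl/8.0" -
acct123 example-bucket [15/Jul/2024:22:40:10 +0000] 203.0.113.9 - R3 REST.GET.OBJECT backups/db.sql "GET /backups/db.sql HTTP/1.1" 200 - 8123456 8123456 900 880 "-" "python-requests/2.31" -
acct123 example-bucket [03/Aug/2024:14:05:33 +0000] 192.0.2.44 acct123 R4 REST.PUT.OBJECT backups/db.sql "PUT /backups/db.sql HTTP/1.1" 200 - - 8123456 700 690 "-" "aws-cli/2.15" -
acct123 example-bucket [04/Aug/2024:03:17:58 +0000] 203.0.113.9 - R5 REST.GET.OBJECT users/export.csv "GET /users/export.csv HTTP/1.1" 200 - 5120 5120 11 9 "-" "python-requests/2.31" -
"""

# Tokenizer: bracketed timestamp, quoted strings, or bare whitespace-separated fields.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def parse_line(line):
    """Return the fields this scoping needs, or None for a malformed line."""
    f = TOKEN.findall(line)
    if len(f) < 10:
        return None
    ts = datetime.strptime(f[2].strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "time": ts,
        "ip": f[3],
        "requester": f[4],          # "-" means anonymous
        "op": f[6],                 # e.g. REST.GET.OBJECT
        "key": f[7],
        "status": int(f[9]) if f[9].isdigit() else None,
    }


def scope_exposure(log_text):
    """Summarise successful anonymous reads: window, keys, source IPs, denied attempts."""
    anon_reads, denied = [], 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["requester"] != "-":
            continue                # skip signed requests by known principals
        if rec["op"].startswith("REST.GET") and rec["status"] == 200:
            anon_reads.append(rec)
        elif rec["status"] == 403:
            denied += 1             # blocked probes are still worth counting
    if not anon_reads:
        return {"anonymous_reads": 0, "denied": denied}
    times = [r["time"] for r in anon_reads]
    return {
        "anonymous_reads": len(anon_reads),
        "first_seen": min(times),
        "last_seen": max(times),
        "keys": sorted({r["key"] for r in anon_reads}),
        "source_ips": sorted({r["ip"] for r in anon_reads}),
        "denied": denied,
    }


if __name__ == "__main__":
    for k, v in scope_exposure(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Two caveats for the incident timeline: the window this gives is a lower bound (the first logged read is not necessarily the first day the bucket was open), and it only exists if server access logging or CloudTrail data events were enabled before the exposure; if they were not, that absence is itself a finding to record.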

gavel_banger

@cubicle_rebel_1 - the AI training data point is so real. We had a situation where an employee fed customer data into ChatGPT for summarization. Technically that data left our systems and went to OpenAI. Does that count as a breach? The legal guidance is murky at best.

Our current policy is to treat any unintentional exposure to AI systems as a potential incident requiring investigation. Better safe than sorry given how unclear the regulatory environment is.

brandon.w_2

Wanted to flag a practical compliance issue that came up in our latest tabletop exercise: the interaction between state breach notification laws and the new federal CIRCIA reporting requirements. For companies in critical infrastructure sectors (which is broadly defined and includes cloud services, financial services, healthcare, and energy), CISA's final rule requires reporting significant cyber incidents within 72 hours and ransomware payments within 24 hours.

The tricky part is that CIRCIA reporting to CISA is separate from and in addition to state breach notification obligations. You could theoretically have to notify CISA within 72 hours, the SEC within 4 business days (if public), affected individuals within 30-60 days depending on state law, and your contractual counterparties within 24-72 hours. These are all different reports with different content requirements going to different recipients on different timelines.

My recommendation based on handling three breach responses this year: build a notification matrix now, before you have an incident. Map every reporting obligation by trigger, timeline, recipient, required content, and method of delivery. We use a spreadsheet with color-coded urgency levels. When a breach happens at 2 AM on a Friday, you do not want to be researching notification requirements from scratch.

Also worth noting: the FTC issued updated guidance in January 2026 clarifying that companies using third-party AI tools that process customer data may have notification obligations if the AI provider experiences a breach. If your customer data flows through an AI API for processing, your vendor agreement should include breach notification provisions with specific timelines.
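The notification matrix above (trigger, timeline, recipient, required content, delivery method) is easy to keep as code so the deadlines come out of a script instead of a 2 AM spreadsheet hunt. Added example, not brandon.w_2's own matrix: a Python module that encodes the obligations exactly as the post lists them (CISA 72h / 24h for ransomware payments, SEC 4 business days if public, individuals 30-60 days by state, counterparties 24-72h), takes the conservative end of each range, and produces a deadline schedule sorted by urgency. The content and method columns are placeholders, holidays are ignored in the business-day arithmetic, and every clock is started from one discovery timestamp; all of those are simplifying assumptions of the example, and the real trigger for each clock is what the matrix's trigger column should hold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Obligation:
    recipient: str
    trigger: str                 # what starts this clock
    hours: Optional[int]         # calendar-hour deadline, or None
    business_days: Optional[int] # business-day deadline, or None
    content: str                 # required report content (placeholder here)
    method: str                  # delivery method (placeholder here)
    applies_if: str = "always"   # key in the incident facts that must be True


def add_business_days(start: datetime, n: int) -> datetime:
    """Advance n weekdays. Sat/Sun skipped; public holidays ignored (assumption)."""
    cur = start
    while n > 0:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            n -= 1
    return cur


# Obligations as the post lists them; conservative end of each stated range.
# Content/method strings are placeholders, not the text of any rule or contract.
MATRIX = [
    Obligation("CISA (CIRCIA)", "significant cyber incident", 72, None,
               "PLACEHOLDER: per CISA rule", "PLACEHOLDER: CISA reporting form"),
    Obligation("CISA (CIRCIA)", "ransomware payment made", 24, None,
               "PLACEHOLDER: payment details", "PLACEHOLDER: CISA reporting form",
               applies_if="ransom_paid"),
    Obligation("SEC", "public company, material incident", None, 4,
               "PLACEHOLDER: per SEC rule", "PLACEHOLDER: SEC filing",
               applies_if="public_company"),
    Obligation("Affected individuals", "state breach law (30-60 days; 30 used)",
               30 * 24, None, "PLACEHOLDER: per state statute", "PLACEHOLDER: written notice"),
    Obligation("Contractual counterparties", "contract clause (24-72h; 24 used)",
               24, None, "PLACEHOLDER: per contract", "PLACEHOLDER: per contract"),
]


def build_schedule(discovered_at: datetime, facts: dict) -> list:
    """Return applicable obligations with their deadlines, earliest first."""
    rows = []
    for o in MATRIX:
        if o.applies_if != "always" and not facts.get(o.applies_if, False):
            continue
        if o.business_days is not None:
            deadline = add_business_days(discovered_at, o.business_days)
        else:
            deadline = discovered_at + timedelta(hours=o.hours)
        rows.append({"deadline": deadline, "recipient": o.recipient,
                     "trigger": o.trigger, "content": o.content, "method": o.method})
    rows.sort(key=lambda r: r["deadline"])
    return rows


if __name__ == "__main__":
    # The post's scenario: a breach found at 2 AM on a Friday (constructed date).
    found = datetime(2024, 8, 9, 2, 0, tzinfo=timezone.utc)
    for row in build_schedule(found, {"public_company": True, "ransom_paid": False}):
        print(f"{row['deadline']:%a %Y-%m-%d %H:%M}  {row['recipient']:<28} {row['trigger']}")
```

Run it once per tabletop with the real dates and the facts dictionary filled in, and the output is the ordered call list; the point of keeping it in code is that the 30-60 day and 24-72 hour ranges can be replaced per state and per contract without rewriting the logic.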