Cybersecurity and breaches: what to do if your Texas startup suffers a data breach

1. Execute your cybersecurity protection plan

The problem is that lots of startups don’t already have a plan.

That’s completely foolish.

You need to already have a plan in place before any type of breach or cybersecurity “event.” There are guidelines and frameworks out there that help you do this. The goal is for your startup to:

identify: develop organizational understanding to manage cybersecurity risk

protect: develop safeguards

detect: implement activities to identify occurrence of a cybersecurity event

respond: create appropriate activities to take action regarding a detected cybersecurity event

recover: restore any capabilities that were impaired due to the cybersecurity event

Yeah, I know that sounds like a bunch of fluff, but get used to it. It’s actually the proper way to think about this kind of thing.

The National Institute of Standards and Technology (NIST) provides more guidance on this.

2. Notify individuals according to Texas rules

The Texas Business and Commerce Code in section 521 says that a business has a duty to protect sensitive information and that it has to give notification following a breach of security of computerized data. In other words, you have a legal responsibility to take action regarding a breach. You just can’t sweep it under the rug and hope no one notices.

3. Notify individuals of other states

If you’re running operations in other states, then you will need to comply with their security breach laws as well.

See here for a full list of these breach notification laws.

4. Follow GDPR breach rules

Under the GDPR breach notification rules, if you’re the processor then you need to notify the controller. If you’re the controller, then notify the supervisory authority within 72 hours if there’s a breach and it’s likely to result in a risk to the rights and freedoms of natural persons. If there’s a high risk to the data subject, and in certain conditions, then the controller should communicate the data breach to the data subject in clear and plain language.

If you don’t know what any of this means then read my article on GDPR.

5. Deal with your cybersecurity insurance company/other relevant parties

Depending on how things go, you may need to talk to your startup’s cybersecurity insurance company. See the linked article on how to think about cybersecurity insurance issues. Be careful not to blow attorney-client privilege when dealing with your insurance company.