After a Breach, Size Matters For Better—And Worse—to Startups
No one wants to be breached, but for startups such a cyber attack can be tantamount to a death sentence. Still, being a young and nimble player in the cybersecurity game isn't entirely without its advantages.
October 03, 2019 at 11:30 AM
Being a startup isn't all daffodils and sunshine. Case in point: DoorDash, an on-demand food delivery service, announced last week it had been hit by a breach that impacted the data of approximately 4.9 million consumers.
While breaches aren't exclusive to the dominion of the humble startup—here's looking at you, Marriott and Capital One—they can be especially devastating to a young company that still has most of its capital tied up in product development.
That's why startups, and their attorneys, may have to run the risks of settling for a slightly lower bar when it comes to compliance.
Liz Harding, a shareholder at Polsinelli, thinks startups should be pursuing progress, not perfection.
"A big, publicly traded company, they really want to be as close as they can get to perfection in terms of compliance," Harding said. "The startup can't afford that. They don't want to have—and they can't afford to have, quite frankly—a written policy for every eventuality."
The catch is that startups can't exactly afford to be breached either. Harding estimated that even a small breach carries a price tag somewhere in the neighborhood of $40,000 to $50,000 after lawyer fees and the cost of notifications and forensics.
Absent cyber insurance, Harding thinks those expenditures could easily wipe out a startup. She's heard of some companies that have opted to take the risk of not providing notification in the aftermath of a breach, which isn't so much a strategy as it is a roll of the dice given the strict reporting parameters found in laws such as the EU's General Data Protection Regulation (GDPR).
"That can really come back to bite you," Harding said.
So with avoidance off the table as a viable strategy, startups and their law firms could be forced to work on the company's defense instead.
A good portion of that work begins with adequate cyber defenses. Mike Titens, a partner at Thompson & Knight, believes most startups are engaging the services of third-party providers to store their data rather than burning cash on the necessary hardware to do so onsite.
But even that decision comes with its share of risk, given that companies can still be held liable in the event the provider itself is breached.
"The startups will often find in their contracts with these cloud providers and so forth, very little protection," Titens said.
However, that's not to say that startups are at a total disadvantage when it comes to breaches and cybersecurity. For instance, a startup with a modestly sized staff can actually have an advantage over bigger legacy companies that are trying to adapt retroactively to privacy regulations like the GDPR or the forthcoming California Consumer Privacy Act.
Dan Greene, an attorney with Beckage, pointed out that building an office culture that says yes to multifactor authentication and no to employees sending sensitive work materials to their personal email accounts is more manageable from the ground up.
"It's a lot easier to change the culture around multifactor authentication amongst ten folks in a new company than it is across an enterprise level multi-thousand employee firm," Greene said.
Still, breaches happen, and just how much those efforts will count with regulators once the dust settles varies from case to case.
While Titens does believe regulators take into account the size, state of development and cyber hygiene of a company that has been impacted by a breach, it's still not an enviable position to occupy.
"One of the challenges is that the cybersecurity will be judged after an incident has occurred. Looking at a company's planning in retrospect makes it easier to point fingers and say that the company missed something obvious and should have taken other steps," Titens said.