Being a startup isn't all daffodils and sunshine. Case in point: DoorDash, an on-demand food delivery service, announced last week it had been hit by a breach that impacted the data of approximately 4.9 million consumers.

While breaches aren't exclusive to the dominion of the humble startup—here's looking at you, Marriott and Capital One—they can be especially devastating to a young company that still has most of its capital tied up in product development.

That's why startups, and their attorneys, may have to run the risk of settling for a slightly lower bar when it comes to compliance.

Liz Harding, a shareholder at Polsinelli, thinks startups should be pursuing progress, not perfection.

"A big, publicly traded company, they really want to be as close as they can get to perfection in terms of compliance," Harding said. "The startup can't afford that. They don't want to have—and they can't afford to have, quite frankly—a written policy for every eventuality."

The catch is that startups can't exactly afford to be breached either. Harding estimated that even a small breach carries a price tag somewhere in the neighborhood of $40,000 to $50,000 after lawyer fees and the cost of notifications and forensics.

Absent cyber insurance, Harding thinks those expenditures could easily wipe out a startup. She's heard of some companies that have opted to take the risk of not providing notification in the aftermath of a breach, which isn't so much a strategy as it is a roll of the dice given the strict reporting parameters found in laws such as the EU's General Data Protection Regulation (GDPR).

"That can really come back to bite you," Harding said.

So with avoidance off the table as a viable strategy, startups and their law firms could be forced to work on the company's defense instead.

A good portion of that work begins with adequate cyber defenses. Mike Titens, a partner at Thompson & Knight, believes most startups are engaging the services of third-party providers to store their data rather than burning cash on the necessary hardware to do so onsite.

But even that decision comes with its share of risk, given that companies can still be held liable in the event the provider itself is breached.

"The startups will often find in their contracts with these cloud providers and so forth, very little protection," Titens said.

However, that's not to say that startups are at a total disadvantage when it comes to breaches and cybersecurity. For instance, a startup with a modestly sized staff can actually have an advantage over bigger legacy companies that are trying to adapt retroactively to privacy regulations like the European Union's General Data Protection Regulation (GDPR) or the forthcoming California Consumer Privacy Act.

Dan Greene, an attorney with Beckage, pointed out that building an office culture that says yes to multifactor authentication and no to employees sending sensitive work materials to their personal email accounts is more manageable from the ground up.

"It's a lot easier to change the culture around multifactor authentication amongst ten folks in a new company than it is across an enterprise level multi-thousand employee firm," Greene said.

Still, breaches happen, and just how much those efforts will count with regulators once the dust settles varies from case to case.

While Titens does believe regulators take into account the size, state of development and cyber hygiene of a company that has been impacted by a breach, it's still not an enviable position to occupy.

"One of the challenges is that the cybersecurity will be judged after an incident has occurred. Looking at a company's planning in retrospect makes it easier to point fingers and say that the company missed something obvious and should have taken other steps," Titens said.