Cybersecurity & Incident Response

What "reasonable security" means and what happens when things go wrong

Overview

Every company that holds data will eventually face a security incident. The legal question isn't just how to prevent one; it's what you're required to do before one happens and what you must do if one occurs. Before: most states have some form of reasonable security requirement, and federal law layers on top of that, both sector-specific statutes (HIPAA for health data, GLBA for financial institutions) and the FTC Act's general prohibition on unfair or deceptive practices, which the FTC uses against companies whose security falls short of what they promised or what is reasonable. The NIST Cybersecurity Framework is the closest thing to a universal standard for what "reasonable" looks like. After: breach notification laws in all 50 states require you to notify affected individuals (and in some cases regulators) when a breach occurs. The triggers, timelines, and required content vary by state.

The more complex cybersecurity picture applies to companies touching federal systems or defense contracts. FedRAMP authorization is required to sell cloud services to federal agencies. The DoD's CMMC program, phased into contracts starting November 2025, requires defense contractors to be assessed at one of three levels: self-assessment at Level 1, third-party assessment for most Level 2 contracts, and government-led assessment at Level 3. These requirements are significant compliance undertakings but also significant market qualifications: a FedRAMP authorization or CMMC certification opens government markets that are otherwise closed.

Federal Laws

Computer Fraud and Abuse Act (CFAA)
The federal anti-hacking statute (18 U.S.C. § 1030). Criminalizes accessing a computer without authorization or exceeding authorized access, and creates a civil cause of action that companies use against former employees and competitors who misuse credentials. Since Van Buren v. United States (2021), "exceeds authorized access" means reaching parts of a system the user was not entitled to access at all, not using permitted access for an improper purpose, so a terms-of-service or acceptable-use violation by itself is not a CFAA claim.

Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
Requires covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and ransomware payments within 24 hours of making the payment. The reporting obligations take effect only once CISA's final implementing rule is in force; CISA published its proposed rule in April 2024 and is finalizing it. Applies to entities in the 16 critical infrastructure sectors, including IT, communications, financial services, and energy. Tech companies operating critical infrastructure or providing services to those that do should monitor CISA's rulemaking.

Cybersecurity Maturity Model Certification (CMMC)
DoD-specific cybersecurity assessment and certification requirement for defense contractors and subcontractors. Phased into contracts starting November 2025. Three levels: Level 1 (basic, annual self-assessment against the 15 safeguards in FAR 52.204-21), Level 2 (advanced, the 110 requirements of NIST SP 800-171; third-party C3PAO assessment for most contracts, self-assessment for some), Level 3 (expert, adds selected NIST SP 800-172 controls and is assessed by the government's DIBCAC). Any company in the defense industrial base, including software vendors, IT service providers, and cloud providers touching DoD systems, must work out which CMMC level applies to the contracts it wants. Non-compliance means losing DoD contracts.

Electronic Communications Privacy Act (ECPA)
Governs how the government and private parties can access electronic communications and stored data. Its three titles cover real-time interception (the Wiretap Act), stored records (the Stored Communications Act), and metadata collection (the Pen Register Act). It is the primary federal statute protecting the privacy of digital communications. Applies to any entity that intercepts, accesses, or stores electronic communications.

Federal Risk and Authorization Management Program (FedRAMP)
A government-wide program establishing security assessment standards for cloud services used by federal agencies. Not a law, but effectively mandatory if you want to sell cloud services to the federal government. Authorization is expensive and time-consuming but creates a significant competitive moat; relatively few cloud providers have full authorization. Managed by GSA. Impact levels: Low, Moderate, and High, chosen according to the FIPS 199 categorization of the data the service processes.

Gramm-Leach-Bliley Act (GLBA)
Requires financial institutions to explain their information-sharing practices and protect sensitive customer data. The FTC's Safeguards Rule, as amended in 2021, mandates a written information security program with specific administrative, technical, and physical safeguards, including a designated qualified individual, written risk assessments, access controls, encryption of customer information in transit and at rest, and multi-factor authentication for anyone accessing customer information. A 2023 amendment adds a regulator notification duty: report a notification event affecting 500 or more consumers to the FTC as soon as possible and no later than 30 days after discovery.

Health Information Technology for Economic and Clinical Health Act (HITECH)
Strengthened HIPAA enforcement and extended HIPAA obligations directly to business associates. Introduced tiered civil penalties and required HHS to conduct periodic audits of covered entities and business associates. Relevant to any tech company that is or may become a HIPAA business associate.

Health Insurance Portability and Accountability Act (HIPAA)
Any tech company building health apps, handling patient records, operating as a business associate of a covered entity, or processing protected health information must understand HIPAA. The Privacy Rule, Security Rule, and Breach Notification Rule each impose distinct obligations. HIPAA's definitions of "covered entity" and "business associate" are broader than most tech founders assume: a SaaS platform that processes health data on behalf of a hospital is a business associate and must have a signed BAA. The Breach Notification Rule requires notice to affected individuals without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals must also be reported to HHS within that window and to prominent media outlets, while smaller breaches are logged and reported to HHS annually. HHS Office for Civil Rights actively enforces, particularly against tech companies following data breaches.

NIST Cybersecurity Framework 2.0 (NIST CSF)
A voluntary framework, not a law, but it practically functions as a de facto compliance standard. Referenced in state breach notification laws (Tennessee), required or strongly encouraged for federal contractors, and used by courts and regulators to assess the reasonableness of cybersecurity programs. CSF 2.0, released in February 2024, adds a new "Govern" function to the original five (Identify, Protect, Detect, Respond, Recover). Any tech company should understand this framework before claiming to have "reasonable" security.

Browse by Country

Australia, Israel, Singapore, South Korea, United Kingdom

How Jurisdictions Differ

Breach notification laws vary primarily on three dimensions: what triggers notification (what counts as a breach, which data types are covered, and whether encrypted data is exempt), how quickly you must notify (some states require notification "in the most expedient time possible," others set specific deadlines ranging from 30 to 90 days), and whom you must notify (affected individuals only, or also the state attorney general, a state regulator, or the consumer reporting agencies). The clock generally starts at discovery of the breach rather than at the intrusion, so the incident record should capture when and how the breach was discovered. California and New York have the most demanding requirements. If you have customers in multiple states, your incident response plan needs to accommodate the most restrictive state's requirements.
