This is more of a security question, but thought I would ask here (and please be kind). I joined a cloud software startup as solo counsel. I’ve been asked to review a customer notice about a vulnerability in our product. To our knowledge it has not been exploited. Contractually, we only commit to notifying customers of confirmed breaches involving customer data. From a legal perspective what should I review for in these vulnerability notices? When do I need to involve outside counsel, if at all?
You’re notifying a customer of an unexploited vulnerability in your own software? My question would be, why? Is there a business desire to do so, and if so, why? If not, maybe you counsel against notifying? Is there some step the customer can take to protect themselves? Are you fixing the vulnerability? These would be questions a customer would ask.
If it’s the scenario D1 described - let them know you’ll look into it. Go meet with your product and engineering folks, ask them if they can identify/replicate it, if so, have them patch it and confirm the vulnerability is no longer present. After that let customer know and if you want to be extra nice, notify all customers that this was brought to your attention and that it has been fixed.

If you’re sending notice to your customers, same questions as A1.

Don’t really see a need for outside counsel unless there’s an actual breach.

Yep, D1 is right.

A customer is sending you notice that they discovered a vulnerability in your product?

Agree, why? I can see a customer trust angle/transparency - but tread carefully on how you word it.