Do I have to tell my users if my app got breached?
In most cases, yes. In the US, 50 states + DC have breach-notification laws. In the EU, GDPR requires notification within 72 hours. Exceptions are narrow — typically only if the data was fully encrypted and the key wasn't stolen. Hiding a breach is usually a separate legal violation on top of the breach itself. Notify your users, fast, with specifics.
The default answer is yes, and the cost of getting this wrong is bigger than the breach itself. Quick geography:
**United States:** Every state has a breach-notification law. Common requirements:
- Notify affected users without unreasonable delay (most states: 30-90 days; some: ASAP)
- Notify the state AG if above a threshold (often 500 affected users in that state)
- Specific content: what happened, what data, what you're doing about it, what the user can do
**EU / UK (GDPR):**
- Notify the Data Protection Authority within 72 hours of awareness
- Notify affected users without undue delay if there is a high risk to their rights and freedoms
- Penalty for missing this: up to 2% of global revenue, separate from the breach penalty
**Canada (PIPEDA), Australia (Privacy Act), most of LatAm:** similar requirements, specifics vary.
**When you don't have to notify:**
- Data was encrypted at rest with a key the attacker didn't steal, AND no indication the key was accessed. This is narrow; 'we use Supabase and it encrypts at rest' doesn't qualify if the attacker got your service-role key.
- The breach was hypothetical (scan showed exposure but no data actually leaked). Even here, best practice is still to notify.
**What happens if you don't notify and get caught:**
- The FTC, state AGs, and foreign regulators have extracted millions from founders who tried to hide breaches
- 'Failure to notify' is often prosecuted as a separate offense from the underlying breach
- Criminal charges are rare for startups but happen for executives who actively covered up (see: Uber CSO Joe Sullivan)
**The notification email, done right:** specific, honest, useful. State what happened, when, which data, what you've done, what the user should do. Your lawyer will review before it goes out.
Securie's scan (launching this year) will give you a documented pre-launch security snapshot that (a) reduces your chance of a breach in the first place and (b) gives you evidence of reasonable care if one happens anyway. Join the list now so it runs in week 1 of early access.