When a Breach Happens, the Legal Response Matters as Much as the Technical One
Cybersecurity incidents don’t wait for convenient timing, and the legal obligations they trigger are immediate. State breach notification laws impose strict timelines. Contractual notification requirements in vendor and customer agreements may be even shorter. Regulatory inquiries can follow quickly. And every action taken — or not taken — in the first hours and days after a breach can affect the company’s legal exposure for years. John Montague serves as cybersecurity counsel to technology companies that need an attorney who understands both the regulatory framework and the technical realities of incident response. His technology transactions practice, built over fifteen years and rooted in work at Locke Lord LLP (now Troutman Pepper Locke), an AM Law 200 firm, gives him the foundation to advise on cybersecurity matters within the broader context of a company’s commercial relationships and risk profile.
From John Montague: Companies spend significant resources on cybersecurity prevention — and they should. But the ones that suffer the most after a breach are usually the ones that never developed an incident response plan. Having a plan that coordinates legal, technical, and communications responses before an incident occurs is the single most impactful thing a company can do to reduce the damage when something inevitably goes wrong.
How We Help
Montague Law’s cybersecurity practice combines proactive planning with responsive incident support. John Montague’s work includes developing incident response plans that coordinate legal, technical, PR, and executive decision-making during a cybersecurity event; advising on breach notification obligations under state laws, federal regulations, and contractual commitments; counseling companies during active incidents, including managing privilege considerations, coordinating with forensic investigators, and overseeing regulatory communications; reviewing and negotiating cybersecurity provisions in commercial agreements, including vendor security assessments, data processing agreements, and cyber insurance policies; advising on compliance with security frameworks and regulatory requirements, including the NIST Cybersecurity Framework, SOC 2, the HIPAA Security Rule, and PCI DSS; and conducting cybersecurity due diligence in M&A transactions to identify security posture risks and prior incidents.
The Legal Landscape of Cybersecurity
Cybersecurity law in the United States is a patchwork of state, federal, and industry-specific requirements that continues to expand. All fifty states now have breach notification laws, each with different definitions of personal information, different notification timelines, and different requirements for what the notification must contain. Federal regulations layer additional requirements for specific industries — HIPAA for healthcare, GLBA for financial services, FERPA for education. And contractual obligations in customer and vendor agreements may impose cybersecurity standards and notification requirements that go beyond what any regulation requires.
For technology companies, cybersecurity compliance isn’t just an internal obligation — it’s a commercial requirement. Enterprise customers increasingly demand evidence of cybersecurity maturity (SOC 2 reports, penetration testing results, security questionnaire responses) as a condition of doing business. Investors examine cybersecurity practices during due diligence. And acquirers assess the target’s breach history and security posture as part of technology M&A.
John Montague’s integrated practice — spanning technology transactions, M&A, and venture capital — allows him to advise on cybersecurity as a business issue, not just a compliance exercise. A SaaS company preparing for a Series A needs cybersecurity practices that satisfy both regulatory requirements and investor expectations. A technology company preparing for sale needs a clean breach history and defensible security posture. John helps companies build cybersecurity programs that serve all of these objectives simultaneously.
Frequently Asked Questions
What are my legal obligations if my company experiences a data breach?
Your obligations depend on the type of data compromised, the jurisdictions where the affected individuals reside, and your contractual commitments. Every state requires notification to affected individuals; many set a fixed deadline (Florida, for example, requires notice within 30 days of determining that a breach occurred), while others require notice without unreasonable delay. Some states also require notification to the state attorney general, and many require notice to consumer reporting agencies once a breach exceeds a size threshold. Federal regulations may impose additional requirements depending on your industry. And your contracts with customers and vendors likely contain their own notification obligations, often with shorter windows than any statute. John Montague helps companies navigate this multi-layered notification landscape during active incidents.
What should an incident response plan include?
An effective incident response plan should define roles and responsibilities for the response team, including who has authority to declare an incident; establish communication protocols (internal and external); identify legal counsel and forensic investigation resources in advance, with forensic investigators engaged through counsel so the investigation can be structured to preserve privilege; require that logs and forensic evidence be preserved before affected systems are rebuilt; outline containment and remediation procedures; detail notification workflows for regulators, customers, and affected individuals, keyed to the applicable deadlines; address media and public communications; include procedures for post-incident review and plan improvement; and be tested periodically through tabletop exercises so the team has practiced the plan before a real incident.
How does cybersecurity affect M&A transactions?
Cybersecurity has become a standard component of technology M&A due diligence. Acquirers examine the target’s security infrastructure, breach history, compliance posture, and incident response capabilities. Material cybersecurity deficiencies can result in purchase price adjustments, enhanced indemnification for cyber-related claims, or specific remediation requirements as closing conditions. John Montague conducts cybersecurity due diligence as part of his integrated M&A practice.
About John Montague
John Montague advises technology companies on cybersecurity as part of his integrated technology transactions, M&A, and venture capital practice. With over fifteen years of experience, a J.D. from the University of Florida Levin College of Law, and a background that includes technology work at Locke Lord LLP (now Troutman Pepper Locke), an AM Law 200 firm, he provides cybersecurity counsel grounded in commercial and transactional context. He practices from Fernandina Beach and Coral Gables, Florida.
Related Practice Areas: Technology Transactions | Data Privacy & Compliance | SaaS & Cloud Services
Need cybersecurity counsel? Call 904-234-5653 or schedule a consultation.