Nobody plans for a data breach. It's one of those things that always happens to someone else—until it doesn't. When it happens to you, the first few hours are critical. How you respond can mean the difference between a manageable incident and a catastrophic one that damages your business, your reputation, and your customers.
I've walked businesses through breach responses. The ones that fare best aren't necessarily the ones with the biggest security budgets. They're the ones who had a plan, stayed calm, and acted decisively. The ones who panicked, tried to cover things up, or delayed notification almost always ended up worse off.
What Counts as a Data Breach?
A data breach isn't just hackers stealing your database. Under most breach notification laws, it's any unauthorized access to, acquisition of, or disclosure of personal information (GDPR also counts accidental loss, alteration, or destruction). The exact definition varies by jurisdiction, but it generally includes:
- Hackers accessing your systems
- Ransomware that encrypts customer data (most ransomware crews now exfiltrate data before encrypting it, so assume exposure as well as loss of access)
- An employee accidentally emailing sensitive data to the wrong person
- A lost or stolen laptop containing unencrypted customer information
- A misconfigured database left exposed on the internet
- Unauthorized employee access to records they shouldn't see
The key is unauthorized access to personal information. Even if no data was actually stolen or misused, the unauthorized access itself can constitute a breach requiring response.
Immediate Response: The First 24 Hours
Contain the Incident
First priority: stop the bleeding. If systems are compromised, isolate them from the network rather than powering them off: pulling the plug destroys memory-resident evidence (running processes, live network connections, decrypted keys) that a forensic examiner will want. If credentials are stolen, revoke them and invalidate active sessions. If there's malware, contain the affected hosts and block the command-and-control addresses you know about.
This step requires careful judgment. You want to stop ongoing damage without destroying evidence. Don't wipe or reimage systems, rotate logs, or make changes that eliminate forensic trails; you'll need those later for investigation and potentially for law enforcement.
Assemble Your Team
Get the right people together immediately. Depending on your organization, this might include:
- IT/Security personnel
- Legal counsel (internal or external)
- Senior management
- Communications/PR
- Customer service leadership
If you don't have internal expertise for incident response, this is when you call in specialists. Forensics firms, breach response attorneys, and PR consultants who specialize in data breaches can be invaluable. Yes, they're expensive. But the cost of mishandling a breach is far higher.
Preserve Evidence
Document everything, with timestamps and who did what. Capture volatile memory before imaging disks, take forensic images of affected systems and work from copies rather than the originals, and record a hash of every image and log export so you can later prove nothing was altered. Preserve logs from every relevant source (endpoints, servers, cloud audit trails, identity provider, VPN) and extend retention immediately so they don't roll over mid-investigation. Screenshot what you're seeing. This evidence is crucial for understanding what happened, for legal requirements, and potentially for law enforcement or insurance claims.
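As an added example (not code from the original article), here is a small chain-of-custody manifest builder of the kind an incident responder keeps next to preserved evidence: it hashes every file, records who collected it and when, signs the manifest with its own digest, and can later prove whether anything was altered. The evidence directory, case ID, collector address and sample files are all constructed for illustration.

```python
"""Added example, not code from the original article: build and later verify a
chain-of-custody manifest for preserved evidence files.

Assumptions (all constructed for illustration): evidence lives in one
directory of files (disk images, log exports, screenshots); the manifest
format, case ID, collector name and sample files below are made up.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB images never sit in memory


def sha256_file(path):
    """Streaming SHA-256 of a file, returned as hex."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_digest(manifest):
    """Digest over everything in the manifest except its own digest field."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Hash every file in evidence_dir and record who collected it and when (UTC)."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            continue
        entries.append({
            "file": name,
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"case_id": case_id, "entries": entries}
    # Record this digest somewhere the manifest file itself can't be edited
    # (the incident log, an e-mail to counsel); it proves the manifest is intact.
    manifest["manifest_sha256"] = manifest_digest(manifest)
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Return a list of (item, problem) pairs; an empty list means everything checks out."""
    problems = []
    if manifest_digest(manifest) != manifest["manifest_sha256"]:
        problems.append(("manifest", "manifest edited after creation"))
    for e in manifest["entries"]:
        path = os.path.join(evidence_dir, e["file"])
        if not os.path.exists(path):
            problems.append((e["file"], "missing"))
        elif sha256_file(path) != e["sha256"]:
            problems.append((e["file"], "hash mismatch"))
    return problems


def demo():
    """Constructed run: preserve two files, verify, then alter one and verify again."""
    d = tempfile.mkdtemp(prefix="evidence-")
    with open(os.path.join(d, "webserver-access.log"), "wb") as f:  # constructed log line
        f.write(b'10.0.0.5 - - [12/Mar/2024:03:14:07 +0000] "GET /admin HTTP/1.1" 200 512\n')
    with open(os.path.join(d, "laptop-042.dd"), "wb") as f:  # stand-in for a disk image
        f.write(os.urandom(4096))
    manifest = build_manifest(d, "analyst@example.com", "IR-2024-001")
    clean = verify_manifest(d, manifest)
    with open(os.path.join(d, "webserver-access.log"), "ab") as f:
        f.write(b"appended after collection\n")  # simulates accidental modification
    return clean, verify_manifest(d, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering:", after)
```

The point of the separate manifest digest is that the manifest is itself evidence: write that one hash into the incident log or send it to counsel at collection time, and a later verification can show both that the files are untouched and that nobody quietly rewrote the manifest to match.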
Initial Assessment
Start gathering facts, even if preliminary:
- When did the breach occur? When was it discovered?
- What systems are affected?
- What types of personal information were involved?
- How many individuals might be affected?
- Is the breach ongoing or has it been contained?
You won't have all the answers immediately, but early assessment guides the response.
Investigation and Analysis
Once the immediate crisis is contained, dig deeper:
Forensic Investigation
A thorough forensic analysis determines exactly what happened, how attackers got in (or how the incident occurred), what data was accessed, and whether attackers are still present. This can take days or weeks depending on complexity.
Don't rush this phase. Incomplete investigation leads to incorrect conclusions about what data was affected, which leads to inadequate (or overly broad) notifications.
Scope Assessment
Determine exactly whose data was compromised and what types of information were involved. The notification requirements differ significantly between:
- Names and email addresses only
- Names plus financial information (credit cards, bank accounts)
- Names plus Social Security numbers
- Healthcare information
- Credentials (usernames and passwords)
More sensitive data typically triggers more stringent notification requirements and potentially greater harm to affected individuals.
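The categories above are what the notification analysis turns on, so the first technical task in scope assessment is usually to run over the affected records and answer "which of these types are actually present, and for how many people?" The following is an added example of that first pass, not code from the original article; the records, field names and validation rules (SSN structure, Luhn check for card numbers, credential and health fields recognized by column name) are constructed assumptions that you would adapt to your own schema.

```python
"""Added example, not code from the original article: a first-pass scope
assessment over a set of exfiltrated records, reporting which categories of
personal information are present and how many distinct individuals are
affected. Sample records, field names and matching rules are constructed."""
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")
CARD_RE = re.compile(r"^\d{13,19}$")

# Assumed column names; adjust to the breached system's schema.
CREDENTIAL_FIELDS = {"password", "password_hash", "pw_hash", "secret", "api_key"}
HEALTH_FIELDS = {"diagnosis", "icd10", "prescription", "medical_record_number"}


def is_valid_ssn(value):
    """Structural SSN check: area 000/666/9xx, group 00 and serial 0000 are never issued."""
    m = SSN_RE.match(value)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits):
    """Luhn checksum, which every major card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_payment_card(value):
    cleaned = value.replace(" ", "").replace("-", "")
    return bool(CARD_RE.match(cleaned)) and luhn_ok(cleaned)


def classify_field(name, value):
    """Return the data category a single field falls into, or None."""
    name = name.lower()
    if name in CREDENTIAL_FIELDS:
        return "credentials"
    if name in HEALTH_FIELDS:
        return "health"
    if not isinstance(value, str):
        return None
    if EMAIL_RE.match(value):
        return "email"
    if is_valid_ssn(value):
        return "ssn"
    if is_payment_card(value):
        return "payment_card"
    return None


def assess_scope(records, id_field="email"):
    """Categories present across all records, plus the count of distinct individuals."""
    categories, individuals = set(), set()
    for rec in records:
        if rec.get(id_field):
            individuals.add(rec[id_field].lower())  # case-fold so one person isn't counted twice
        for k, v in rec.items():
            cat = classify_field(k, v)
            if cat:
                categories.add(cat)
    return {"categories": sorted(categories), "individuals": len(individuals)}


SAMPLE_RECORDS = [  # constructed; the card number is a well-known test PAN
    {"email": "a.jones@example.com", "name": "A Jones", "ssn": "123-45-6789",
     "password_hash": "$2b$12$redactedbcrypthash"},
    {"email": "b.lee@example.com", "name": "B Lee", "card": "4111 1111 1111 1111"},
    {"email": "A.Jones@example.com", "name": "A Jones", "ssn": "000-12-3456"},  # same person, bogus SSN
]

if __name__ == "__main__":
    print(assess_scope(SAMPLE_RECORDS))
```

Two design choices matter here. Validating rather than pattern-matching (the SSN area/group/serial rules, the Luhn check) keeps test data and placeholder values from inflating the scope into a broader notification than the facts support. Counting distinct individuals rather than rows is what the regulators and credit bureaus will ask for, and duplicates in an exported table are the norm.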
Risk Assessment
Evaluate the likelihood of harm to affected individuals. Were passwords stored with a slow, salted hash (bcrypt, scrypt, Argon2), with a fast unsalted hash that a wordlist attack defeats in seconds, or in plain text? Was financial data encrypted, and was the key out of the attacker's reach? Most encryption safe harbors in notification laws apply only if the key wasn't also compromised. Were the attackers opportunistic (grabbed whatever they could) or targeted (looking for specific information)?
This assessment influences both notification decisions and what remediation you offer.
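To make the "hashed and salted" question concrete, here is an added example (not code from the original article) that stores the same three constructed accounts two ways and then attacks both dumps with a small wordlist the way an offline cracker would. The user names, passwords and wordlist are made up; the scrypt parameters are an assumption chosen to run in about a second.

```python
"""Added example, not code from the original article: why "hashed and salted"
changes the risk assessment. Against a constructed dump of three accounts, an
offline attacker with a small wordlist recovers every weak password stored as
unsalted MD5 with one hash per word; per-user salts plus a slow KDF (scrypt
here) force one expensive hash per word per user. User names, passwords and
the wordlist are all constructed.
"""
import hashlib
import os
import time

# Constructed: what a breached site's users might have chosen.
USERS = {"alice": "summer2024", "bob": "letmein", "carol": "X9#vQ2!pLm"}
WORDLIST = ["password", "123456", "letmein", "welcome1", "summer2024", "qwerty"]


def md5_unsalted(password):
    """The weak scheme: fast and unsalted, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def scrypt_salted(password, salt):
    """The strong scheme: per-user salt and a memory-hard KDF (n=2**14 uses ~16 MiB)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def make_dumps(users):
    """Return the same accounts stored both ways, as an attacker would find them."""
    weak = {u: md5_unsalted(p) for u, p in users.items()}
    strong = {}
    for u, p in users.items():
        salt = os.urandom(16)
        strong[u] = (salt, scrypt_salted(p, salt))
    return weak, strong


def crack_unsalted(dump, wordlist):
    """Hash each word once, then look every user up: cost is O(words), independent of users."""
    table = {md5_unsalted(w): w for w in wordlist}
    cracked = {u: table[h] for u, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """Salt differs per user, so every guess is recomputed per user: O(words x users) slow hashes."""
    cracked, attempts = {}, 0
    for u, (salt, target) in dump.items():
        for w in wordlist:
            attempts += 1
            if scrypt_salted(w, salt) == target:
                cracked[u] = w
                break
    return cracked, attempts


def demo(users=USERS, wordlist=WORDLIST):
    """Crack both dumps and report what was recovered and how much work it took."""
    weak, strong = make_dumps(users)
    t0 = time.perf_counter()
    weak_cracked, weak_attempts = crack_unsalted(weak, wordlist)
    t1 = time.perf_counter()
    strong_cracked, strong_attempts = crack_salted(strong, wordlist)
    t2 = time.perf_counter()
    return {
        "unsalted_md5": {"cracked": weak_cracked, "hashes": weak_attempts, "seconds": t1 - t0},
        "salted_scrypt": {"cracked": strong_cracked, "hashes": strong_attempts, "seconds": t2 - t1},
    }


if __name__ == "__main__":
    for scheme, result in demo().items():
        print(f"{scheme}: recovered {result['cracked']} "
              f"with {result['hashes']} hashes in {result['seconds']:.3f}s")
```

Both schemes give up the two weak passwords to this toy wordlist; what differs is the cost. With unsalted MD5 the attacker builds a lookup table once and it serves every account in the dump, so a real wordlist of a few hundred million entries cracks a large user base in minutes. With per-user salts each guess has to be recomputed per account, and with a memory-hard KDF each of those recomputations is deliberately slow, which is why the risk assessment (and the urgency of forcing resets on other services where users reused the password) comes out very differently.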
Legal Requirements and Notification
Know Your Obligations
Breach notification requirements vary by jurisdiction and data type:
US State Laws: All 50 states have breach notification laws, each with slightly different requirements for timing, content, and what triggers notification. If you have customers in multiple states, you may need to comply with multiple laws.
GDPR: Breaches affecting EU residents must be reported to the supervisory authority within 72 hours of becoming aware of them unless the breach is unlikely to result in a risk to individuals' rights and freedoms; if you miss the 72 hours, the notification must explain the delay. Affected individuals must be notified without undue delay when the breach is likely to result in a high risk to them.
HIPAA: Breaches of protected health information must be reported to affected individuals without unreasonable delay and no later than 60 days after discovery, to HHS (within the same window for breaches affecting 500 or more people, in an annual log for smaller ones), and to prominent media outlets when more than 500 residents of a state or jurisdiction are affected.
Sector-Specific Rules: Financial services, government contractors, and other regulated industries have additional requirements.
Timing
Most laws require notification "without unreasonable delay" or within a specific timeframe (often 30-60 days from discovery). GDPR's 72-hour requirement for authority notification is among the strictest.
Reasonable time to investigate is generally allowed: you don't have to notify before you understand what happened. But you can't delay indefinitely while investigating, and the clock usually starts at discovery, not at the end of the investigation. Many laws also permit a delay at the written request of law enforcement. If your investigation extends the timeline, document why.
What to Include in Notifications
Breach notifications typically must include:
- Description of the incident
- Types of information involved
- Steps individuals can take to protect themselves
- What you're doing in response
- Contact information for questions
The tone matters. Notifications that seem evasive or minimize the incident often generate worse reactions than straightforward, honest communications.
Who to Notify
Depending on circumstances and applicable laws:
- Affected individuals
- State attorneys general
- Data protection authorities (under GDPR)
- Sector regulators (for healthcare, financial services, etc.)
- Law enforcement (particularly for large breaches or ongoing threats)
- Credit bureaus (for large breaches involving financial data)
Remediation and Support
For Your Systems
Fix the vulnerability that led to the breach, and use the forensic findings to confirm that the attacker's access and any persistence they left behind (backdoors, rogue accounts, scheduled tasks, OAuth grants) are gone before you declare the incident closed. If credentials were compromised, force password resets, invalidate active sessions, and rotate any secrets the attacker could have reached (API keys, tokens, certificates). If systems were infected, rebuild them from known-good images rather than trusting a cleanup. Document all changes for your records.
For Affected Individuals
Consider what support to offer:
Credit monitoring: For breaches involving Social Security numbers or financial data, offering free credit monitoring has become standard practice. Typically 12-24 months of coverage.
Identity theft protection: More comprehensive than credit monitoring, these services can include dark web monitoring, identity restoration assistance, and insurance against identity theft losses.
Dedicated support: Set up a call center or dedicated email address for affected individuals to ask questions and report problems. Make sure the people staffing it are trained and have good information.
Clear guidance: Provide specific instructions on steps individuals can take to protect themselves—freezing credit, monitoring accounts, changing passwords for other services if credentials were reused.
Managing Communications
Internal Communications
Employees need to know what's happening and what to say (or not say) when asked. Clear internal communication prevents rumors and ensures consistent messaging.
Customer Communications
Beyond the required notifications, consider proactive communication. Blog posts, FAQs, and social media updates can address widespread concerns before they become bigger issues.
Media Relations
Large breaches attract press attention. Have a prepared statement and designate a spokesperson. Be honest about what happened without speculating or providing unnecessary detail that could be legally problematic.
Regulator Communications
If regulators reach out, respond promptly and professionally. Cooperation typically goes better than stonewalling. Have legal counsel involved in all regulatory communications.
Post-Breach Review
After the immediate crisis passes, take time for a thorough review:
Root cause analysis: What exactly went wrong? Technical failure? Human error? Inadequate controls? External attack exploiting specific vulnerability?
Response evaluation: What worked well in your response? What didn't? How could you respond better next time?
Control improvements: What changes will prevent similar incidents? What detection improvements would catch them faster?
Documentation: Document everything about the incident and response. You may need this for regulatory inquiries, litigation, insurance claims, or future reference.
Building Resilience
The best time to prepare for a breach is before it happens:
- Have an incident response plan documented and tested
- Know who your key contacts are—forensics firm, breach attorneys, PR support
- Maintain good data inventories so you know what data you have where
- Practice breach scenarios periodically
- Consider cyber insurance (and understand what it covers)
No security is perfect. The question isn't whether you'll ever face a breach, but how prepared you'll be when it happens. The businesses that handle breaches well aren't lucky—they're prepared.