Data Breach Response Checklist

Critical actions for the first 72 hours after discovering a data breach. Follow this proven framework used during 300+ breach responses.

Last updated: November 23, 2025

Quick Answer

In the first 72 hours after a data breach: Contain by isolating affected systems (0-4 hours), Investigate by engaging forensic experts and assessing scope (4-24 hours), Communicate by notifying regulators and preparing customer communications (24-48 hours), and Remediate by patching vulnerabilities and beginning recovery (48-72 hours). Do not delete any files or turn off systems before forensic analysis.

0-4 hrs: Contain the Breach

Goal: Stop the breach from spreading while preserving evidence for investigation.

Critical: Do NOT Delete Anything

Do not delete files, clean systems, or turn off affected computers. These actions destroy critical forensic evidence needed for investigation, legal proceedings, and insurance claims. Isolate, but don't delete.

Containment Checklist

1. Isolate Affected Systems

Disconnect compromised systems from the network to prevent lateral movement. Do NOT turn them off.

  • Disable network access (pull the network cable or disable adapters)
  • Keep systems powered on to preserve volatile memory
  • Document which systems were isolated and when

2. Activate Incident Response Team

Notify your designated incident response team or establish one immediately.

  • IT/Security Lead (technical response)
  • Legal Counsel (regulatory obligations)
  • Executive Leadership (C-level decision maker)
  • PR/Communications (if customer-facing)

3. Preserve All Logs and Evidence

Collect and secure all available logs before they are overwritten or deleted.

  • System logs, application logs, network logs
  • Firewall and intrusion detection logs
  • Email server logs and authentication logs
  • Store logs in a secure, separate location

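
An added example (not from the checklist's author) of making the log-preservation step evidence-grade: each copy is hashed and recorded in a chain-of-custody manifest, and a verify function reports any copy altered after collection. The paths, collector name and sample log line are constructed placeholders.

```python
import hashlib, json, os, shutil, socket
from datetime import datetime, timezone

def sha256_of(path):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(sources, evidence_dir, collector):
    """Copy each source log into evidence_dir and record who collected it, when
    (UTC), on which host, and each copy's size and SHA-256. Returns the manifest."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 also carries over the original mtime
        digest = sha256_of(src)
        if sha256_of(dst) != digest:  # fail closed on a corrupted copy
            raise RuntimeError(f"copy of {src} does not match its source")
        entries.append({"source": src, "copy": dst, "sha256": digest,
                        "bytes": os.path.getsize(dst)})
    manifest = {"collector": collector, "host": socket.gethostname(),
                "collected_utc": datetime.now(timezone.utc).isoformat(),
                "entries": entries}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_evidence(evidence_dir):
    """Re-hash every preserved copy and return the paths whose contents no longer
    match the manifest; an empty list means the evidence is intact."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["copy"] for e in manifest["entries"]
            if not os.path.exists(e["copy"]) or sha256_of(e["copy"]) != e["sha256"]]

if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()
    log = os.path.join(work, "auth.log")  # constructed sample log, not a real capture
    with open(log, "w") as f:
        f.write("Nov 23 02:14:07 web01 sshd[4121]: Accepted password for svc from 10.0.0.9\n")
    ev = os.path.join(work, "evidence")
    print(json.dumps(preserve_logs([log], ev, "analyst-placeholder"), indent=2))
    print("altered files:", verify_evidence(ev))  # [] right after collection
```

Store the manifest with the evidence and re-run verify_evidence before handing the copies to investigators or counsel; a non-empty result means the copies can no longer be relied on.
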
4. Document Everything

Create a detailed timeline and documentation from minute zero.

  • When the breach was discovered and by whom
  • Initial symptoms or indicators
  • Containment actions taken, with timestamps
  • People notified and their responses

5. Notify Executive Leadership

Inform C-level executives and the board (if applicable) immediately.

  • CEO, CISO, CTO, General Counsel
  • Board of Directors (for severe breaches)
  • Provide initial assessment and next steps
  • Set expectations for ongoing updates

4-24 hrs: Investigate the Breach

Goal: Understand the scope, root cause, and data affected to determine notification obligations.

Investigation Checklist

1. Engage Forensic Investigators

Hire an external IR firm if you lack in-house expertise. Most breaches require external help.

  • Contact 2-3 IR firms for immediate response
  • Verify 24-hour response capability
  • Ensure attorney-client privilege coverage

2. Assess Breach Scope

Determine what was accessed, when, and how.

  • Which systems were compromised?
  • What data types were accessed? (PII, PHI, financial, credentials)
  • How many individuals were affected (estimate)?
  • Entry point and attack vector
  • Timeline: when did the breach start vs. when was it discovered?

3. Notify Legal Counsel

External legal counsel provides attorney-client privilege protection for the investigation.

  • Engage a breach response law firm
  • Structure the investigation under privilege
  • Determine regulatory notification obligations
  • Assess potential litigation exposure

4. Determine Notification Obligations

Work with legal to understand regulatory deadlines.

  • GDPR: 72 hours to notify the supervisory authority
  • HIPAA: 60 days (or immediately if 500+ affected)
  • CCPA: Without unreasonable delay
  • State laws: Varies by state and data type

5. Begin Evidence Collection

Systematic forensic data collection by qualified investigators.

  • Memory dumps from affected systems
  • Disk images for analysis
  • Network packet captures
  • Malware samples (in a secure environment)

24-48 hrs: Communicate to Stakeholders

Goal: Meet regulatory notification deadlines and prepare stakeholder communications.

Communication Checklist

1. File Regulatory Notifications

Meet mandatory notification deadlines to avoid additional penalties.

  • GDPR: Notify the data protection authority within 72 hours
  • HIPAA: HHS notification (timeline depends on the number affected)
  • State AGs: File as required by state breach laws
  • Credit reporting agencies (if applicable)

2. Prepare Customer Notification

Draft clear, compliant customer notification letters.

  • What data was affected
  • When the breach occurred and when it was discovered
  • Steps being taken to address it
  • Resources for affected individuals (credit monitoring, hotline)
  • Have legal review before sending

3. Draft Internal Communications

Keep employees informed without creating panic or liability.

  • Employee notification (facts only)
  • Updated security protocols
  • Contact person for questions
  • Reminder of confidentiality obligations

4. Engage PR Firm (if Public-Facing)

Public breaches require professional crisis communications.

  • Contact breach response PR specialists
  • Prepare media statement
  • Monitor social media and news coverage
  • Plan stakeholder briefings

5. Set Up Breach Hotline/Support

Provide a support channel for affected individuals.

  • Dedicated phone number or email
  • FAQ document for support staff
  • Credit monitoring service (if offering)
  • Track and respond to inquiries

48-72 hrs: Remediate and Begin Recovery

Goal: Close security gaps and begin transition to recovery phase.

Remediation Checklist

1. Patch Vulnerabilities

Fix the security weakness that enabled the breach.

  • Apply security patches and updates
  • Fix misconfigurations
  • Remove unauthorized access points
  • Test patches in an isolated environment first

2. Reset All Credentials

Assume all credentials are compromised and reset them.

  • Force password resets for all users
  • Rotate API keys and service accounts
  • Review and revoke unnecessary access
  • Implement multi-factor authentication (MFA)

3. Deploy Enhanced Monitoring

Increase visibility to detect recurrence or ongoing activity.

  • Enhanced logging and alerting
  • EDR/SIEM tuning for IoCs
  • Network traffic monitoring
  • Threat hunting for persistence mechanisms

4. Schedule Post-Incident Review

Plan a retrospective to identify lessons learned.

  • Schedule within 2 weeks of containment
  • Include all response team members
  • Document what worked vs. what didn't
  • Create an action plan for improvements

5. Document Lessons Learned

Capture insights while details are fresh.

  • Root cause analysis
  • Response timeline and effectiveness
  • Communication successes and failures
  • Technology and process gaps

Frequently Asked Questions

What should I do first after discovering a data breach?

In the first 4 hours: 1) Isolate affected systems from the network (do not turn off or delete files), 2) Preserve all logs and evidence, 3) Activate your incident response team, 4) Contact legal counsel, 5) Engage an external IR firm if you lack internal expertise. Do not attempt to clean or remediate systems before forensic analysis.

Should I shut down affected systems during a breach?

No, do not shut down or turn off affected systems. Isolate them from the network to prevent further spread, but keep them running to preserve volatile memory that contains critical forensic evidence. Shutting down systems can destroy evidence needed for investigation and legal proceedings.

When do I need to notify customers of a breach?

Notification timelines vary by regulation: GDPR requires notification within 72 hours, HIPAA within 60 days (or immediately if 500+ affected), CCPA "without unreasonable delay," and various state laws have specific requirements. Consult legal counsel immediately to determine your specific obligations based on data types and jurisdictions.

How long does a typical breach response take?

The initial response phase typically takes 72 hours for containment, investigation, and initial notifications. Full recovery and remediation can take 6-12 months. Companies with incident response plans and external IR firms can reduce response time by 54% and save an average of $2.66 million (IBM 2024).

Do I need to hire an external incident response firm?

You should hire an external IR firm if: you have limited internal expertise, the breach is severe or complex, you face regulatory scrutiny, or there is litigation risk. External firms provide forensic expertise, legal guidance, and 24/7 response capabilities that most internal teams lack.
