Data Breach
Emergency Response
Stop. Breathe. Follow this sequence.
The first 72 hours are critical—every action you take now affects your breach outcome.
Critical: Do NOT
- Delete any files or logs (destroys evidence)
- Turn off affected systems before forensic imaging (loses volatile memory)
- Publicly disclose before consulting legal counsel
- Pay ransom without expert consultation
- Attempt to "clean up" before investigation
What Should You Do in the First 72 Hours of a Data Breach?
In the first 72 hours, execute four phases in sequence: contain the breach by isolating affected systems (hours 0–4), investigate scope with forensic experts (4–24), communicate with regulators and customers (24–48), and begin remediation (48–72). Every delayed action increases cost and legal exposure.
CONTAIN
Containment means isolating affected systems from the network without powering them off, which would destroy volatile memory needed for forensics. Every action must be documented with precise timestamps to support legal proceedings and insurance claims.
- Disconnect network cables. Do NOT power off. Isolate but preserve.
- Preserve firewall, server, application, and authentication logs. They may auto-rotate.
- Notify the IT Lead, CISO, Legal Counsel, CEO/Executive, and Communications.
- Record who discovered it, when, what was observed, and actions taken. Be precise.
- Lock server rooms. Restrict access. Preserve chain of custody.
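As an added example (not part of the original page), this Python script does the two containment tasks above that are easy to get wrong under pressure: it copies logs out before they auto-rotate and writes a timestamped chain-of-custody manifest, then re-hashes the copies to detect later alteration. The case id, collector name, paths and sample log lines are constructed for the demo.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream the file so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir, case_id, collector):
    """Copy each log into evidence_dir and append one chain-of-custody record per file."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    records = []
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        records.append({
            "case_id": case_id,
            "collected_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "collected_by": collector,
            "source": str(src),
            "copy": str(dst),
            "sha256": sha256_file(dst),
            # hashing both sides proves the copy is faithful to the original
            "copy_matches_source": sha256_file(src) == sha256_file(dst),
        })
    with (evidence_dir / "chain_of_custody.jsonl").open("a") as f:
        f.writelines(json.dumps(r) + "\n" for r in records)
    return records


def verify_evidence(evidence_dir):
    """Re-hash every preserved copy; False means that file changed after collection."""
    manifest = Path(evidence_dir) / "chain_of_custody.jsonl"
    return {r["copy"]: sha256_file(r["copy"]) == r["sha256"]
            for r in map(json.loads, manifest.read_text().splitlines())}


def demo():
    """Constructed sample: two tiny logs are preserved, verified, then one copy is tampered."""
    work = Path(tempfile.mkdtemp())
    (work / "auth.log").write_text("sshd[412]: Accepted password for admin from 203.0.113.5\n")
    (work / "firewall.log").write_text("DENY tcp 203.0.113.5 -> 10.0.0.7:445\n")
    ev = work / "evidence"
    records = preserve_logs([work / "auth.log", work / "firewall.log"], ev, "CASE-0001", "jdoe")
    clean = verify_evidence(ev)
    (ev / "auth.log").write_text("tampered\n")  # simulate post-collection modification
    return records, clean, verify_evidence(ev)
```

Run `demo()` to see the manifest records, a clean verification, and the failed check after the simulated tampering; in a real collection, write the evidence directory to removable or write-once media rather than the affected host.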
INVESTIGATE
Investigation determines which systems and data were accessed, how many individuals are affected, and which regulatory deadlines apply. Engage external forensic investigators and notify legal counsel immediately—this conversation establishes attorney-client privilege over the investigation.
- Professional forensic analysis. Objective investigation. Expert testimony if needed.
- Legal counsel establishes attorney-client privilege. Critical for litigation protection.
- Determine scope: which systems? What data types (PII, PHI, financial)? How many records? Entry point?
- Regulatory deadlines: GDPR: 72 hours. HIPAA: 60 days. State laws vary. Check all applicable jurisdictions.
- Cyber insurance: notify carrier within required timeframe. Understand coverage limits and requirements.
COMMUNICATE
GDPR requires notifying your supervisory authority within 72 hours of discovery—a clock that started at hour zero. Use this window to file regulatory notifications, draft customer letters reviewed by legal counsel, and prepare internal communications for employees.
- Regulators: GDPR 72-hour deadline. File with supervisory authority. Document the process.
- Customers: clear, factual, actionable. What happened, what data, what they should do.
- Employees: awareness. What they can/cannot say. Point of contact for questions.
- Media: for public-facing breaches. Media training. Statement preparation.
- Support: dedicated hotline. FAQ page. Credit monitoring vendor (if offering).
REMEDIATE
Remediation patches the specific vulnerability that enabled entry, resets all potentially compromised credentials, and deploys enhanced monitoring to detect reinfection. Document every action—regulators and insurers will request this record.
- Apply security patches. Update outdated software. Close the attack vector.
- Reset credentials: user passwords, service accounts, API keys, admin credentials. Force resets.
- Enhance monitoring: increased logging, alert thresholds. Watch for reinfection or lateral movement.
- Post-incident review: what happened? What worked? What failed? Document lessons learned.
- Update the response plan: incorporate lessons, update contacts, improve procedures.
Breach Response: Frequently Asked Questions
What is the first thing I should do during a data breach?
Isolate affected systems immediately to prevent the spread of the attack, but do NOT turn them off. Turning off systems can destroy volatile memory which is critical for forensic investigation. Disconnect them from the network instead.
Should I pay the ransom?
The FBI and most security experts advise against paying ransoms, as it does not guarantee data recovery and funds criminal activity. However, this is a business decision. Consult with legal counsel and a professional ransomware negotiator before making any decisions.
When do I need to notify customers?
Notification timelines vary by jurisdiction. GDPR requires notification within 72 hours. HIPAA requires notification within 60 days. State laws vary. Consult legal counsel immediately to determine your specific obligations.
Do I need to contact law enforcement?
You are not always legally required to contact law enforcement, but it is often recommended. The FBI or CISA can provide threat intelligence and assistance. Your legal counsel can advise on the best timing and approach for contacting authorities.
Why Does Response Speed Matter So Much?
Faster containment directly reduces breach cost. Organizations that contain a breach within 200 days save an average of $1.12 million compared to those that take longer. The figures below illustrate the financial case for preparation.
- Organizations with incident response teams and tested plans save $2.66 million compared to those without (IBM 2024).
- Breaches take an average of 277 days to identify and contain. Faster detection significantly reduces costs.
- Organizations that contain breaches in under 200 days save 54% on total breach costs.
- The United States has the highest average breach cost globally. Early containment is critical.