Active Breach Response Protocol

Data Breach
Emergency Response

Stop. Breathe. Follow this sequence.
The first 72 hours are criticalβ€”every action you take now affects your breach outcome.

24/7 Response
2-Hour Contact
Global Coverage

Get Emergency Help Now

We'll connect you with incident response specialists within 2 hours.

Max 500 characters. Keep it brief.

Your information is encrypted. We'll contact you within 2 hours max.

⚠️

Critical: Do NOT

  • β€’ Delete any files or logs (destroys evidence)
  • β€’ Turn off affected systems before forensic imaging (loses volatile memory)
  • β€’ Publicly disclose before consulting legal counsel
  • β€’ Pay ransom without expert consultation
  • β€’ Attempt to "clean up" before investigation

72-Hour Response Timeline

0-4
HOURS

CONTAIN

Your immediate priority is stopping the breach from spreading while preserving evidence. Every action must be documented with precise timestamps.

Isolate affected systems from network

Disconnect network cables. Do NOT power off. Isolate but preserve.

Preserve all logs immediately

Firewall, server, application, authentication logs. They may auto-rotate.

Activate incident response team

IT Lead, CISO, Legal Counsel, CEO/Executive, Communications.

Document everything with timestamps

Who discovered it, when, what was observed, actions taken. Be precise.

Secure physical evidence

Lock server rooms. Restrict access. Preserve chain of custody.

4-24
HOURS

INVESTIGATE

Now you assess the scope and engage experts. This phase determines your notification obligations and recovery path.

Engage external IR firm

Professional forensic analysis. Objective investigation. Expert testimony if needed.

Notify legal counsel immediately

Establishes attorney-client privilege. Critical for litigation protection.

Assess breach scope

Which systems? What data types (PII, PHI, financial)? How many records? Entry point?

Determine notification obligations

GDPR: 72 hours. HIPAA: 60 days. State laws vary. Check all applicable jurisdictions.

Check cyber insurance policy

Notify carrier within required timeframe. Understand coverage limits and requirements.

24-48
HOURS

COMMUNICATE

Based on investigation findings, prepare and execute your notification strategy. Transparency builds trust; delay damages reputation.

Prepare regulatory notifications

GDPR: 72-hour deadline. File with supervisory authority. Document the process.

Draft customer notification

Clear, factual, actionable. What happened, what data, what they should do.

Prepare internal communications

Employee awareness. What they can/cannot say. Point of contact for questions.

Engage PR/communications firm (if needed)

For public-facing breaches. Media training. Statement preparation.

Set up support infrastructure

Dedicated hotline. FAQ page. Credit monitoring vendor (if offering).

48-72
HOURS

REMEDIATE

With investigation insights, begin fixing vulnerabilities and hardening systems. This prevents reinfection and demonstrates due diligence.

Patch exploited vulnerabilities

Apply security patches. Update outdated software. Close attack vector.

Reset all potentially compromised credentials

User passwords. Service accounts. API keys. Admin credentials. Force resets.

Deploy enhanced monitoring

Increased logging. Alert thresholds. Watch for reinfection or lateral movement.

Schedule post-incident review

What happened? What worked? What failed? Document lessons learned.

Update incident response plan

Incorporate lessons. Update contacts. Improve procedures.

Frequently Asked Questions

What is the first thing I should do during a data breach?

Isolate affected systems immediately to prevent the spread of the attack, but do NOT turn them off. Turning off systems can destroy volatile memory which is critical for forensic investigation. Disconnect them from the network instead.

Should I pay the ransom?

The FBI and most security experts advise against paying ransoms, as it does not guarantee data recovery and funds criminal activity. However, this is a business decision. Consult with legal counsel and a professional ransomware negotiator before making any decisions.

When do I need to notify customers?

Notification timelines vary by jurisdiction. GDPR requires notification within 72 hours. HIPAA requires notification within 60 days. State laws vary. Consult legal counsel immediately to determine your specific obligations.

Do I need to contact law enforcement?

You are not always legally required to contact law enforcement, but it is often recommended. The FBI or CISA can provide threat intelligence and assistance. Your legal counsel can advise on the best timing and approach for contacting authorities.

Related Resources

Ransomware Response

Specific guidance for ransomware attacks, including negotiation and payment decisions.

View Guide β†’

First 24 Hours Checklist

A printable checklist for the immediate aftermath of a breach discovery.

Download Checklist β†’

Why Speed Matters

$2.66M
Savings with IR Team

Organizations with incident response teams and tested plans save $2.66 million compared to those without (IBM 2024).

277 days
Average Detection Time

Breaches take an average of 277 days to identify and contain. Faster detection significantly reduces costs.

54%
Cost Reduction

Organizations that contain breaches in under 200 days save 54% on total breach costs.

$9.36M
US Average Breach Cost

United States has the highest average breach cost globally. Early containment is critical.