Discovering a data breach is not the time to figure out your response plan. Here is what to do in the first 72 hours — before your lawyer has responded, before you have drafted a statement, and before the clock runs out on your notification obligations.

Before the breach happens: A data breach response plan only works if it exists before you need it. Decide right now: who leads the internal response, and which attorney handles breach notifications. Without those two decisions made in advance, the first 72 hours will be chaos.

The 72-Hour Timeline

0h

Contain the breach immediately. Before anything else — stop the bleeding. Disable compromised credentials, take affected systems offline if necessary (disconnect them from the network rather than powering them down, so volatile evidence such as memory is preserved), and block the attack vector if it has been identified. Do not delete anything — evidence preservation is critical. Document what you are doing and when.

2h

Notify your breach response team. Call your attorney. Call your IT contact. Alert your leadership. Do not post anything publicly. Do not contact affected individuals yet. Get the right people in a room — or on a call — before any external communication.

8h

Assess what was accessed. Work with your IT contact to determine: what data was exposed, how many individuals are affected, whether the breach is still active or contained, and what type of personal information was involved. The category of data determines your notification obligations.

24h

Determine your notification obligations. Every US state has a breach notification law. Most require notification to affected residents within 30–90 days of discovery. Some require Attorney General notification. If sensitive data was exposed — Social Security numbers, financial account information, health data — several states have shorter timelines. Your attorney needs to determine which laws apply based on where affected individuals reside.

48h

Document everything. Create a breach log: when it was discovered, what happened, what data was affected, how many individuals, what steps were taken, and when. This documentation is your evidence of good-faith response if regulators ever ask. It is also required for your cyber insurance claim.

72h

Begin the consumer notification process. If notification is required, start drafting consumer notices with your attorney. Under most state laws, the notice must include: what happened, what information was involved, what you are doing about it, and what affected individuals can do to protect themselves. Do not send notices without attorney review.
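As an added example (not part of the original article), the Python sketch below shows one way to keep the breach log the 48h step calls for: every entry records when, what, which categories of data and how many people, and is chained to the previous entry by a SHA-256 hash, so the record you later hand to a regulator or your insurer is tamper-evident. The sample incident, its timestamps and the deadline helper's day count are constructed for illustration; the statutory window itself is whatever your attorney determines.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one

def _digest(payload: dict) -> str:
    # Canonical JSON (sorted keys) so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

class BreachLog:
    def __init__(self, discovered_at: datetime):
        self.discovered_at = discovered_at  # anchors the notification clock
        self.entries: list[dict] = []       # append-only; never edit in place

    def record(self, when: datetime, phase: str, action: str, data_types=(), individuals=None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "timestamp": when.isoformat(),   # when it happened
            "phase": phase,                  # which step of the 72-hour timeline
            "action": action,                # what was done or found
            "data_types": list(data_types),  # categories of personal data involved
            "individuals": individuals,      # how many people, once known
            "prev_hash": prev,               # links this entry to the one before it
        }
        entry = {**body, "entry_hash": _digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if no entry has been altered, removed or reordered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def notification_deadline(self, window_days: int) -> datetime:
        """Last day to notify for whatever statutory window your attorney identifies."""
        return self.discovered_at + timedelta(days=window_days)

def build_sample_log() -> BreachLog:
    """Constructed sample (not a real incident): phished credential found at 09:00 UTC."""
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    log = BreachLog(discovered_at=t0)
    log.record(t0, "0h contain", "Disabled compromised credential; nothing deleted")
    log.record(t0 + timedelta(hours=8), "8h assess", "Customer export read", ("name", "email"), 1200)
    return log
```

Any later edit, deletion or reordering of an entry makes `verify()` return False, which is the property that lets the log stand as evidence of a good-faith response.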

Data Types That Trigger Heightened Obligations

Not all personal data carries the same notification requirements. These categories trigger stricter timelines and broader notification obligations in most states:

What Most SMB Breaches Actually Look Like

Most small business breaches are not dramatic. They are a phished employee credential, an exposed database, a misconfigured cloud storage bucket, or a device left somewhere it should not be. The legal obligations are identical regardless of how it happened.

The businesses that handle breaches well are the ones that had a plan before it happened — not because they are larger or more sophisticated, but because they took 90 minutes to write one down.

Building Your Response Plan Now

Your plan does not need to be long. At minimum it should include:

Need a breach response plan?

We can help you build one before you need it — and be in your corner if you ever do.
