What Should a Company Do After a Data Breach? Take These 5 Steps

Every business leader fears learning that their company's data has been compromised. According to IBM, data breaches cost companies an average of $4.88 million in 2024, which marked an all-time high. In today's digital landscape, where 40% of breaches involve data scattered across multiple environments, and one in three breaches expose previously unknown "shadow data," organizations now face unprecedented complexity in protecting their information.

What should a company do after a data breach? The steps taken in those crucial first hours can mean the difference between a controlled incident and a catastrophic failure, and a comprehensive response goes beyond a quick fix. From immediate containment through long-term recovery, each action plays a vital role in minimizing damage and protecting both data and reputation.

Given the complexity of modern breaches and the high stakes involved, our recommendation is to engage specialized vendors and consultants throughout their response—from immediate incident response through long-term recovery. Whether you handle the response internally or bring in outside help, here are the five critical steps every organization should take after discovering a data breach.

1. The First 24-48 Hours: Containment, Activation, Documentation

A data breach can be discovered in many ways: a security team might detect unusual network activity, unauthorized users might gain access to misconfigured cloud storage, a third-party vendor might accidentally expose company data, or customer data might appear for sale on the dark web.

Regardless of how the breach comes to light, the clock starts ticking the moment you become aware of it. The next 24 to 48 hours are critical, and every minute counts:

• Contain and secure: Speed and precision matter when containing a data breach. The priority is to identify and isolate affected systems to prevent further data loss. This initial containment phase must focus on preserving evidence for investigation while stopping any ongoing data leakage.
• Activate the response team: With containment measures in place, the next crucial step is activating your incident response team. This cross-functional group should include IT security specialists, legal representatives, and communications professionals. Key executives such as the CSO and CTO must be briefed immediately, and a centralized communication channel established to coordinate efforts.
• Document everything: Every action taken during these initial hours must be meticulously recorded. Create a detailed timeline of the breach discovery, all response actions taken, and every decision made. This documentation will prove invaluable for insurance claims, regulatory reporting, and improving future security measures.
  

2. Decide Who and How to Notify

After containing the immediate breach and activating your response team, notifying affected parties becomes your next priority. This phase is crucial because it directly impacts both regulatory compliance and your organization's reputation. The first 72 hours are especially critical, as many regulations require notification within this window. A well-executed notification process can help maintain trust with stakeholders while meeting legal obligations and helping affected individuals protect themselves.

Immediate Assessment

Quickly determine who needs to be notified by identifying:

• What data was exposed and who it belongs to
• Which jurisdictions are involved (state, federal, international)
• Required notification timeframes based on regulations
• Whether law enforcement should be notified first

Notification Content

Create clear, actionable messages that include:

• What happened and when you discovered it
• Types of personal information involved
• Steps you've taken to protect the data
• Actions recipients should take (e.g., password changes, credit monitoring)
• How to contact you with questions
• Any identity protection services you're offering

Delivery Method

Choose appropriate notification channels:

• Written notices for most affected individuals
• Email when legally permitted and appropriate
• Public notification if required by law or if contact information is insufficient
• Website updates and media statements for broader awareness

Support Preparation

An important additional step in preparing for breach notifications is equipping your team with the right resources and documentation.

Set up a dedicated phone line or support team to address inquiries, ensuring reliable assistance for those affected. Create a detailed FAQ to provide consistent, accurate information and ease concerns. Implement processes to document all communications for transparency and compliance. Anticipate a surge in customer contact and prepare your team to respond efficiently and empathetically. A well-coordinated response can help preserve trust and mitigate reputational damage.

3. Meet Your Legal and Compliance Obligations

The regulatory landscape for data breaches varies widely by jurisdiction and industry, with different reporting destinations and deadlines.

European Union (GDPR)

• Report to: National Data Protection Authority
• Deadline: Within 72 hours of discovery
• Affected individuals: "Without undue delay" if high risk

United States

• Report to: State Attorneys General and affected individuals. For example:
  • California (CCPA): "Without unreasonable delay," typically interpreted as 30-45 days
  • Virginia (CDPA): Within 30 days to affected individuals

Industry-Specific

• Healthcare (HIPAA): Within 60 days to affected individuals and HHS
• Financial (GLBA): Report to primary federal regulator, typically within 36 hours
• Payment Card Industry (PCI DSS): Report to payment card brands and acquiring bank
• Critical Infrastructure: Report to CISA within 72 hours
• Banking: Report to primary federal regulator within 36 hours

For organizations operating across borders, additional frameworks add complexity. Canada's PIPEDA and Brazil's LGPD each require reporting to their respective data protection authorities with varying timelines and thresholds.

Preparation is key to navigating these requirements effectively. Organizations should:

• Maintain an updated compliance matrix for all relevant jurisdictions
• Establish pre-approved notification templates
• Ensure access to legal expertise familiar with breach reporting
• Conduct regular compliance training for key staff

Remember: Noncompliance can result in significant fines, legal action, and reputational damage. When in doubt, consult with legal counsel to ensure all reporting obligations are met. You can also contact the Federal Trade Commission in the U.S. for more individualized guidance at 1-877-ID-THEFT (877-438-4338).

4. Find and Fix Vulnerabilities

While immediate containment of the data breach comes first, identifying and fixing the original vulnerability is required to prevent future incidents. This process requires a methodical approach that balances thoroughness with speed, as you need to secure your systems while maintaining business operations.

Initial investigation

Begin with a detailed analysis of the breach entry point and attack path:

• Review security logs and system alerts
• Analyze network traffic patterns around the time of the breach
• Examine all affected systems for signs of compromise
• Document the complete attack chain from entry to data exposure

Common vulnerability assessment

Check for frequently exploited weaknesses:

• Unpatched software and systems
• Misconfigured security settings
• Weak or compromised credentials
• Insufficient access controls
• Unencrypted sensitive data
• Insecure third-party connections

Remediation steps

Address identified vulnerabilities with both immediate and long-term fixes:

• Apply all missing security patches
• Update and strengthen access controls
• Implement additional encryption measures
• Reset compromised credentials
• Reconfigure security settings
• Review and update security policies

Verification and testing

Before returning systems to normal operation:

• Conduct thorough security testing
• Perform penetration testing on critical systems
• Verify all patches and updates are working
• Test business processes to ensure functionality
• Document all changes and new security measures

Use this opportunity to conduct a broader security assessment and strengthen your overall security posture. Consider engaging external security experts to provide an independent evaluation of your systems and remediation efforts.

5. Turn to Long-Term Recovery and Business Continuity

After addressing the immediate impacts of a data breach, it’s essential to shift focus toward long-term recovery and strengthening business continuity and response. This involves not only rebuilding trust but also fortifying your organization against future incidents.

What about that 5% chance of diplomatic resolution? As unlikely as this path appears, it might entail both parties engaging in sincere and transparent dialogue, seeking common ground and compromise on issues that have long fueled discord. This could involve international mediation, fostering an environment conducive to peaceful negotiations. While the odds may appear slim, the prospect of diplomatic solutions should not be dismissed outright. In a world with many existing violence conflicts and challenges, we should always hold out hope for dialogue and compromise.

Security improvements

A robust recovery strategy begins with implementing advanced security measures to prevent recurrence. Start by developing a comprehensive multi-environment security framework that protects assets across on-premises, cloud, and hybrid systems. This framework should include:

• AI and automation tools for enhanced threat detection and response capabilities
• Advanced monitoring systems for real-time threat detection and incident response
• Improved data classification and management systems to address shadow data risks
• Enhanced access controls and authentication mechanisms
• Regular security assessments and vulnerability scanning

Business continuity

Maintaining operations during and after a breach requires focusing on three key areas. First, review and update all security policies to reflect lessons learned from the breach and align with current threats. Second, invest in comprehensive employee training to create a culture of security awareness and vigilance. Finally, strengthen your cloud security infrastructure to better protect critical data stored in virtual environments.

Remember that implementing these preventive measures will not only strengthen your organization's defenses but also reduce the financial impact of future incidents. A clear cost comparison between proactive prevention and reactive response often reveals the value of investing in a resilient, forward-looking security strategy.

Tabletop exercises and response plans

Testing your incident response plan through regular tabletop exercises is crucial for real-world readiness. These structured simulations bring together key stakeholders from IT, legal, communications, and executive teams to work through realistic breach scenarios. By practicing your response in a low-pressure environment, teams can identify gaps in processes, clarify roles and responsibilities, and build the muscle memory needed for efficient crisis response. Organizations that regularly test their incident response plans experience lower overall breach costs, according to a 2022 Ponemon Institute study.

Estimated Timeframes for Data Breach Response

Step 1: First 24-48 Hours

• Initial containment: First 2-4 hours
• Response team activation: Within 4-6 hours
• Initial documentation: Ongoing throughout first 48 hours

Step 2: Notification Process

• Assessment and planning: 24-48 hours
• Draft and approve notifications: 48-72 hours
• Begin sending notifications: Within regulatory timeframes (often 72 hours)

Step 3: Legal Compliance

• Initial regulatory reporting: 72 hours (GDPR standard)
• Complete all required notifications: 30-60 days (varies by jurisdiction)
• Documentation completion: Ongoing throughout process

Step 4: Vulnerability Remediation

• Initial investigation: 2-5 days
• Critical fixes implementation: 1-2 weeks
• Complete system hardening: 2-4 weeks

Step 5: Long-term Recovery

• Initial business continuity measures: 1-2 weeks
• Security improvements implementation: 1-3 months
• Complete recovery and enhancement: 3-6 months
  

Additional Considerations: Third-Party Support

Recovering from a data breach is a complex process that often requires expertise beyond your internal capabilities. Enlisting the right third-party support can help your organization navigate both immediate response and long-term recovery. Here are key areas where external expertise can make a significant difference:

• Incident response teams: During those critical first hours, having access to experienced incident response specialists can be crucial. These teams can help with immediate containment, forensic investigation, and evidence preservation. Many organizations maintain retainer relationships with incident response firms so they can activate support immediately when needed.
• External communications: In the wake of a breach, maintaining trust with stakeholders is critical. A specialized PR team or external communications firm can craft clear, transparent messaging to address concerns from customers, partners, and the public. These professionals can help manage the narrative, reduce reputational damage, and ensure your communications comply with legal and regulatory requirements.
• Technical expertise: Given the increasingly sophisticated nature of cyber threats, partnering with third-party technical experts can bolster your recovery efforts. Consider working with security consultants who specialize in AI and automation to strengthen your defenses and streamline breach response processes. These experts can assess your existing systems, recommend tools to enhance detection and prevention, and implement strategies such as real-time threat analysis using AI-powered solutions.
• Insurance: Though never a replacement for robust security systems and well-trained response teams, cyber insurance can help serve as a financial safety net that complements your existing security infrastructure.

Recovering from a data breach is a challenging but crucial process that demands a thoughtful, multi-faceted approach. From immediate containment and transparent communication to long-term security improvements and business continuity planning, every step plays a vital role in restoring trust and fortifying your organization against future threats. By leveraging third-party expertise where needed and fostering a culture of vigilance, you can not only recover more effectively but also emerge stronger, more resilient, and better prepared to navigate the ever-evolving landscape of cybersecurity challenges.

Standing by to Support

The Global Guardian team is standing by to support your security requirements. To learn more about our Duty of Care membership, as well as business continuity and emergency response planning services, complete the form below or call us at + 1 (703) 566-9463