# Data Breach Response Checklist

A cyber attack is NOT the time to figure out what to do. Print this checklist now so you're prepared when (not if) it happens.
## 📞 Your Emergency Contacts · Fill This Out NOW

- Primary: _________________________
- Phone: _________________________
- Secondary: _________________________
- Phone: _________________________
- Cyber Insurance: _________________________
- IT Security: _________________________
- Legal Counsel: _________________________
- Forensic Firm: _________________________
## Contain & Assess the Breach

- **Isolate affected systems immediately.** Disconnect infected computers from the network by unplugging network cables and disabling WiFi. Don't power them off: memory contents and other volatile evidence are lost when a machine shuts down.
- **Document everything you see.** Take screenshots, write down times, and note which systems are affected. This evidence is critical for the investigation and for insurance claims.
- **Notify your IT security team.** Call your internal IT team or managed security provider immediately. If you don't have one, contact your cyber insurance provider's 24/7 hotline.
- **Determine the scope of the breach.** Which systems are affected? What data might be compromised: customer PII, payment information, employee records, intellectual property?
- **Preserve firewall and server logs.** Back up logs before they rotate or are overwritten. They contain the forensic evidence needed to understand what happened.
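One way to carry out the log-preservation step above, as an added example that is not part of this checklist: a Python script that copies the named log files into an evidence directory and writes a SHA-256 manifest, so the copies can later be shown to be unaltered when the forensic firm or insurer asks. The log paths, the evidence directory and the collector name are assumptions you would fill in for your own systems.

```python
"""Preserve logs before they rotate: copy each file into an evidence directory and
write a SHA-256 manifest. Added example; paths, directory and names are assumptions."""
import hashlib
import json
import shutil
import socket
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash in 1 MiB chunks so multi-gigabyte logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_logs(sources, evidence_dir, collector):
    """Copy each log to evidence_dir/<host>/<UTC stamp>/<original path>; return
    the manifest dict, which is also written beside the copies as manifest.json."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    dest = Path(evidence_dir) / socket.gethostname() / stamp
    entries = []
    for src in (Path(s).resolve() for s in sources):
        if not src.is_file():  # already rotated away or a wrong path: record it, keep going
            entries.append({"source": str(src), "status": "missing"})
            continue
        target = dest / src.relative_to(src.anchor)  # keep full path; avoids basename clashes
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 keeps the original mtime for the timeline
        copied = sha256_file(target)
        # A log still being appended to hashes differently from its copy; record that fact
        status = "ok" if copied == sha256_file(src) else "changed-during-copy"
        entries.append({"source": str(src), "copy": str(target), "sha256": copied,
                        "bytes": target.stat().st_size, "status": status})
    manifest = {"host": socket.gethostname(), "collected_utc": stamp,
                "collector": collector, "files": entries}
    dest.mkdir(parents=True, exist_ok=True)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(manifest_path):
    """Re-hash every preserved copy; return the sources whose copy no longer matches."""
    manifest = json.loads(Path(manifest_path).read_text())
    return [f["source"] for f in manifest["files"]
            if f["status"] != "missing" and sha256_file(f["copy"]) != f["sha256"]]
```

Run it as root (or as a user that can read the logs) with the paths that matter on that host, e.g. `preserve_logs(["/var/log/auth.log", "/var/log/syslog"], "/mnt/evidence", "jane.doe")`, and keep the evidence directory on media the compromised host cannot write to afterwards.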
## Activate Your Response Team

- **Contact your cyber insurance provider.** Call the 24/7 hotline on your policy. They will coordinate the forensic investigation and legal counsel, and begin the claims process. This is the most important call.
- **Engage forensic specialists.** Your insurer will connect you with pre-approved forensic firms, who will investigate what happened, what data was stolen, and how the attackers got in.
- **Notify executive leadership.** Keep the CEO, board members, and key stakeholders informed. They need to know the scope, the potential impact, and the response plan.
- **Secure physical premises if needed.** If attackers had physical access or an insider threat is suspected, secure the affected areas and preserve physical evidence.
- **Change all passwords.** Force password changes for all affected accounts and any accounts that might share credentials. Enable multi-factor authentication everywhere possible.
## Investigation & Notification

- **Complete the forensic investigation.** Work with the forensic team to determine exactly what happened, what data was accessed, and how the attackers gained entry. This determines your notification obligations.
- **Determine notification requirements.** Legal counsel and the forensic team will determine which notifications are required based on the data types and jurisdictions involved. Requirements vary by state and industry.
- **Prepare customer notifications.** Draft notification letters explaining what happened, what data was affected, what you're doing about it, and what customers can do to protect themselves.
- **Set up credit monitoring.** If personal data was breached, arrange credit monitoring services for the affected individuals. Your cyber insurance typically covers this cost.
- **Notify regulatory agencies if required.** HIPAA breaches require HHS notification within 60 days. Many states require notification within 30-45 days. Financial institutions have additional requirements.
## Recovery & Communication

- **Send customer notifications.** Mail notifications to all affected individuals. Include a clear explanation, credit monitoring information, and your contact information for questions.
- **Prepare a public statement.** Work with your PR/communications team on a press statement if the breach is significant. Be transparent about what happened and what you're doing to prevent future incidents.
- **Restore systems from clean backups.** After the forensic investigation is complete, rebuild systems from verified clean backups. Change all credentials again before going back online.
- **Review and update security.** Implement the security improvements identified during the forensic investigation. Update policies, train employees, and patch vulnerabilities.
## Lessons Learned & Prevention

- **Conduct a post-incident review.** Document what worked, what didn't, and what you'd do differently. Use this to update your incident response plan.
- **Review insurance coverage.** Work with your insurance provider on the claim. Review your coverage limits and consider whether you need more protection based on what you learned.
- **Update the incident response plan.** Based on lessons learned, update your written incident response plan. Schedule regular drills and tabletop exercises.
- **Ongoing security training.** Conduct regular security awareness training for all employees. Test them with simulated phishing exercises.
## Critical Reminders

**⚠️ Don't Pay Ransom Without Expert Help**

If you have cyber insurance, your policy covers ransomware payments. Contact your insurer FIRST, before engaging with attackers. They have experience negotiating and can often reduce payments.

**⚠️ Document Everything**

Every action you take, every person you contact, every decision you make: write it down. This documentation is critical for insurance claims, legal defense, and future prevention.

**⚠️ Meet Your Notification Deadlines**

State laws typically require notification within 30-60 days. HIPAA requires notification within 60 days. Missing deadlines can result in additional fines and legal liability.

**⚠️ Your Cyber Insurance is Your Best Friend**

Your cyber insurer isn't just there to pay claims. They provide 24/7 incident response, forensic experts, legal counsel, and claims handling. USE THEM from minute one.
## Quick Reference: Notification Timelines

| Requirement | Deadline | Who to Notify |
|---|---|---|
| HIPAA Breach | 60 days | HHS, affected individuals |
| Most States | 30-60 days | Affected individuals, AG |
| PCI-DSS (payment card) | Immediate | Card brands, acquiring bank |
| SEC (public companies) | 4 business days | SEC, public disclosure |
| GDPR (EU citizens) | 72 hours | Supervisory authority |

These are general guidelines. Consult with legal counsel for your specific situation.
## Be Prepared Before a Breach Happens

The best time to get cyber insurance was before you needed it. The second best time is now. Don't wait until it's too late.