Incident Response · 8 min read

What to Do After a Data Breach: A Small Business Owner's Step-by-Step Guide

Protectyr Team

You Have Been Breached. Now What?

Discovering a data breach is one of the most stressful moments a business owner can face. Your mind races with questions: How bad is it? Who is affected? Am I going to get sued? Can I recover from this?

Take a breath. The next 48 hours matter enormously, and having a clear plan of action can mean the difference between a manageable incident and a business-ending disaster. This guide walks you through exactly what to do, step by step.

Step 1: Contain the Breach (First 2 Hours)

Your immediate priority is stopping the bleeding. Do not panic, but act quickly:

  • Isolate affected systems: Disconnect compromised machines from the network by unplugging the network cable or disabling WiFi, but leave them powered on. Forensic investigators may need what is in memory, and a reboot destroys it. If a machine is actively encrypting files, cutting power may be the lesser evil; either way, write down the decision and the time.
  • Change compromised credentials: Reset passwords for any accounts that may be affected. Start with admin accounts and work outward, and do it from a device you know is clean. Include API keys, service-account passwords and active sessions: a new password does nothing if the attacker still holds a valid session token.
  • Preserve evidence: Do not delete logs, emails, or files related to the breach. Copy them to a location the attacker cannot reach and record a hash of each file, so you can show later that nothing was altered. These are critical for understanding what happened and may be required for legal proceedings.
  • Document everything: Start a timeline. Write down when the breach was discovered, who discovered it, what systems are affected, and every action you take from this point forward, each with the time it was taken.

Critical mistake to avoid: Do not "clean up" or restore from backup before investigators have had a chance to examine the affected systems. If you must restore a machine to keep operating, take a full disk image or snapshot of it first. Otherwise you could destroy evidence you need later.
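The "preserve evidence" and "document everything" steps above are easy to get wrong under stress, so here is a small script that does both mechanically. It is an added example, not part of the original article or any Protectyr tool: it hashes every file you copied into an evidence folder, records the original timestamps, lets you re-check the folder later to prove nothing changed, and keeps an append-only timeline. The folder and log contents in demo() are constructed for illustration.

```python
"""Preserve evidence and keep a timeline during containment.

Added example (not from the original article). It assumes the responder has
copied the relevant logs and mailbox exports into one evidence folder; the
file names and log line used in demo() are constructed for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Stream the file through SHA-256 so large logs are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record path, hash, size and the file's own mtime for each preserved file."""
    entries = []
    for p in map(Path, paths):
        st = p.stat()
        entries.append({
            "path": str(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            # The original mtime is evidence in itself; capture it before a copy loses it.
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            "collected_at_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    return entries


def verify_manifest(manifest):
    """Return the paths whose content no longer matches the manifest (changed or missing)."""
    changed = []
    for e in manifest:
        p = Path(e["path"])
        if not p.exists() or sha256_file(p) != e["sha256"]:
            changed.append(e["path"])
    return changed


def timeline_entry(who, action, systems, when=None):
    """One timeline record: who did what to which systems, and when (UTC)."""
    return {
        "time_utc": (when or datetime.now(timezone.utc)).isoformat(),
        "who": who,
        "action": action,
        "systems": sorted(systems),
    }


def append_timeline(log_path, entry):
    """Append-only JSON lines; earlier entries are never rewritten."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")


def demo():
    """Run the whole flow on constructed files and return what each step produced."""
    with tempfile.TemporaryDirectory() as d:
        evidence = Path(d) / "evidence"
        evidence.mkdir()
        # Constructed log line, not from a real system.
        log_content = b"2024-05-01T02:13:07Z sshd: Accepted password for admin from 203.0.113.9\n"
        log = evidence / "auth.log"
        log.write_bytes(log_content)

        manifest = build_manifest([log], collector="owner@smallbiz.example")
        untouched = verify_manifest(manifest)          # [] while nothing has changed
        log.write_bytes(log_content + b"tampered\n")  # simulate someone "cleaning up"
        tampered = verify_manifest(manifest)           # now lists auth.log

        timeline = Path(d) / "timeline.jsonl"
        append_timeline(timeline, timeline_entry("owner", "unplugged network cable", ["FILESRV01"]))
        append_timeline(timeline, timeline_entry("owner", "hashed evidence folder", ["FILESRV01"]))
        lines = timeline.read_text().splitlines()

        return {
            "expected_sha256": hashlib.sha256(log_content).hexdigest(),
            "manifest": manifest,
            "untouched": untouched,
            "tampered": [Path(p).name for p in tampered],
            "timeline_entries": len(lines),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hand the manifest JSON to whoever investigates: if the hashes they compute match yours, the copies are as good as what you collected. Keep the timeline file somewhere the compromised machines cannot write to.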

Step 2: Assess the Scope (Hours 2-24)

Once you have contained the immediate threat, figure out what actually happened:

  • What data was accessed or stolen? Customer names, emails, payment information, social security numbers, health records? The type of data determines your legal obligations.
  • How many people are affected? A breach affecting 10 customers has very different implications than one affecting 10,000.
  • How did the attacker get in? Was it a phishing email? A weak password? An unpatched vulnerability? Understanding the attack vector helps you close the gap.
  • Is the attacker still in your systems? This is why isolation matters. Look for what they left behind: new accounts, mailbox forwarding rules, scheduled tasks, and remote-access tools you did not install. You need to be confident you have removed the threat before reconnecting systems.

If you do not have in-house IT security expertise, this is the time to bring in a professional. An incident response specialist can help you assess the scope quickly and accurately.
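Two of the questions above, what data was exposed and how many people it belongs to, can be answered with a first pass over the rows the attacker reached. The script below is an added example, not part of the original article: it takes those rows as a list of dicts (for instance parsed from a CSV export), detects email addresses, U.S. Social Security numbers and payment card numbers, and counts distinct individuals per category rather than rows. SAMPLE_EXPORT is constructed data. Card candidates found by the regular expression are confirmed with the Luhn checksum so order numbers and tracking IDs do not inflate the count.

```python
"""Classify and count what was exposed in an accessed data export.

Added example for assessing scope (not from the original article). It assumes
the responder has the rows the attacker reached as a list of dicts; the
SAMPLE_EXPORT rows below are constructed, not real customer data.
"""
import re
from collections import defaultdict

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
# A regex alone over-matches (order numbers, tracking IDs), so every hit is
# confirmed with the Luhn check below before it counts as payment card data.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum, which every major card brand's numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitive data categories present in one record's text."""
    kinds = set()
    if EMAIL_RE.search(text):
        kinds.add("email")
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            kinds.add("payment_card")
    return kinds


def assess_scope(records, id_field="customer_id"):
    """Count distinct individuals overall and per data category.

    Counting people rather than rows matters: one customer with three rows is
    one notification, and the per-category figures decide which rules apply
    (SSNs trigger state notification laws, card data brings in PCI DSS).
    """
    individuals = set()
    by_category = defaultdict(set)
    for row in records:
        ident = row[id_field]
        individuals.add(ident)
        text = " ".join(str(v) for v in row.values())
        for kind in classify(text):
            by_category[kind].add(ident)
    return {
        "affected_individuals": len(individuals),
        "individuals_by_category": {k: len(v) for k, v in sorted(by_category.items())},
    }


# Constructed rows standing in for the table the attacker accessed.
SAMPLE_EXPORT = [
    {"customer_id": "C-1001", "name": "Ana Ruiz", "email": "ana@example.com",
     "notes": "paid by card 4111 1111 1111 1111"},
    {"customer_id": "C-1002", "name": "Ben Ito", "email": "ben@example.com",
     "notes": "SSN on file 123-45-6789 for tax form"},
    {"customer_id": "C-1001", "name": "Ana Ruiz", "email": "ana@example.com",
     "notes": "order 4111111111111112 shipped"},   # 16 digits but fails Luhn: not a card
    {"customer_id": "C-1003", "name": "Cy Park", "email": "",
     "notes": "phone 555-123-4567"},               # phone number, no sensitive category
]

if __name__ == "__main__":
    print(assess_scope(SAMPLE_EXPORT))
```

On the sample rows this reports 3 affected individuals, of whom 2 had an email address exposed, 1 a card number and 1 an SSN. Treat the output as a starting point for the conversation with your attorney, not as the final count: health records, driver's license numbers and other categories need their own patterns, and any match still has to be checked by a person.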

Step 3: Notify Your Cyber Insurance Provider (Within 24 Hours)

If you have cyber insurance, contact your provider immediately. Most policies have notification deadlines, typically 24-72 hours. Your insurer may:

  • Assign a breach coach (an attorney who specializes in incident response)
  • Connect you with approved forensic investigators
  • Cover costs for customer notification and credit monitoring
  • Provide public relations support

Failing to notify your insurer promptly can jeopardize your coverage. Even if you are not sure the incident qualifies as a "breach," report it. Let the insurer make that determination.

Step 4: Understand Your Legal Notification Requirements (Days 1-3)

Data breach notification laws vary by state and industry. In general:

  • All 50 U.S. states have breach notification laws requiring you to notify affected individuals within a specific timeframe (typically 30-60 days, usually counted from when you discover the breach; some states require faster notification).
  • Industry regulations may impose additional requirements. HIPAA has its own breach notification rules for healthcare data. PCI DSS is a contractual obligation through your payment processor rather than a law, but it still requires you to report a compromise of card data to your acquiring bank and the card brands.
  • State attorneys general often must be notified if the breach exceeds a certain threshold. The threshold varies by state, commonly 500 or 1,000 affected residents.

An attorney experienced in data privacy law can help you navigate the specific requirements that apply to your situation. This is not a time to guess.

Step 5: Notify Affected Individuals (Days 3-30)

Breach notification letters should be clear, honest, and helpful. Include:

  • What happened (in general terms)
  • What data was compromised
  • What you are doing about it
  • What they can do to protect themselves (credit monitoring, password changes)
  • How to reach you with questions

Avoid corporate jargon and legalese. Your customers are people who trusted you with their information. Treat them with respect and transparency.

Step 6: Fix the Root Cause (Week 1-2)

Once the immediate crisis is handled, address the vulnerability that allowed the breach:

  • Patch the specific vulnerability that was exploited
  • Implement the security controls that were missing (MFA, better access controls, endpoint protection)
  • Review and update your security policies
  • Retrain employees if the breach involved social engineering

Step 7: Review and Improve Your Defenses (Month 1-3)

Every breach is a painful but valuable learning opportunity. Use it to build a stronger security program:

The Real Cost of a Data Breach for Small Business

The average cost of a data breach continues to rise, but for small businesses, the hidden costs often hurt more than the direct ones: lost customer trust, damaged reputation, diverted management attention, and the sheer emotional toll on you and your team.

The good news? Businesses that respond quickly and transparently tend to recover faster and retain more customer loyalty than those that delay or try to minimize the incident.

Next Steps

The best time to prepare for a data breach is before it happens. Our Incident Response Playbooks give you step-by-step guides for the five most common cyber incidents, so you are not scrambling to figure out what to do in the middle of a crisis.

If you are dealing with a breach right now, start at Step 1 above and work through methodically. You will get through this.
