Lora Vaughn | Vaughn Cyber Group
Security Strategy | Updated January 2026

Data Breach Response: What to Do in the First 72 Hours

Step-by-step guide for responding to a data breach. Hour-by-hour actions for containment, investigation, notification, and communication. Don't panic. Follow this checklist.

Lora Vaughn

2x CISO | 20+ years in banking, fintech & SaaS

Disclaimer: This guide provides general information, not legal advice. Breach notification requirements vary by jurisdiction, industry, and data type. Always consult with qualified legal counsel for your specific situation. Requirements and timelines referenced here may change.

You just discovered a breach. Maybe it’s ransomware. Maybe you found customer data on the dark web. Maybe a vendor called to tell you your credentials are compromised.

The next 72 hours will determine whether this becomes a manageable incident or a company-ending crisis.

Don’t panic. Follow this checklist.

The First 4 Hours: Contain

Your only job right now is to stop the bleeding.

Do these things immediately:

  1. Isolate affected systems - Disconnect them from the network (or use your EDR’s network-containment feature, which blocks traffic but keeps the forensic channel open), but don’t power off: memory, running processes, and active connections are evidence
  2. Disable compromised accounts - If you know which accounts were used, disable them now and terminate their active sessions
  3. Change critical credentials - Admin accounts, service accounts, API keys that may be compromised; coordinate with the investigation so you rotate everything the attacker holds in one pass, because piecemeal rotation warns them and leaves them other ways in
  4. Block known malicious activity - IPs, domains, file hashes if your team has identified them
  5. Start a timeline document - Every action, every discovery, with timestamps (in UTC) and who did it

Don’t do these things:

  • Don’t power off systems (destroys volatile evidence: memory, running processes, active connections)
  • Don’t start restoring from backups yet (you don’t know if they’re clean, and you don’t yet know how the attacker got in)
  • Don’t communicate via email (assume it’s compromised)
  • Don’t talk to the press
  • Don’t pay ransom without expert guidance (counsel also needs to check sanctions exposure before any payment is considered)

Hours 2-6: Assemble Your Team

You can’t do this alone. Get the right people involved immediately. This deliberately overlaps with containment: one person works the phones while the technical team isolates systems.

Core response team:

  • IT/Security Lead - Runs technical investigation and containment
  • Legal Counsel - Guides notification requirements and liability
  • Executive Sponsor - Makes resource and communication decisions
  • Communications Lead - Handles internal and external messaging

External resources to contact:

  • Cyber insurance carrier - Call your broker immediately. They have breach response resources and will assign counsel and forensics.
  • Forensics firm - Your insurance carrier will recommend one, or use one you’ve pre-selected
  • Outside legal counsel - Privacy/breach response specialist (insurance may cover this)

Set up secure communications:

  • Use a separate communication channel (Signal, out-of-band phone calls)
  • Create a new Slack workspace or Teams instance if needed, on accounts and devices that don’t depend on the identity provider you suspect is compromised
  • Assume your normal email and chat are compromised

Hours 6-24: Investigate

Now you need to understand what happened.

Key questions to answer:

  1. What data was accessed? - Customer PII, financial data, health records, credentials
  2. How many records? - This determines notification scope and regulatory requirements
  3. What was the attack vector? - Phishing, vulnerability exploitation, credential stuffing, insider
  4. How long was the attacker in your systems? - Timeline matters for scope assessment
  5. Was data exfiltrated? - Access and actual theft carry different legal consequences; look for outbound transfers in proxy, firewall, and cloud storage access logs rather than assuming either way

Evidence to preserve:

  • Firewall and proxy logs
  • Authentication logs
  • Endpoint detection logs
  • Memory dumps from affected systems
  • Email headers from phishing attempts
  • Forensic images of compromised systems (record a hash of every image and log export at collection time, for chain of custody)

Don’t:

  • Restore systems yet (you’ll destroy evidence)
  • Interview employees without legal guidance
  • Delete anything
  • Assume you know the full scope
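To make the first four questions concrete, here is an added example (not tooling from the original post) that triages a constructed OpenSSH auth.log excerpt: it finds the source that guessed its way in, the accounts it used, its first and last activity (dwell time), and later logins by those accounts from other addresses that still need attribution. The log lines, hostname, usernames and IPs are all invented for the example; the same approach applies to your real authentication, VPN or identity-provider logs once the regex is adapted.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data in OpenSSH auth.log style (not real logs);
# addresses use the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
2026-01-10T02:14:07Z bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
2026-01-10T02:14:09Z bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
2026-01-10T02:14:12Z bastion sshd[4123]: Failed password for jsmith from 203.0.113.45 port 51024 ssh2
2026-01-10T02:14:15Z bastion sshd[4125]: Failed password for jsmith from 203.0.113.45 port 51025 ssh2
2026-01-10T02:14:18Z bastion sshd[4127]: Accepted password for jsmith from 203.0.113.45 port 51026 ssh2
2026-01-10T09:02:41Z bastion sshd[5210]: Accepted publickey for ops from 192.0.2.10 port 40112 ssh2
2026-01-12T23:41:03Z bastion sshd[7732]: Accepted password for svc-backup from 203.0.113.45 port 50211 ssh2
2026-01-13T00:05:19Z bastion sshd[7750]: Accepted password for jsmith from 198.51.100.7 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Parse sshd login lines into event dicts with UTC timestamps; skip lines we don't understand."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-login lines; review them separately rather than failing the run
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def bruteforce_sources(events, threshold=3):
    """Sources with >= threshold failed logins followed by a success: a credential-guessing entry vector."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    suspects = {}
    for ip, n in failures.items():
        successes = [e for e in events if e["ip"] == ip and e["result"] == "Accepted"]
        if n >= threshold and successes:
            suspects[ip] = {
                "failed": n,
                "first_success": min(s["ts"] for s in successes),
                "accounts": sorted({s["user"] for s in successes}),
            }
    return suspects


def attacker_scope(events, attacker_ips):
    """Dwell time, accounts and hosts touched from attacker IPs, plus later logins by
    those accounts from unattributed IPs (the scope is rarely what you first think)."""
    hits = [e for e in events if e["ip"] in attacker_ips and e["result"] == "Accepted"]
    if not hits:
        return None
    first = min(e["ts"] for e in hits)
    last = max(e["ts"] for e in hits)
    accounts = sorted({e["user"] for e in hits})
    review = [
        (e["ts"], e["user"], e["ip"])
        for e in events
        if e["result"] == "Accepted" and e["user"] in accounts
        and e["ip"] not in attacker_ips and e["ts"] >= first
    ]
    return {
        "first_seen": first,
        "last_seen": last,
        "dwell_hours": round((last - first).total_seconds() / 3600, 1),
        "accounts": accounts,
        "hosts": sorted({e["host"] for e in hits}),
        "review": review,
    }


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    sources = bruteforce_sources(evs)
    scope = attacker_scope(evs, set(sources))
    print("entry vector:", sources)
    print("scope:", scope)
```

On the constructed data this attributes the intrusion to 203.0.113.45 (four failures, then success as jsmith), shows a second account (svc-backup) used from the same address almost three days later, and flags the later jsmith login from 198.51.100.7 as something to attribute before you declare the scope known. The `ops` login over a key from an unrelated address is left alone.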

Hours 24-48: Determine Your Obligations

Work with legal counsel to understand your obligations.

Notification requirements vary by:

  • State laws - Most US states require notification “without unreasonable delay”; those that set a fixed deadline generally allow 30 to 60 days, and many also require notifying the state attorney general
  • Data type - Different rules for PII, financial, health data
  • Number affected - Some thresholds trigger additional reporting
  • Industry regulations - HIPAA, GLBA, PCI all have specific requirements

Common notification requirements:

  • GDPR - 72 hours from becoming aware of the breach to notify the supervisory authority (if EU residents’ data is affected); affected individuals must be told without undue delay if the breach is likely to result in a high risk to them
  • HIPAA - Affected individuals without unreasonable delay and no later than 60 days after discovery; HHS at the same time if 500+ individuals are affected (plus notice to prominent media outlets when 500+ residents of one state or jurisdiction are affected), otherwise in an annual log to HHS
  • State AGs - Many states require notifying the attorney general once a threshold of affected residents is crossed (often 500 or 1,000); timelines vary
  • SEC - Public companies must file a Form 8-K (Item 1.05) within four business days of determining that a cybersecurity incident is material

Document everything:

  • When you discovered the breach
  • What you knew and when
  • All actions taken
  • Decisions made and rationale

This documentation is what regulators, your insurer, and litigants will ask for; it protects you legally and lets you show that you acted reasonably with what you knew at the time.
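The timeline document from the containment checklist and the “document everything” rule above share one requirement: nobody, including a well-meaning colleague tidying up later, should be able to change an entry after the fact without it being detectable. Here is an added example (not the post’s own tooling) of an append-only, hash-chained timeline in JSON Lines: every entry commits to the previous entry’s hash, so editing or deleting an earlier entry breaks verification from that point on. The incident ID, actor, and sample entries are invented for the example; in practice you would also copy the file somewhere the attacker cannot reach.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first entry


class IncidentTimeline:
    """Append-only incident timeline where each entry commits to the hash of the
    one before it. Edit or drop an entry and everything after it fails to verify."""

    def __init__(self, incident_id, actor):
        self.incident_id = incident_id  # constructed identifier, e.g. "IR-2026-001"
        self.actor = actor              # who is keeping the log
        self.entries = []

    @staticmethod
    def digest(entry):
        # Canonical JSON (sorted keys, no whitespace) so the same entry always hashes identically
        canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()

    def record(self, kind, summary, details=None, when=None):
        """Append one entry; kind is e.g. discovery, action, decision, evidence. Returns its hash."""
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "recorded_by": self.actor,
            "kind": kind,
            "summary": summary,
            "details": details or {},
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self.digest(entry)  # hash covers every field above, including prev
        self.entries.append(entry)
        return entry["hash"]

    def to_jsonl(self):
        return "".join(json.dumps(e, sort_keys=True) + "\n" for e in self.entries)


def verify_timeline(jsonl):
    """Recompute the chain over a JSON Lines file; returns (ok, seq of first bad entry or None)."""
    prev = GENESIS
    for expected_seq, line in enumerate(jsonl.splitlines()):
        entry = json.loads(line)
        claimed = entry.pop("hash", None)
        if (entry.get("seq") != expected_seq or entry.get("prev") != prev
                or IncidentTimeline.digest(entry) != claimed):
            return False, expected_seq
        prev = claimed
    return True, None


def demo():
    """Build a three-entry timeline, then alter one entry; returns both verification results."""
    t0 = datetime(2026, 1, 10, 3, 0, tzinfo=timezone.utc)  # constructed times
    tl = IncidentTimeline("IR-2026-001", "incident lead")
    tl.record("discovery", "EDR alert: interactive login to bastion from unknown address",
              {"host": "bastion"}, when=t0)
    tl.record("action", "Isolated bastion with EDR network containment", when=t0.replace(minute=12))
    tl.record("decision", "Do not power off; memory capture requested from forensics",
              {"approved_by": "IT lead"}, when=t0.replace(minute=15))
    clean = tl.to_jsonl()

    # Someone later "corrects" the containment time in entry 1 without re-hashing
    lines = clean.splitlines()
    edited = json.loads(lines[1])
    edited["summary"] = "Isolated bastion with EDR network containment at 02:30"
    tampered = "\n".join([lines[0], json.dumps(edited, sort_keys=True), lines[2]]) + "\n"
    return verify_timeline(clean), verify_timeline(tampered)


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1))
```

Re-hashing the edited entry would not help the tamperer either: the next entry’s `prev` would no longer match, so the chain still fails at the first altered line. Deleting an entry shifts the sequence numbers and fails in the same way.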

Hours 48-72: Communicate

Now it’s time to tell people.

Customer notification should include:

  • What happened (factual, without speculation)
  • What data was involved
  • What you’re doing about it
  • What they should do (change passwords, monitor accounts)
  • How to get more information (FAQ, phone number)
  • Credit monitoring offer if appropriate

Don’t:

  • Speculate about things you don’t know
  • Blame the victim (“you should have had MFA”)
  • Minimize the incident
  • Promise things you can’t deliver

Internal communications:

  • Brief all employees before external announcement
  • Provide talking points for customer-facing staff
  • Set up an internal FAQ
  • Establish clear escalation paths

Executive and board briefing:

  • Incident timeline
  • Current scope and impact
  • Response actions taken
  • Notification status
  • Ongoing investigation status
  • Resource needs

After 72 Hours: Recovery

The immediate crisis is contained. Now you rebuild.

Technical recovery:

  • Clean and restore affected systems (with forensics approval)
  • Reset all credentials company-wide, including service accounts, API keys, OAuth tokens, and active sessions (a password change alone doesn’t invalidate stolen session tokens)
  • Close the entry vector (patch the exploited vulnerability, fix the misconfiguration, replace the phished credential) and remove any persistence the attacker left behind: new accounts, scheduled tasks, web shells, added MFA devices
  • Increase monitoring on affected systems
  • Implement additional controls

Business recovery:

  • Handle customer inquiries
  • Monitor for additional exposure (dark web, etc.)
  • Support ongoing investigation
  • Prepare for regulatory inquiries

Post-incident activities:

  • Root cause analysis
  • Lessons learned session
  • Update incident response plan
  • Security program improvements
  • Board report on remediation progress

When to Get Help

Call for help if:

  • You don’t have an incident response plan
  • The breach involves ransomware
  • You’re unsure about notification requirements
  • Customer data was exfiltrated
  • The attacker is still active
  • You’re getting press inquiries

Our Post-Incident Advisory services provide strategic guidance through breach response, including root cause analysis, regulatory notification support, board communication, and building a remediation roadmap.

Prevention: Build Your Plan Before You Need It

The worst time to create an incident response plan is during an incident.

Have these ready:

  • Written incident response plan with contact information (our Startup Security Kit includes a template)
  • Pre-selected forensics firm (with contract in place)
  • Cyber insurance policy (know what it covers)
  • Notification templates (legal pre-approved)
  • Communication channels for out-of-band coordination

Test your plan:

  • Run tabletop exercises annually
  • Test backup restoration quarterly
  • Verify contact information is current
  • Review and update the plan after any incident

Need help building an incident response plan or recovering from a breach? Book a free consultation to discuss your situation.


About Lora Vaughn

Lora is a 2x CISO with 20+ years of experience in banking, fintech, and SaaS. She helps businesses build practical security programs that actually work. No buzzwords. No bloat. Just real security that makes sense for your business.
