A data breach is one of the most disorienting events a business can face. The first instinct for many organizations is to focus entirely on the technical response: find out what happened, fix the vulnerability, and restore normal operations. Those steps are necessary, but they are not sufficient. The legal obligations that attach to a breach begin running from the moment you discover the incident, and missing those obligations can transform a manageable situation into a much more serious one.
This guide walks through what you need to do in the first 72 hours, with attention to both the operational and legal dimensions of a breach response.
Step 1: Contain the Incident
Your first priority is to stop the bleeding. Containment means preventing the incident from expanding in scope while preserving as much evidence as possible. These two goals can sometimes be in tension: the fastest way to stop an attack may also destroy forensic evidence that you will need later.
Practical containment steps depend on the nature of the incident, but commonly include isolating affected systems from the network, revoking compromised credentials, disabling accounts or access paths that may have been exploited, and engaging your incident response team or a third-party forensics firm. If you do not have a pre-existing relationship with a forensics vendor, this is the moment you wish you did. Retaining outside legal counsel early, and having counsel engage and direct the forensics firm, also helps establish attorney-client privilege over the investigation, which can protect the findings from disclosure in subsequent litigation.
Do not wipe or restore affected systems before documenting them. Forensic preservation matters both for understanding what happened and for demonstrating to regulators and plaintiffs that you conducted a thorough investigation.
Step 2: Assess the Scope
Once the immediate incident is contained, you need to understand what data was affected. The legal obligations that flow from a breach depend heavily on what types of data were exposed, how many individuals are affected, and where those individuals are located.
Key questions to answer as quickly as possible:
- What categories of data were accessible in the affected systems?
- Was personal information involved, and if so, what types (names, Social Security numbers, financial account information, health information, login credentials)?
- How many individuals are potentially affected?
- In which states or countries do the affected individuals reside?
- Was the data actually accessed or exfiltrated, or merely exposed without confirmed access?
- Are any of the affected individuals employees, customers, or business partners?
The answers to these questions determine which notification laws apply and what your obligations are. Different laws impose different thresholds, timeframes, and content requirements for breach notifications.
Step 3: Identify Your Notification Obligations
This is where legal counsel becomes essential. The notification landscape is fragmented and genuinely complex, with overlapping obligations at the federal, state, and international levels.
GDPR: 72 Hours
If your business processes personal data of individuals in the European Union or European Economic Area, the General Data Protection Regulation requires you to notify the relevant supervisory authority within 72 hours of becoming aware of a breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons. This 72-hour clock is strict and has been enforced aggressively by regulators across the EU. If notification within 72 hours is not possible, you must provide the notification without undue delay and include reasons for the delay.
If the breach is likely to result in a high risk to individuals, you must also notify the affected individuals directly without undue delay.
U.S. State Laws: Variable Timelines
All 50 states have enacted data breach notification laws, but the requirements vary significantly. Some states require notification within 30 days of discovery; others allow 45, 60, or 90 days. Several states, including Florida and Colorado, have among the shorter timelines at 30 days. California's law requires notification in the most expedient time possible and without unreasonable delay.
The content requirements also vary. Some states require specific information about the nature of the breach, the data elements exposed, and the steps individuals can take to protect themselves. Others have more general requirements. A few states require notifying the state attorney general in addition to affected individuals.
Sector-Specific Requirements
If your business operates in a regulated sector, additional requirements may apply. HIPAA imposes specific breach notification requirements for covered entities and business associates. Financial institutions subject to the FTC Safeguards Rule must notify the FTC of certain breaches. Payment card industry standards impose their own notification requirements for merchants and service providers.
You may have contractual notification obligations as well. Review your customer agreements, vendor contracts, and cyber insurance policy immediately after discovering a breach. Many contracts require prompt notice to business partners, and your insurance coverage may depend on notifying the insurer within a specified timeframe.
Step 4: Document Everything
From the moment you discover the breach, begin maintaining a detailed written record of everything your organization does in response. Document when the breach was discovered, who discovered it, what steps were taken and when, what decisions were made and by whom, and what information was known at each point in time.
This documentation serves multiple purposes. It demonstrates to regulators that you responded promptly and in good faith. It supports your defense if litigation follows. It helps your forensics team reconstruct the timeline. And it is essential for completing the breach notifications that most laws require, which typically must describe when the breach was discovered and what actions were taken.
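As an added illustration (not code from this guide), a small Python record that ties Steps 2 through 4 together: it keeps the dated, attributed timeline Step 4 calls for and computes notification deadlines from the discovery time and the jurisdictions identified in Step 2, using only the clocks this guide states (GDPR 72 hours, Florida and Colorado 30 days, California with no fixed number). The clock table, jurisdiction codes and sample incident are constructed for illustration; real deadlines come from counsel.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone, timedelta

# Illustrative clock table built only from figures stated in this guide. None means
# the statute sets no fixed number (California: "most expedient time possible").
NOTIFICATION_CLOCKS = {
    "EU/GDPR": timedelta(hours=72),  # supervisory authority, from awareness
    "FL": timedelta(days=30),
    "CO": timedelta(days=30),
    "CA": None,
}

@dataclass
class TimelineEntry:
    at: datetime
    who: str
    action: str

@dataclass
class BreachRecord:
    discovered_at: datetime          # Step 4: when the breach was discovered
    jurisdictions: set               # Step 2: where affected individuals reside
    timeline: list = field(default_factory=list)

    def log(self, at, who, action):
        """Step 4: append a dated, attributed entry; earlier entries are never edited."""
        if at < self.discovered_at:
            raise ValueError("timeline entry predates discovery")
        self.timeline.append(TimelineEntry(at, who, action))

    def deadlines(self):
        """Step 3: deadline per jurisdiction; fail loudly on any clock not on file."""
        missing = self.jurisdictions - set(NOTIFICATION_CLOCKS)
        if missing:
            raise KeyError(f"no notification clock on file for {sorted(missing)}")
        return {j: (self.discovered_at + NOTIFICATION_CLOCKS[j]
                    if NOTIFICATION_CLOCKS[j] else None)
                for j in self.jurisdictions}

    def hours_remaining(self, now):
        """Hours left on the tightest fixed clock (negative = overdue); None if none is fixed."""
        fixed = [d for d in self.deadlines().values() if d is not None]
        return (min(fixed) - now).total_seconds() / 3600 if fixed else None

def sample_record():
    """Constructed sample incident (not a real case)."""
    rec = BreachRecord(datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc), {"EU/GDPR", "FL", "CA"})
    rec.log(rec.discovered_at, "SOC on-call", "alert triaged; affected hosts isolated")
    return rec
```

Run `sample_record().hours_remaining(now)` periodically during the first 72 hours; a None from `deadlines()` for a jurisdiction is a reminder that the clock there is "without unreasonable delay", not that there is no clock.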
Common Mistakes That Create Additional Liability
Several patterns reliably make a breach worse from a legal standpoint:
- Delaying notification hoping the incident stays quiet. Regulators and plaintiffs look unfavorably on companies that sat on known breach information. The delay itself becomes an independent basis for liability.
- Communicating about the breach over unprotected channels. Internal emails and Slack messages about a breach may be discoverable in litigation. Route sensitive communications through legal counsel to preserve privilege where possible.
- Issuing public statements before you understand the scope. Premature statements that turn out to be inaccurate create credibility problems and potential securities law issues for public companies.
- Failing to preserve evidence. Restoring systems from backups before forensic imaging destroys evidence and signals to regulators that your investigation was inadequate.
- Underestimating the scope. Initial assessments often undercount affected individuals. Build in margin for upward revision and do not make representations you cannot stand behind.
After 72 Hours
The 72-hour window is the most intense phase of a breach response, but it is not the end. Notification letters to affected individuals, credit monitoring services, regulatory filings, forensic reports, and potentially public disclosure all follow. If litigation results, the quality of your initial response will be scrutinized in detail.
The companies that navigate data breaches most successfully are those that have thought through their response plan before an incident occurs: a tested incident response plan, pre-established relationships with forensics and legal counsel, cyber insurance, and clear internal protocols for escalation and decision-making. Preparation does not prevent breaches, but it makes the response materially faster and less costly when one occurs.