Small Business Data Breach Response: Your First 72 Hours Action Plan
HOUR 1: Emergency Discovery Protocol
STOP - Don’t Clean Anything Yet!
Your instinct will be to fix everything immediately. DON’T.
First 15 Minutes - Emergency Checklist:
- Who found it? When exactly?
- What did they see?
- Screenshot everything possible
- Evidence preservation is crucial
- Don’t delete anything
- Don’t “fix” or clean systems yet
- Disconnect from the network
- Unplug ethernet cables
- Turn off WiFi (don’t power down)
- Call your IT person immediately
- Alert key management
- Prepare for long hours ahead
Initial Damage Assessment:
- What type of data is affected?
- Customer/employee/financial/health records?
- Rough estimate of records involved?
- Currently compromised or historical?
- Business operations disrupted?
- Signs of ongoing unauthorized access?
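As an added example (not part of the original plan), a small Python script that records the first-15-minute answers (who found it, when, what they saw) and fingerprints every preserved file, so anyone can later show the screenshots and logs were not altered; the file names and the manager’s details are constructed.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

def sha256_of(path):
    """Hash a file in chunks so large screenshots or disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_paths, found_by, found_at, observation):
    """Record who found it, when, what they saw, and a fingerprint of every preserved file."""
    return {
        "found_by": found_by,
        "found_at": found_at,            # as reported by the discoverer, e.g. "2024-03-01 08:40 local"
        "observation": observation,      # what they saw, in their own words
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "evidence": [
            {"path": p, "size": os.path.getsize(p), "sha256": sha256_of(p)}
            for p in evidence_paths
        ],
    }

def verify_manifest(manifest):
    """Re-hash every listed file; return the paths that changed or vanished since capture."""
    tampered = []
    for item in manifest["evidence"]:
        p = item["path"]
        if not os.path.exists(p) or sha256_of(p) != item["sha256"]:
            tampered.append(p)
    return tampered

if __name__ == "__main__":
    # Constructed sample evidence (hypothetical file name): a screenshot of the POS console.
    os.makedirs("evidence", exist_ok=True)
    with open("evidence/pos-screen.png", "wb") as f:
        f.write(b"\x89PNG constructed placeholder bytes")
    manifest = build_manifest(
        ["evidence/pos-screen.png"],
        found_by="J. Doe, store manager", found_at="2024-03-01 08:40 local",
        observation="Unknown admin account on the POS server; alert e-mail from IT vendor",
    )
    with open("evidence/manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)  # keep a read-only copy off the affected host
    print("Changed since capture:", verify_manifest(manifest))
```

Run it once at discovery and again before handing files to the forensic team; a non-empty list from verify_manifest means a file was touched in between.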
HOUR 1-2: Emergency Communications
Call #1: Your Cyber Insurance Provider FIRST
Before your lawyer, IT consultant, or business partner!
What to tell them:
- “We’ve discovered a potential data breach”
- Basic facts you’ve gathered so far
- Request immediate incident response team
- Ask for preferred local forensic investigators
Call #2: Law Enforcement (When Required)
You MUST involve police immediately if:
- Foreign involvement or a professional criminal organization is suspected
- Computers/devices containing data were stolen
- Extortion demands or ransom notes were received
- Your state’s law requires immediate police notification (some do)
HOUR 2-6: Professional Response Team Assembly
Forensic Investigation Team
What they’ll do in the first few hours:
- Collect evidence without disrupting it or business operations
- Reconstruct how the attackers got in and the timeline of the intrusion
- Determine exactly what information was compromised
- Recommend immediate steps to prevent further damage
Legal Counsel Engagement
A specialized cyber/privacy law attorney will:
- Identify all relevant jurisdictions and notification deadlines
- Put the investigation under attorney work-product protection
- Coordinate the insurance claims process and policy requirements
- Prepare you for potential investigations and compliance obligations
PR/Crisis Management (If Customer Data Involved)
Crisis communications team handles:
- Media statement preparation
- Customer communication strategy
- Employee communication plan
- Social media monitoring and response
- Stakeholder notification coordination
Hour 6-24: Containment and Scope Assessment
Technical Containment
Steps the forensic team will take:
- Network segmentation: Isolate affected systems without destroying evidence
- Access control review: Disable compromised accounts, reset credentials
- Malware analysis: Understand attack tools and persistence mechanisms
- Backup assessment: Determine if clean backups exist for restoration
- Vulnerability patching: Address attack vectors while preserving evidence
Data Impact Assessment
Key questions being answered:
- What specific data elements were accessed? (Names, SSNs, payment cards, health info)
- How many individuals are affected? (Customers, employees, vendors)
- What was the timeframe of unauthorized access? (Days, months, years)
- Was data copied/exfiltrated or just accessed? (Viewing vs. theft)
- What’s the likelihood of identity theft or fraud? (Risk assessment)
Business Impact Evaluation
Immediate operational concerns:
- Can business operations continue safely?
- What systems need to remain offline?
- How will you serve customers during downtime?
- What’s the financial impact of operational disruption?
- Are there supply chain or vendor implications?
Hour 12-48: Legal Requirement Analysis
State Notification Law Requirements
States with strictest timelines:
- California (CCPA): 72 hours to attorney general, 30 days to consumers
- New York (SHIELD Act): “Without unreasonable delay” (interpreted as 72 hours)
- Massachusetts: Immediate notification to AG, 60 days to consumers
- Illinois (BIPA): 72 hours to AG for biometric data
Multi-state considerations: You must comply with the STRICTEST law that applies. If you have customers in multiple states, you’re subject to all their laws.
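As an added example that is not part of the original article, the multi-state rule applied in Python: it takes the four state timelines listed above, treats the earliest applicable deadline as the one to plan around, and flags states the list does not cover so counsel looks them up instead of the clock being silently ignored. Modelling Massachusetts’s “immediate” as zero hours and applying New York’s single 72-hour reading to both audiences are assumptions.

```python
from datetime import datetime, timedelta

# Notification clocks, in hours after discovery, taken from the state list above.
# Assumptions: Massachusetts's "immediate" AG notice is modelled as 0 hours, and New York's
# single "72 hours" reading is applied to both audiences because the text names no audience.
STATE_RULES = {
    "CA": {"regulator": 72, "consumer": 30 * 24},
    "NY": {"regulator": 72, "consumer": 72},
    "MA": {"regulator": 0, "consumer": 60 * 24},
    "IL": {"regulator": 72, "biometric_only": True},   # BIPA clock only runs for biometric data
}

def strictest_deadlines(discovered_iso, affected_states, biometric=False):
    """Apply the strictest rule across every state with affected residents.

    Returns ({audience: ("YYYY-MM-DD HH:MM:SS", driving_state)}, [states with no rule here]).
    States missing from STATE_RULES are reported rather than skipped: counsel must look them up.
    """
    discovered = datetime.fromisoformat(discovered_iso)
    best, unknown = {}, []
    for state in affected_states:
        rule = STATE_RULES.get(state)
        if rule is None:
            unknown.append(state)
            continue
        if rule.get("biometric_only") and not biometric:
            continue
        for audience in ("regulator", "consumer"):
            if audience not in rule:
                continue
            due = discovered + timedelta(hours=rule[audience])
            if audience not in best or due < best[audience][0]:
                best[audience] = (due, state)       # earlier deadline wins; ties keep the first
    deadlines = {a: (d.isoformat(sep=" "), s) for a, (d, s) in best.items()}
    return deadlines, unknown

if __name__ == "__main__":
    # Constructed scenario: customers in three states, breach discovered 09:00 on 1 March.
    due, unknown = strictest_deadlines("2024-03-01 09:00:00", ["CA", "MA", "TX"])
    for audience, (when, state) in sorted(due.items()):
        print(f"{audience:9s} notice due by {when} (driven by {state})")
    print("states needing manual lookup:", unknown)
```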
Federal Law Requirements
HIPAA (Healthcare):
- 60 days to patients (unless breach affects <500 people)
- 60 days to HHS (Department of Health and Human Services)
- Media notification if breach affects >500 residents in a state
GLBA (Financial Services):
- Customer notification “as soon as reasonably practicable”
- Federal regulators notification varies by institution type
FERPA (Educational Records):
- “As soon as practicable” to affected parents/students
- Department of Education notification required
Industry-Specific Requirements
Payment Card Industry (PCI DSS):
- Acquiring bank notification: Within 72 hours
- Card brand notification: Varies by brand (24-72 hours)
- Forensic investigation: Must use PCI-approved investigator
Professional Services:
- Bar associations: Attorney-client confidentiality breaches
- Medical boards: Patient information breaches
- Accounting boards: Client financial information breaches
Hour 24-72: Notification Preparation and Execution
Customer Notification Requirements
What the notification must include (typical state requirements):
- Description of incident: What happened, when discovered
- Types of information involved: Specific data elements compromised
- Steps taken: What you’ve done to address the breach
- Contact information: How customers can reach you with questions
- Recommended actions: What customers should do to protect themselves
- Identity protection services: Free credit monitoring/identity theft services
Notification methods ranked by acceptability:
- First-class mail: Preferred by most states
- Email: Acceptable if you have current email addresses
- Website posting: Only if other methods aren’t feasible
- Media publication: Last resort for large-scale breaches
Regulatory Notifications
State Attorneys General: Most states require notification before or simultaneously with customer notification
Information typically required:
- Number of affected residents in that state
- Description of personal information involved
- Timeline of the incident and discovery
- Steps taken to address the breach
- Contact information for follow-up
Federal Trade Commission: While not legally required to notify the FTC, many attorneys recommend it for major breaches to demonstrate cooperation.
Sample Timeline: Retail Business Breach
- Hour 1: Manager discovers customer payment data may be compromised
- Hour 1.5: Insurance carrier notified, forensic team dispatched
- Hour 4: Forensic team begins investigation, determines card data accessed
- Hour 8: Legal team assembled, begins notification law analysis
- Hour 16: Scope determined - 12,000 customers affected across 15 states
- Hour 24: Notification letters designed and legal-reviewed
- Hour 48: Attorney general notifications submitted in all affected states
- Hour 60: Customer notification letters printed and mailed
- Hour 72: Media statement released, customer service lines staffed
Common 72-Hour Mistakes That Cost Big
Technical Response Errors
Mistake #1: Immediately shutting down all systems
Better approach: Isolate systems while preserving evidence
Mistake #2: Trying to “clean” infected systems before investigation
Better approach: Image systems first, then clean/rebuild
Mistake #3: Assuming the breach is contained without thorough investigation
Better approach: Assume ongoing compromise until proven otherwise
Legal and Compliance Errors
Mistake #4: Waiting to see “how bad it is” before notifying authorities
Better approach: Notify immediately based on potential, not confirmed, scope
Mistake #5: Assuming cyber insurance covers all legal requirements
Better approach: Get separate privacy law counsel familiar with all applicable laws
Mistake #6: Thinking you have more time than you actually do
Better approach: Assume the shortest possible deadlines apply to your situation
Communication Mistakes
Mistake #7: Trying to handle media inquiries yourself
Better approach: “We are investigating and will provide updates soon” - then defer to PR professionals
Mistake #8: Over-promising in initial communications
Better approach: Under-promise and over-deliver on your response
Mistake #9: Inconsistent messaging across different audiences
Better approach: Single approved messaging coordinated across all communications
Industry-Specific 72-Hour Considerations
Healthcare Practices
Additional immediate steps:
- Patient care continuity assessment
- Medical device security review
- HIPAA risk assessment initiation
- Business associate notification
- Potential OCR (Office of Civil Rights) preparation
Unique challenges:
- Cannot shut down systems that affect patient care
- Stricter privacy law requirements
- Professional licensing board implications
- Malpractice insurance coordination
Legal Firms
Additional immediate steps:
- Attorney-client privilege assessment
- Bar association notification consideration
- Trust account security verification
- Court filing system impact review
- Professional liability insurance notification
Unique challenges:
- Confidentiality obligations beyond privacy laws
- Professional conduct rule implications
- Potential conflicts of interest in representation
- Court filing deadlines that can’t be missed
Restaurants and Retail
Additional immediate steps:
- Payment processor notification
- PCI DSS forensic investigator engagement
- Point-of-sale system security assessment
- Supply chain vendor notifications
- Sales impact assessment and planning
Unique challenges:
- High customer volume makes notification expensive
- Payment card brand investigation requirements
- PCI compliance audit implications
- Seasonal business impact considerations
Preparing Your 72-Hour Response Plan
Essential Contacts List
Create and maintain current contact information for:
- Cyber insurance carrier and policy number
- Forensic investigation firms (2-3 options)
- Privacy/cyber law attorneys (2-3 options)
- Crisis PR firms (if applicable to your size)
- Key employees’ after-hours contacts
- Major vendors and business partners
- IT support providers
Pre-Incident Documentation
Prepare these documents now:
- Current network diagrams and system inventories
- Data inventory (what personal information you collect/store)
- Vendor/contractor list with data access
- Employee contact information and notification method
- Customer database contact information status
- Incident response plan checklist
- Template letters for customer notification
Training and Testing
Quarterly activities:
- Review and update incident response plan
- Test contact information (call the numbers)
- Conduct tabletop exercises with key staff
- Review and update cyber insurance policy understanding
- Update legal requirement knowledge (laws change)
- Verify backup and recovery procedures
Reality check: The first 72 hours after discovering a breach will be chaotic and stressful. Having a clear plan, good preparation, and professional help makes the difference between a manageable crisis and a business-ending catastrophe.
Take action now: Create your incident response plan using our state-specific notification requirements and consider whether your current cyber insurance coverage provides adequate breach response support.
