
The First 24 Hours After a Data Breach: A Minute-by-Minute Response Guide

By Catherine Shaw - Breach Response Coordinator & Former Big 4 Incident Response Lead

At 6:23 AM on a Tuesday, I received a call that would become one of the most chaotic days of my career. “Catherine, we think we’ve been breached. There’s a ransom note on our server. What do we do?”

The caller was the CFO of a 200-person manufacturing company. Over the next 24 hours, I guided them through containment, forensics, legal notifications, and crisis communications. We made decisions that saved them an estimated $400,000 in potential losses—and avoided several mistakes that could have voided their insurance coverage.

After coordinating response to over 150 data breaches during my time leading incident response at a Big 4 firm, I’ve developed a minute-by-minute playbook for those critical first 24 hours. The decisions you make in this window often determine whether an incident costs $50,000 or $5,000,000.

🚨 CRITICAL WARNING
If you're reading this during an active breach: Stop. Call your cyber insurance carrier's breach hotline RIGHT NOW. The number should be on your policy declarations page. Do not take any other action until you speak with them.

Immediate Actions Checklist

Print this. Put it somewhere accessible. You won’t have time to think clearly during an actual incident.

⏱️ FIRST 60 MINUTES

Hour-by-Hour Breakdown

Hour 0-1: Discovery and Initial Response

Minute 0-5: Confirm the Incident

Don’t assume the worst, but don’t dismiss warning signs. Signs of a breach include:

  • Ransom notes or unusual messages
  • Encrypted files you can’t access
  • Unusual network activity
  • Security tool alerts
  • Reports from customers about phishing from your domain
  • Unauthorized access notifications

Minute 5-15: Make the Critical Call

Call your cyber insurance carrier’s 24/7 breach hotline. This is the single most important action.

Why this matters:

  • They’ll assign a breach coach (attorney) who controls privilege
  • All subsequent communications through the attorney are protected
  • They’ll coordinate approved vendors (forensics, PR, legal)
  • Starting this process wrong can void coverage

What to tell them:

  • What you’ve observed (facts only)
  • When you discovered it
  • What systems appear affected
  • What you’ve done so far (hopefully nothing yet)

Minute 15-30: Establish Command Structure

While waiting for your breach coach callback:

  • Identify your internal incident commander (usually CEO or CTO)
  • Create a secure communication channel (assume your email is compromised)
  • Start an incident log with timestamps

Minute 30-60: Initial Containment

Your breach coach will guide this, but general principles:

  • Isolate, don’t power off: Disconnecting from network preserves evidence
  • Don’t log into affected systems: You might trigger attacker alerts
  • Preserve everything: Logs, screenshots, affected files
  • Restrict physical access: Secure the affected areas

⚠️ CRITICAL EVIDENCE RULE
Never turn off affected computers. This destroys volatile memory that forensics needs. Disconnect the network cable instead. If it's a laptop, disconnect WiFi but leave it running.
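One way to make the “preserve everything” principle concrete is to record a cryptographic fingerprint of every artefact at the moment it is collected. The script below is an added example, not the author’s tooling or anything from the article: it walks an evidence directory (exported logs, screenshots, copies of affected files, disk images), records a SHA-256 digest plus size and modification time for each file along with who collected it and when, writes that manifest outside the evidence directory, and can later confirm that nothing was altered, lost or planted before the forensic team or the insurer’s counsel receives it. The incident id, collector name and sample files are constructed placeholders.

```python
"""Evidence preservation manifest for the "preserve everything" step.

Added example, not the author's tooling. Incident ids, collector names
and the sample files created by sample_evidence() are placeholders.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB disk images need not fit in memory


def sha256_file(path):
    """SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, incident_id):
    """Walk the evidence directory and record a digest and metadata for every file."""
    root = Path(evidence_dir)
    entries = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        entries.append({
            "path": p.relative_to(root).as_posix(),
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "incident_id": incident_id,
        "collector": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
    }


def write_manifest(manifest, manifest_path):
    """Write the manifest OUTSIDE the evidence directory and return its own digest.

    Note that digest in the incident log (or send it to the breach coach) so the
    manifest itself cannot be quietly regenerated later.
    """
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    Path(manifest_path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(evidence_dir, manifest):
    """Return a list of problems; an empty list means the evidence set is intact."""
    root = Path(evidence_dir)
    problems = []
    known = set()
    for e in manifest["entries"]:
        known.add(e["path"])
        p = root / e["path"]
        if not p.is_file():
            problems.append(f"missing: {e['path']}")
        elif p.stat().st_size != e["size"] or sha256_file(p) != e["sha256"]:
            problems.append(f"hash mismatch: {e['path']}")
    # files that appeared after collection are a chain-of-custody problem too
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in known:
            problems.append(f"unexpected: {rel}")
    return problems


def sample_evidence():
    """Create a throwaway evidence directory holding constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    (root / "notes").mkdir()
    (root / "auth.log").write_text(
        "Jan 14 06:19:02 fileserver sshd[4121]: constructed sample log line\n")
    (root / "notes" / "ransom_note.txt").write_text("constructed sample ransom note text\n")
    return str(root)


if __name__ == "__main__":
    ev = sample_evidence()
    manifest = build_manifest(ev, collector="A. Analyst (placeholder)",
                              incident_id="INC-PLACEHOLDER")
    digest = write_manifest(manifest, Path(ev).parent / "INC-PLACEHOLDER-manifest.json")
    print(f"manifest digest {digest}; problems: {verify_manifest(ev, manifest)}")
```

Run it against a real evidence folder by replacing `sample_evidence()` with the folder path. The manifest deliberately lives outside the evidence tree so that `verify_manifest` does not report it as an unexpected file, and the manifest’s own digest is returned so it can be written into the timestamped incident log by hand.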

Hour 1-4: Coordination and Assessment

Hour 1-2: Breach Coach Engagement

Your insurance-assigned breach coach (an attorney specializing in incidents) will:

  • Establish attorney-client privilege for the investigation
  • Engage forensic investigators from approved vendor list
  • Advise on notification obligations
  • Coordinate all communications

Everything goes through the breach coach. This is crucial for:

  • Legal privilege protection
  • Insurance coverage protection
  • Regulatory compliance

Hour 2-4: Initial Forensic Assessment

The forensic team will begin:

  • Capturing system images for analysis
  • Reviewing available logs
  • Identifying the attack vector
  • Assessing the scope of compromise

You’ll start getting preliminary answers:

  • What type of attack is this?
  • What systems are affected?
  • Is the attacker still in the network?
  • What data may be exposed?

Hour 4-8: Scoping and Decision-Making

Critical Decisions (with your breach coach):

  1. Containment Strategy

    • Full network shutdown vs. surgical isolation
    • Business continuity considerations
    • Evidence preservation requirements
  2. Communication Approach

    • Internal: Who needs to know, what to tell them
    • External: Customers, partners, regulators
    • Public: If/when to make statements
  3. Ransom Considerations (if applicable)

    • This is NOT a simple yes/no decision
    • Legal implications (OFAC sanctions)
    • Practical considerations (will they actually decrypt?)
    • Insurance coverage implications

Hour 4-8 Checklist:

  • Forensic team on-site or connected remotely
  • Initial scope assessment completed
  • Key stakeholders briefed (under privilege)
  • Communication plan drafted
  • Business continuity options identified
  • Regulatory notification timeline determined

Hour 8-16: Investigation and Stabilization

Forensic Deep Dive: By now, forensics should have preliminary findings on:

  • Entry point: How attackers got in
  • Dwell time: How long they were in your network
  • Lateral movement: What systems they accessed
  • Data exfiltration: What data may have been stolen
  • Persistence: Whether they can still access your systems

Business Continuity Decisions:

  • Can you operate on backup systems?
  • What manual workarounds are possible?
  • How do you communicate with customers?
  • What’s the timeline to restore operations?

Notification Planning: Your breach coach will help determine:

  • Which state breach notification laws apply
  • Regulatory notification requirements (HIPAA, GDPR, etc.)
  • Customer notification timing and content
  • Whether law enforcement should be contacted

Hour 16-24: Action and Recovery Planning

Key Activities:

  1. Finalize Notification Strategy

    • Draft customer notification letters
    • Prepare FAQ documents
    • Set up call center if needed
    • Plan credit monitoring offerings
  2. Begin Recovery

    • Rebuild clean systems
    • Restore from verified clean backups
    • Implement additional security controls
    • Plan phased return to operations
  3. Document Everything

    • Timeline of events
    • Decisions made and rationale
    • Evidence preserved
    • Costs incurred
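The “incident log with timestamps” started in the first hour and the “document everything” step above both produce a record that may later be read by the insurer, regulators or opposing counsel. The class below is an added example, not the author’s tooling: an append-only log where each entry carries a UTC timestamp, an actor, a kind (observation, action, or decision with its rationale) and the SHA-256 of the previous entry, so a reviewer can show the timeline was not edited after the fact. The hash chain is an addition beyond the article’s own advice; actors, times and texts below are constructed.

```python
"""Append-only, hash-chained incident log.

Added example, not the author's tooling. The hash chain goes beyond the
article's "incident log with timestamps"; all sample values are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous digest" recorded on the first entry


def _ts(ts=None):
    """Normalise to an ISO-8601 UTC timestamp; accepts None, datetime or ISO string."""
    if ts is None:
        return datetime.now(timezone.utc).isoformat()
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    return ts.astimezone(timezone.utc).isoformat()


def _digest(body):
    # canonical JSON so the digest does not depend on key order or whitespace
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class IncidentLog:
    KINDS = ("observation", "action", "decision")

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor, kind, text, ts=None):
        """Append one entry and return its digest. 'observation' entries are facts only;
        'decision' entries should carry the rationale in the text."""
        if kind not in self.KINDS:
            raise ValueError(f"kind must be one of {self.KINDS}")
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": _ts(ts), "actor": actor,
                "kind": kind, "text": text, "prev": prev}
        entry = dict(body, digest=_digest(body))
        self.entries.append(entry)
        return entry["digest"]

    def verify(self):
        """True if every entry's digest matches its body and links to the entry before it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "digest"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def elapsed_minutes(self):
        """Minutes between the first (discovery) entry and the latest entry."""
        if len(self.entries) < 2:
            return 0
        first = datetime.fromisoformat(self.entries[0]["ts"])
        last = datetime.fromisoformat(self.entries[-1]["ts"])
        return int((last - first).total_seconds() // 60)

    def to_jsonl(self):
        """One JSON object per line; append-friendly and easy to hand over as an exhibit."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries) + "\n"

    @classmethod
    def from_jsonl(cls, incident_id, text):
        log = cls(incident_id)
        log.entries = [json.loads(line) for line in text.splitlines() if line.strip()]
        return log


if __name__ == "__main__":
    log = IncidentLog("INC-PLACEHOLDER")
    log.record("CFO", "observation", "Ransom note found on file server")
    log.record("CFO", "action", "Called cyber insurance breach hotline")
    log.record("IT lead", "decision",
               "Unplugged file server network cable; left powered on to preserve memory")
    print(log.to_jsonl(), "intact:", log.verify())
```

Keep the log file on a device outside the affected environment (the out-of-band channel the article recommends) and periodically note the latest digest somewhere else, such as a message to the breach coach; anyone can then re-run `verify()` on the handed-over file and compare the final digest.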

What NOT to Do (Critical Mistakes)

Mistake 1: Paying Ransom Before Calling Insurance

I’ve seen this destroy coverage. One company paid a $300K ransom within 4 hours of discovery—before even contacting their insurer. Claim denied. They violated the policy requirement to get pre-authorization.

Mistake 2: Destroying Evidence

In panic, an IT admin at one client wiped and rebuilt all affected servers. This:

  • Destroyed forensic evidence
  • Made it impossible to determine what was stolen
  • Complicated the insurance claim
  • May have violated legal hold obligations

Mistake 3: Making Premature Public Statements

A CEO tweeted “We’ve been hacked but customer data is safe” within hours of an incident. Forensics later revealed customer data WAS exposed. That tweet became exhibit A in a class action lawsuit.

Mistake 4: Using Compromised Communication Channels

Don’t discuss the incident over company email—it may be monitored by attackers. Use:

  • Personal cell phones
  • Out-of-band communication tools
  • In-person conversations for sensitive decisions

Mistake 5: Not Calling Insurance First

Your policy likely requires “prompt notice.” Some define this as 24-72 hours. Even if not strictly required, calling first ensures:

  • Privileged investigation structure
  • Approved vendor coordination
  • Coverage protection
  • Expert guidance from minute one

The Insurance Coordination Flow

Here’s how the insurance process should work:

Discovery → Call Insurer → Breach Coach Assigned → Forensics Engaged
                ↓
         All coordination through breach coach
                ↓
    [Legal Protection] [Coverage Protection] [Expert Guidance]
                ↓
         Notification → Recovery → Claim Resolution

What Your Insurer Provides

Immediate (within hours):

  • 24/7 breach hotline
  • Breach coach assignment
  • Forensic vendor coordination

Short-term (days 1-7):

  • Forensic investigation funding
  • Legal guidance and counsel
  • Crisis communication support
  • Notification letter templates
  • Call center resources

Medium-term (weeks to months):

  • Credit monitoring for affected individuals
  • Regulatory response support
  • Legal defense if lawsuits arise
  • Business interruption payments

Building Your Response Capability NOW

Don’t wait for an incident. Prepare today:

Essential Pre-Work

1. Know Your Breach Hotline Number

Find it now. Put it in your phone. Put it on a card in your wallet. Share it with key employees.

2. Identify Your Response Team

  • Incident Commander: Usually CEO/President
  • Technical Lead: CTO/IT Director
  • Communications Lead: Marketing/PR head
  • Legal Liaison: General counsel or outside counsel
  • Finance Lead: CFO (for payment decisions)

3. Create Out-of-Band Communications

Set up a communication method that doesn’t rely on your corporate infrastructure:

  • Personal cell phone group
  • Signal or WhatsApp group
  • Secondary email accounts

4. Document Your Environment

Maintain current documentation of:

  • Network diagrams
  • Asset inventory
  • Data locations
  • Backup procedures
  • Vendor contacts

5. Review Your Policy

Know before an incident:

  • Notification requirements (how fast?)
  • Pre-authorization requirements
  • Approved vendor panels
  • Coverage sublimits
  • Deductible amounts

Tabletop Exercise

Run through this scenario with your team annually:

“It’s 7 AM Monday. Your IT admin calls: ‘All our files are encrypted. There’s a note demanding 50 Bitcoin.’ What do you do in the next 60 minutes?”

Document who does what. Identify gaps. Fix them.

Quick Reference Card

Print this and keep it accessible:

🚨 BREACH RESPONSE QUICK REFERENCE
1. STOP - Don't panic. Don't "fix" anything. Don't turn off computers.
2. CALL - Insurance breach hotline: ________________
3. DOCUMENT - Screenshot everything. Note timestamps.
4. ISOLATE - Disconnect network cables. Don't power off.
5. WAIT - For breach coach guidance before further action.
Internal contacts: CEO _________ | CTO _________ | Legal _________
The first 24 hours after a breach are chaotic, stressful, and consequential. Having a plan—and following it—can mean the difference between a manageable incident and a company-ending catastrophe. Prepare now, while you have time to think clearly.
