Learning Center Home > Data Security > How to Respond to a Data Breach

How to Respond to a Data Breach

Data Security

The following information is a part of our free cybersecurity and compliance Academy course.

Free Data Security Education

Sign Up for Academy

How to Respond to a Data Breach Overview

No organization wants to find themselves in the middle of a data breach, but how you prepare for that possibility can determine how much damage it ultimately causes. Well-prepared businesses can diminish bad press, reduce negative impacts, and lower potential fines.

In this section, we’ll help you understand why you need to think about data breaches before they happen and why you need to have a tested incident response plan in place.

We’ll discuss how you can prepare for a data breach, what needs to be included in your incident response plan, and what to do if you are breached.

A successful data security program is all about striking the right balance between breach prevention and breach management. Both are crucial; both need your attention. 

Use the tips from this section to better plan for a data breach at your organization.

Think You've Had a Data Breach?

Get Help

Consequences of a Data Breach

Unfortunately, nearly every organization will experience system attacks, with some of these attacks successfully breaching an organization’s security.

If breached, and data is compromised, you may be liable and face serious fines. Depending on possible legal fees and fines, federal and municipal fines, and increased processing fees, you may have to pay for the following:


  • Forensic investigation: $12,000 – $100,000
  • Free credit monitoring for affected individuals: $10 – $30/card or record
  • ID theft monitoring: $10 – $30/card or record
  • Security updates: $15,000+
  • Lawyer fees: $5,000+
  • Breach notification costs: $1,000+
  • Technology repairs: $2,000+

TOTAL POSSIBLE COST: $35,000 – $123,000+



  • Merchant processor compromise fine: $5,000 – $50,000
  • Card brand compromise fees: $5,000 – $500,000
  • Onsite QSA assessments following the breach: $20,000 – $100,000
  • Card re-issuance penalties: $3 – $10 per card

TOTAL ADDITIONAL COST: $30,000 – $650,000+


  • Civil penalties (from the OCR): Up to $1.5 million/violation/year
  • State attorney generals: $150,000 - $7 million
  • Business associate changes: $5,000+
  • Class action lawsuits: $1,000/record
  • Patient Loss: 40%

TOTAL ADDITIONAL COST: $172,000 – $1.7 million+


  • GDPR fines for serious violations (e.g., insufficient customer consent to process data, violation of the core “Privacy by Design” concepts): Up to €20 million or 4% of your Global Annual Turnover (aka revenue), whichever is greater

  • GDPR fines for less-serious violations (e.g., not having records in order, not notifying the supervising authority and data subject about a breach): Up to €10 million or 2% of your Global Annual Turnover, whichever is greater

TOTAL ADDITIONAL COST: Up to €20 million or 4% of your Global Annual Turnover, whichever is greater

A well-executed incident response plan can minimize breach impact, reduce fines, decrease negative press, and help you get back to business more quickly. In an ideal world and if you’re following security practices, you should already have an incident response plan prepared and employees trained to quickly deal with a data breach situation.

But if you don’t have a plan, employees will scramble to figure out what they’re supposed to do, and that’s when mistakes can occur. For example, if employees wipe a system without first creating images of the compromised systems, then you would be prevented from learning what happened, how much data was at risk, and what you can do to avoid reinfection.

No one wants to go through a data breach, but it’s essential to be prepared for one.



Think You've Had a Data Breach?

Get Help

Compliance Requirements for a Data Breach

Different compliance mandates may require different breach procedures, especially regarding how, when, and who needs to be notified about a data breach. For example:


For PCI-related breaches, you need  to alert all necessary parties immediately after discovering any suspected or confirmed unauthorized access, including payment card brands, merchant banks, and any other entities that might require notification by contract or law.

You’ll then likely need to provide payment card brands your PCI DSS compliance status with 48 hours (or less).

Within 72 hours, your organization must perform an initial forensic investigation and send your findings to payment card brands.

They will then likely require you to perform an independent forensic investigation, completed by a Payment Card Industry Forensic Investigator or PFI–who isn’t the same company you use for other PCI services. Then the PFI will make recommendations on how you should prioritize containment and secure cardholder data.


For HIPAA-related breaches, the Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured patient data.

Covered entities are just as liable if their business associate is found to be in breach of HIPAA requirements.

If you’re a covered entity, your statements must be sent to affected patients by first-class mail (or email if the affected individuals agreed to receive notices) as soon as reasonably possible. This must be no later than 60 days after breach discovery.

If 10 or more individuals’ information is out-of-date or insufficient or the breach affects more than 500 residents of a state or jurisdiction, post the statement on your website for at least 90 days and provide notice in major print or broadcast media in affected areas.

Covered entities also need to notify the Secretary of the HHS about the breach. If a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis. But if a breach affects 500 or more individuals, covered entities must notify the Secretary of the HHS within 60 days following a breach (if not immediately).

If you’re a business associate, notify affected covered entities after discovering a data breach immediately (and no later than 60 days after discovering the data breach). Identify each individual affected by the breach and send this information to all affected covered entities.


For GDPR-related breaches, a PII data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Supervisory authorities must be told within 72 hours of when the controller becomes aware of a data breach where feasible, unless the controller can demonstrate that the breach is unlikely to result in risk to the rights of the data subject. If applicable, controllers may give reasons for delaying notification. But if individuals face an adverse impact, contact individuals directly.

Failure to report a breach when required to do so could result in a fine, in addition to the fine for the breach itself.


Download the latest guide to PCI compliance

Download Now

Incident Response Phases

An incident response plan should be set up to address a suspected data breach in a series of phases with specific needs to be addressed. The incident response phases are:

  1. Prepare

  2. Identify

  3. Contain

  4. Eradicate

  5. Recover

  6. Review




Preparation often takes the most effort in your incident response planning, but it’s by far the most crucial phase to protect your organization. This phase includes the following steps:

  • Ensure your employees receive proper training regarding their incident response roles and responsibilities

  • Develop and regularly conduct tabletop exercises (i.e., incident response drill scenarios) to evaluate your incident response plan

  • Ensure that all aspects of your incident response plan (e.g., training, hardware and software resources) are approved and funded in advance


Identification (or detection) is the process where you determine whether you’ve actually been breached by looking for deviations from normal operations and activities.

An organization normally learns they’ve been breached in one of four ways:

  • The breach is discovered internally (e.g., review of intrusion detection system logs, alerting systems, system anomalies, or anti-virus scan malware alerts)

  • Your bank informs you of a possible breach based on reports of customer credit card fraud

  • Law enforcement discovers the breach while investigating the sale of stolen card information

  • A customer complains to you because your organization was the last place they used their card before it began racking up fraudulent charges.

It’s important to discover a data breach quickly, identify where it’s coming from, and pinpoint what it has affected.


When an organization becomes aware of a possible breach, it’s understandable to want to fix it immediately. However, without taking the proper steps and involving the right people, you can inadvertently destroy valuable forensic data. Forensic investigators use this data to determine how and when the breach occurred, how much data was accessed, and to help devise a plan to prevent similar future attacks.

When you discover a breach, remember:

  • Don’t panic

  • Don’t make hasty decisions

  • Don’t wipe and reinstall your systems (yet)

Steps to consider during Containment and Documentation: 

  • Stop the leakage of sensitive data as soon as possible

  • Unplug affected systems from the network, rebuild clean new systems and keep old systems offline. This is the best option if it’s possible, it allows a forensic investigator to evaluate untouched systems. This is easier to do in virtual server environments but can be costly otherwise.

  • If system replacement is not possible, the next main task would be documentation. This means you need to preserve as much information as possible for forensic analysis. If you know how to take a complete image of your system do so. If you know where the virus files are, copy that directory to a backup. Resort to screenshots or phone videos of behaviors as a last resort before taking action to change the systems.

  • Call in a professional forensic investigator to help learn about the breach. In some industries, this may be a required step–for example, when credit card data is stolen–but it’s always recommended to get forensic analysts involved, so you can develop better future processes.


After containing the incident, you need to find and eliminate policies, procedures, or technology that led to the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.

Whether you or a third party do this, you need to be thorough. If any trace of malware or security issues remain in your systems, you may still be losing sensitive data, increasing your liability.

Your incident response plan needs to be put in motion immediately after learning about a suspected data breach.


Recovering from a data breach is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again.

Remember, that before you consider reintroducing the previously compromised systems back into your production environment, you need to ensure that all systems have been hardened, patched, replaced, and tested.


After the forensic investigation, meet with all incident response team members and discuss what you’ve learned from the data breach, reviewing breach events in preparation for the next attack.

This phase is where you will analyze everything about the breach. Determine what worked well and what didn’t in your response plan. Then revise your incident response plan.


Do You Need a Penetration Test?

Find out Here

What to Include in an Incident Response Plan

Creating an incident response plan can seem overwhelming. To simplify the process, develop your incident response plan in smaller, more manageable procedures.

While every organization will need varying policies, training, and documents, there are a few itemized response lists that most organizations need to include in their incident response plans, such as:

  • Emergency contact/communications list

  • System backup and recovery processes list

  • Forensic analysis list

  • Jump bag list

  • Security policy review list


Proper communication is critical to successfully managing a data breach, which is why you need to document a thorough emergency contact/communications list. This list should contain information about: who to contact, how to reach these contacts, the appropriate timelines to reach out, and what they should say to external parties.

Your public response to the data breach will be judged heavily, so review your statements thoroughly.


Your system backup and recovery processes list will help you deal with the technical aspects of a data breach. This list helps you preserve any compromised data, quickly handle a data breach, and preserve your systems through backups. By creating and implementing this list, your organization can lessen further data loss and help you return to normal operations as quickly as possible.


A forensics analysis list is for organizations that use in-house forensic investigations resources. Your forensic team will need to know where to look for irregular behavior and have access to system security and event logs. If your organization doesn’t have access to an experienced computer forensic examiner in-house, you will want to consider vetting a forensics firm in advance with pre-completed agreements. This helps ensure you get an experienced investigator when you need it.


Your jump bag list is for grab-and-go responses (i.e., when you need to respond to a breach quickly). This list should include overall responses and actions employees need to take immediately after a breach. Your list will keep your plan organized and prevent mistakes caused by panic.


Your security policy review list deals with your response to a breach and its aftermath. This list helps you analyze the breach, so you can learn what to change. You should look at where your security controls failed, and how to improve them. The purpose of this list is to document the entire incident, what was done, what worked, what didn’t, and what was learned.


Test your Incident Response Plan

An incident response plan is only useful if it is properly established and followed by employees.

To help staff, regularly test their reactions through real-life simulations or what’s known as tabletop exercises. Tabletop exercises allow employees to learn about and practice their incident response roles when nothing is at stake, which can help you discover gaps in your incident response plan such as, communication issues.



In a discussion-based table exercise, you and your staff discuss response roles in hypothetical situations. A discussion-based tabletop exercise is a great starting point because it doesn’t require extensive preparation or resources, while still testing your team’s response to real-life scenarios without risk to your organization.

However, this exercise can’t fully test your incident response plan or your team’s response roles.


In a simulation exercise, your team tests their incident responses through a live walkthrough test that has been highly choreographed and planned. This exercise allows participants to experience how events actually happen, helping your team better understand their roles.

However, simulation exercises require a lot of time to plan and coordinate, while still not fully testing your team’s capabilities.


In parallel testing, your incident response team actually tests their incident response roles in a test environment. Parallel testing is the most realistic simulation possible and provides your team with the best feedback about their roles.

However, parallel testing is more expensive and requires more time planning than other exercises because you need to simulate an actual production environment.


Think You've Had a Data Breach?

Get Help

How to Respond to a Data Breach Quiz

Question 1:

Should your organization have an incident response plan set up to address a suspected data breach? (Choose only ONE best answer.)

  1. Yes

  2. No

Question 2: 

How often should you review your incident response plan? (Choose only ONE best answer.)

  1. Never

  2. Every other year

  3. Regularly (e.g., at least annually)

Question 3:

A well-executed incident response plan can: (Choose only ONE best answer.)

  1. Minimize breach impact

  2. Reduce fines

  3. Decrease negative press

  4. Help you get back to business more quickly

  5. All of the above

Question 4:

TRUE OR FALSE: An incident response plan is only useful if it is properly established and followed by employees.  (Choose only ONE best answer.)

  1. True

  2. False

Answer Code: Q1: 1, Q2: 3, Q3: 5, Q4: 2

Free Data Security Education

Sign Up for Academy