Data Breach Response Checklist

Generate a data breach response plan and notification checklist

Result
Response Checklist
IMMEDIATE (0-24 hours):
1. Contain the breach - isolate affected systems
2. Preserve evidence - do not delete logs or affected data
3. Assemble incident response team
4. Document timeline of events
5. Assess scope and nature of compromised data

SHORT-TERM (24-72 hours):
6. Notify legal counsel
7. Determine notification obligations
8. GDPR: Notify supervisory authority within 72 hours
9. Check state-specific breach notification laws
10. Prepare notification to affected individuals
11. Engage forensic investigators if needed

MEDIUM-TERM (1-4 weeks):
12. Send breach notifications to affected individuals
13. Offer credit monitoring if financial/identity data exposed
14. Issue public statement if required
15. Implement immediate security improvements

LONG-TERM:
16. Conduct full post-incident review
17. Update security policies and procedures
18. Provide additional staff training
19. Document lessons learned
Breach Summary: Unauthorized access affecting PII data for an unknown number of individuals
Severity: Medium
Notification Timeline: 72 hours for authority notification

About This Tool

Generate an incident-response checklist tailored to your situation. Pick the type of breach (credential stuffing, ransomware, exposed S3 bucket, insider, third-party vendor), how long ago you discovered it, and what data classes were affected. The output is a phase-by-phase task list: contain, assess, notify, remediate, document.

The checklist references the regulatory clocks you should know about. GDPR gives you 72 hours to notify the supervisory authority when people in the EU are affected, and that clock starts when you become aware of the breach, not when the intrusion happened; notice to the affected individuals themselves is a separate, risk-based obligation. HIPAA gives covered entities an outer bound of 60 calendar days after discovery, but the rule also says "without unreasonable delay", so 60 days is a ceiling rather than a target. US state rules vary: some fix a number between 30 and 90 days, many only say "without unreasonable delay", and several add a separate notice to the state attorney general once the count of affected residents crosses a threshold. Hitting these windows requires that legal and comms be looped in early, not after technical work finishes.

This is not a substitute for actual incident-response counsel. Most companies that handle a breach poorly do so because the playbook lived in someone's head. Print this, hand it to your incident commander, then call your lawyer.

The phases the generator walks through:

Contain: revoke credentials, isolate affected systems, preserve forensic evidence, reset secrets and rotate keys. Capture volatile state (memory, running processes, open network connections) before you isolate or power off a host, because isolation often destroys it.

Assess: scope of data accessed, attacker dwell time, persistence mechanisms, lateral movement.

Notify: regulators within mandated windows, affected users when required, payment networks for cardholder data, business partners under contractual obligations.

Remediate: patch the underlying vulnerability, harden the affected systems, deploy compensating controls.

Document: timeline of events, decisions made, evidence preserved, lessons learned.

Worked example: a customer's credentials are leaked from a third-party service and reused to log into your app. Affected: the user's name, email, and order history visible in their account. Generator output: contain by force-resetting the user's password and invalidating every active session and token on the account; rate-limit logins from the suspicious source IPs; check whether the same IPs or user agents hit other accounts, since a leaked credential list is rarely used against one user. Assess by checking access logs to determine what specifically was viewed or exported from the attacker's session and over what window, keeping the user's own activity separate from the attacker's. Notify the user (depending on jurisdiction and data class). Document the incident, record the third-party source, and add credential-stuffing defenses (CAPTCHA, MFA, IP reputation, checks against known-leaked passwords) to the roadmap. GDPR's notification clock only runs if someone in the EU is affected; even then, Article 33 lets you skip notifying the authority when the breach is unlikely to result in a risk to the individual, but Article 33(5) still requires you to record the breach and your reasoning internally.
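The "assess" step of that scenario, run over a constructed log, as an added example that is not part of the page's generator or its output. It answers the two questions the checklist raises: which source IPs show the credential-stuffing pattern (many distinct accounts attempted from one IP, mostly failing), and, for the account that was actually compromised, what the attacker's session read and over what window. The log format, the event names (`login_fail`, `login_ok`, `access`), the thresholds and the `export` heuristic are all assumptions for this example.

```python
"""Credential-stuffing triage over a constructed auth/access log.

Added example; the log format, field and event names and the thresholds
are assumptions, not the page's or any product's real schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): timestamp|event|user|src_ip|resource
# 203.0.113.5 sprays eight accounts and succeeds on one (heidi), then reads
# her data. 198.51.100.7 is a normal user mistyping once. heidi's own login
# later in the morning from 192.0.2.10 must stay out of the attacker scope.
SAMPLE_LOG = """\
2024-03-01T02:00:01Z|login_fail|alice|203.0.113.5|-
2024-03-01T02:00:02Z|login_fail|bob|203.0.113.5|-
2024-03-01T02:00:03Z|login_fail|carol|203.0.113.5|-
2024-03-01T02:00:04Z|login_fail|dave|203.0.113.5|-
2024-03-01T02:00:05Z|login_fail|erin|203.0.113.5|-
2024-03-01T02:00:06Z|login_fail|frank|203.0.113.5|-
2024-03-01T02:00:07Z|login_fail|grace|203.0.113.5|-
2024-03-01T02:00:09Z|login_ok|heidi|203.0.113.5|-
2024-03-01T02:00:15Z|access|heidi|203.0.113.5|/account/profile
2024-03-01T02:01:02Z|access|heidi|203.0.113.5|/orders/1001
2024-03-01T02:01:30Z|access|heidi|203.0.113.5|/orders/1002
2024-03-01T02:03:40Z|access|heidi|203.0.113.5|/orders/export.csv
2024-03-01T08:10:00Z|login_fail|dave|198.51.100.7|-
2024-03-01T08:10:12Z|login_ok|dave|198.51.100.7|-
2024-03-01T08:10:20Z|access|dave|198.51.100.7|/account/profile
2024-03-01T09:00:00Z|login_ok|heidi|192.0.2.10|-
2024-03-01T09:00:05Z|access|heidi|192.0.2.10|/orders/1003
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse pipe-separated lines into event dicts; '-' means no resource."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src_ip, resource = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, TS_FMT),
            "event": event,
            "user": user,
            "src_ip": src_ip,
            "resource": None if resource == "-" else resource,
        })
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that tried many distinct accounts with a high failure
    ratio: the credential-stuffing signature. Thresholds are assumptions;
    tune them against your own login baseline before alerting on them."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                  "failures": 0, "compromised": []})
    for e in events:
        if e["event"] not in ("login_fail", "login_ok"):
            continue
        s = per_ip[e["src_ip"]]
        s["accounts"].add(e["user"])
        s["attempts"] += 1
        if e["event"] == "login_fail":
            s["failures"] += 1
        else:
            s["compromised"].append(e["user"])  # a success from a spraying IP
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts": len(s["accounts"]),
                "attempts": s["attempts"],
                "failures": s["failures"],
                "compromised": sorted(set(s["compromised"])),
            }
    return flagged


def scope_account_access(events, user, src_ip):
    """Bound the attacker's window on one account (first successful login from
    the attacking IP to its last event) and list what was read. Filtering on
    src_ip keeps the user's own later activity out of the scope."""
    mine = [e for e in events if e["user"] == user and e["src_ip"] == src_ip]
    logins = [e for e in mine if e["event"] == "login_ok"]
    if not logins:
        return None
    start = logins[0]["ts"]
    in_window = [e for e in mine if e["ts"] >= start]
    end = max(e["ts"] for e in in_window)
    resources = sorted({e["resource"] for e in in_window if e["event"] == "access"})
    return {
        "first": start.strftime(TS_FMT),
        "last": end.strftime(TS_FMT),
        "duration_s": int((end - start).total_seconds()),
        "resources": resources,
        # Heuristic (assumption): an export endpoint means bulk data left the app.
        "bulk_export": any("export" in r for r in resources),
    }


def triage(text=SAMPLE_LOG):
    """Full report: flagged IPs, and per compromised account the access scope."""
    events = parse_log(text)
    report = {}
    for ip, stats in find_stuffing_sources(events).items():
        report[ip] = {
            "stats": stats,
            "accounts": {u: scope_account_access(events, u, ip)
                         for u in stats["compromised"]},
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

The report gives the incident commander the two facts the notification decision hinges on: which accounts a spraying IP actually got into, and the exact resources and time window of the attacker's session on each. Scoping by attacking IP rather than by user matters because the user's own later logins (heidi at 09:00 here) would otherwise inflate what you report as accessed.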

Where the checklist isn't enough: every breach is unique. Ransomware adds backup-validity questions (do your backups predate the encryption, and were they offline or immutable so the attacker could not reach them?) and a payment-decision posture (you don't pay, except sometimes you do, and that decision needs lawyers, possibly law enforcement, and a check that the recipient is not a sanctioned entity). Insider threats add HR and legal entanglements. Cloud misconfigurations require rebuilding trust in your IaC pipeline, not just fixing the one bucket. Use the checklist as the floor, not the ceiling. The first 24 hours decide whether the response is competent or chaotic, so practice tabletop exercises before you need them in production. Companies with incident-response retainers and existing legal relationships move faster than companies trying to find a forensics firm at 3am during an active breach.

The about text and FAQ on this page were drafted with AI assistance and reviewed by a member of the Coherence Daddy team before publishing. See our Content Policy for editorial standards.

Frequently Asked Questions