
What to Do in the First 24 Hours After a Data Breach: A Step-by-Step Guide

The moment you discover a data breach, the clock starts ticking. Decisions made in the first 24 hours determine whether the incident remains contained or spirals into a catastrophic business failure. This guide covers exactly what to do, hour by hour.

Last updated: April 2026

Hour 1: Immediate Containment

Your first instinct may be to shut down every server or start deleting suspicious files. Resist this urge. Traditional IT responses often conflict with forensic requirements. Deleting a compromised account or formatting a hard drive can destroy the only evidence that proves what the attacker actually touched.

Isolate, Do Not Delete

Instead of shutting down systems, isolate them from the network. If a specific workstation or server is compromised, disconnect its network cable or disable its Wi-Fi. This cuts off the attacker's lateral movement without wiping the volatile memory (RAM) where active malware often resides.

Change Administrative Credentials

If you suspect a credential leak, immediately change the passwords for all administrative accounts, including domain admins, cloud console owners, and database administrators. Force a logout on all active sessions.

Secure Your Backups

Attackers frequently target backups first to ensure you have no choice but to pay a ransom. Verify that your backups are offline or air-gapped from the main network. If your backups are connected to the network, disconnect them immediately so they cannot be encrypted as well.

Hours 2-4: Assemble Your Response Team

A data breach is not a standard IT ticket. Your internal IT team may be excellent at maintaining uptime, but they are rarely trained in digital forensics or the chain of custody required for legal defense.

Contact Your Insurance Provider

Most cyber insurance policies require notification before you hire an outside firm. Insurers typically have a panel of pre-approved incident response firms and legal counsel. Calling them early ensures your costs remain covered.

Engage a Forensic Specialist

You need an emergency incident response firm to perform a triage of the environment. These specialists look for indicators of compromise (IOCs) to determine how the attacker got in and whether they are still present.

Notify Legal Counsel

You need a breach coach — a lawyer specializing in data privacy — to oversee the investigation. This ensures that the work performed by forensic investigators remains under attorney-client privilege, which protects your business during potential future litigation.

Hours 5-8: Identify the Scope

Once the immediate bleeding is stopped, you must determine what was taken. Not all breaches are equal in the eyes of the law. Your regulatory exposure depends entirely on the type of data involved.

PII

Names, Social Security numbers, driver's license numbers, and birth dates. Every state has its own notification laws for PII theft.

PHI (HIPAA)

Protected health information triggers federal reporting to HHS within 60 days. Media notification is also required if 500 or more individuals in a single state are affected.

PCI

Credit card data triggers PCI-DSS requirements including notification to card brands and a mandatory forensic audit.
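Scoping a breach by data type is usually a pattern-matching pass over the affected exports or suspected exfiltration staging files. The following is an added example, not part of the original article or any vendor's tooling: it flags records containing Social Security numbers (PII) and Luhn-valid payment card numbers (PCI) so each record can be mapped to the notification regime it triggers. The sample records are constructed, and the classification rules are a deliberately narrow illustration; PHI cannot be identified by a regular expression alone and depends on where the records came from.

```python
import re

# Constructed sample export (not real data): the kind of file a scoping pass
# reviews to decide which regulatory categories the incident falls under.
SAMPLE_RECORDS = [
    "customer=alice ssn=123-45-6789 card=4111 1111 1111 1111",
    "customer=bob order=20260401 total=199.99",
    "customer=carol card=4111111111111112",  # 16 digits but fails Luhn: not a PAN
    "customer=dave dob=1980-02-03 ssn=987-65-4320",
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers. It filters out random
    digit runs (order ids, timestamps) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalized card numbers found in text that pass length and Luhn checks."""
    pans = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def classify_records(records) -> dict[str, list[int]]:
    """Map regulatory category -> indexes of records containing that data type."""
    hits = {"PII": [], "PCI": []}
    for idx, rec in enumerate(records):
        if SSN_RE.search(rec):
            hits["PII"].append(idx)
        if find_pans(rec):
            hits["PCI"].append(idx)
    return hits


if __name__ == "__main__":
    for category, rows in classify_records(SAMPLE_RECORDS).items():
        print(f"{category}: {len(rows)} record(s) -> rows {rows}")
```

The Luhn filter is what keeps the PCI count honest: the third record contains a 16-digit number that is not a valid card number and is correctly left out, so the card-brand notification and forensic audit obligations are not triggered by noise.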

Hours 9-12: Evidence Preservation

During this phase, the forensic team will begin creating images of your servers and workstations. Think of this as taking a digital fingerprint of your entire environment.

Maintain the Chain of Custody

Every action taken on a compromised system must be logged: who accessed it, at what time, and what tools were used. If you end up in court or under a regulatory audit, you must prove that your evidence was not tampered with during the cleanup process.

Do Not Access Compromised Files

It is tempting to look through folders to see what the attacker accessed. Do not do this. Opening a file changes its "last accessed" metadata, making it impossible for the forensic team to determine whether the attacker actually opened that specific document.
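The two requirements above fit together in practice: timestamps are recorded through a metadata-only call before anything reads the file, and every step is written to a log that can later prove nothing was altered. The following is an added example, not the article's or any forensic vendor's code. It captures file metadata with os.stat (which reads the inode, not the content, and so does not update the access time), hashes the content only afterwards, and writes each action to a hash-chained custody log whose verify() fails if any entry is edited or dropped. The file content, the analyst name and the action labels are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

# Constructed sample content (not real evidence) used by demo().
SAMPLE_CONTENT = b"Q1 payroll export - CONFIDENTIAL\n"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash the file content in chunks. This READS the file, which on most
    filesystems can update the access timestamp, so capture_metadata() runs first."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_metadata(path: str) -> dict:
    """os.stat() reads the inode only; the file is never opened, so the original
    access time is preserved into the log before anything touches the content."""
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "atime": st.st_atime,
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
    }


class CustodyLog:
    """Append-only log in which each entry commits to the previous entry's hash,
    so editing, reordering or deleting an entry breaks verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so the same entry always hashes to the same value.
        return sha256_bytes(json.dumps(body, sort_keys=True).encode())

    def record(self, actor: str, action: str, tool: str, details: dict) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),  # who, when, what tool
            "actor": actor,
            "action": action,
            "tool": tool,
            "details": details,
            "prev_hash": prev,
        }
        body["entry_hash"] = self._digest(body)  # hash computed before the field exists
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def acquire_file(log: CustodyLog, path: str, actor: str) -> str:
    """Metadata first, content hash second, each step logged."""
    log.record(actor, "capture-metadata", "os.stat", capture_metadata(path))
    digest = sha256_file(path)
    log.record(actor, "hash-content", "hashlib.sha256", {"path": path, "sha256": digest})
    return digest


def demo():
    """Write the constructed sample to a temporary file and acquire it."""
    log = CustodyLog()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payroll.csv")
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        digest = acquire_file(log, path, actor="analyst-01")
    return log, digest


if __name__ == "__main__":
    log, digest = demo()
    for entry in log.entries:
        print(json.dumps(entry, indent=2))
    print("chain intact:", log.verify())
```

Each entry records who acted, when, with which tool, and the hash of the entry before it; the content hash proves the image or file handed to investigators is byte-for-byte what was collected. A log like this is only as trustworthy as its storage, so in real engagements the log file itself is copied to write-once media or signed by the forensic firm.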

Hours 13-18: Regulatory and Law Enforcement Notification

Depending on your industry and location, you may have a legal obligation to report the breach within a very short timeframe.

  • File a report with the FBI's Internet Crime Complaint Center (IC3) — often required for insurance claims.
  • Review state notification laws. California, New York, and Florida require notification within 30 days of reasonable belief a breach occurred.
  • If HIPAA applies and 500+ individuals are affected, notify HHS and potentially the media.
  • SEC-registered companies must disclose material cybersecurity incidents within four business days.

Hours 19-24: Customer Communication

How you tell your customers about the breach is just as important as how you fix it. Poorly timed or vague communications can destroy a decade of brand trust.

Customer Communication Template

"We are writing to inform you of a security incident involving our systems. We take the privacy of your information seriously and have engaged a leading cybersecurity firm to investigate the scope of the incident. We have also notified law enforcement. At this time, we recommend [Action Step, e.g., changing passwords]. We will provide further updates as our investigation progresses."

Prepare Your Help Desk

Your employees will get calls from concerned customers. Provide them with a script so they do not give out conflicting or inaccurate information. All external inquiries should be funneled through a single point of contact.

When to Hire an Incident Response Firm

Many business owners wonder if they can handle a breach internally. The answer is almost always no. You should hire a professional incident response firm if:

  • You suspect PII, PHI, or PCI data was accessed.
  • Your systems are encrypted by ransomware.
  • You need to meet insurance or regulatory reporting requirements.
  • You cannot identify the entry point of the attacker.
  • Your internal IT team is overwhelmed and needs to focus on business continuity.
  • You need forensic evidence that will hold up in court.

The cost of a professional response is significant, but the cost of an amateur response is often the business itself. Statistics show that 60% of small businesses close within six months of a major data breach. Professional intervention is what prevents your company from becoming part of that statistic.

Dealing With a Breach Right Now?

Our incident response team is available 24/7/365. We provide emergency triage, containment, forensics, and recovery — from the first call through full restoration.
