Corporate Breach Response Checklist: The First 72 Hours

Most organisations discover they don’t have a breach response plan at the moment they need one. The decisions made in the first 72 hours after a data breach determine regulatory exposure, legal liability, and reputational damage. GDPR gives you 72 hours to notify your supervisory authority. US state laws vary — some require notification within 30 days, others demand it “as expeditiously as possible.” Either way, the clock starts before you’re ready.

This checklist is built for the DPO, CISO, or board member who needs a structured framework before an incident occurs. Print it. Store it offline. The worst time to design a process is during a crisis.

We have also published printable, interactive checklists you can use as working documents during an actual incident: EU/GDPR Breach Response Checklist and US Breach Response Checklist. Print them empty for your incident response binder, or work through them on screen and print your progress.

Why the First Hours Matter More Than the Technical Fix

The 2026 Unit 42 Global Incident Response Report found that identity-based attacks — exploiting legitimate credentials rather than breaking through perimeters — were involved in 90% of investigated breaches. Attackers quadrupled their exfiltration speed compared to 2024. The PwC Annual Threat Dynamics 2026 report confirms that social engineering has now surpassed ransomware as the leading corporate cyber threat, with AI enabling phishing content that is grammatically flawless and contextually targeted to specific business processes.

The implication is the same on both sides of the Atlantic: by the time you detect a breach, data has likely already left the building. The priority shifts from “stop the attack” to “understand the exposure, preserve evidence, and meet your legal obligations.”

Phase 1: Hour 0–4 — Containment and Triage

The first four hours are about activation, not resolution.

Activate your Crisis Management Team. This is not an IT-only event. Your CMT should include legal counsel, HR, communications, and a designated privacy lead. If legal is not in the room from the start, you lose the ability to claim privilege over internal communications.

Establish out-of-band communications. Assume corporate email and internal chat may be compromised or monitored. Move sensitive discussions to a pre-agreed secure channel — Signal, ProtonMail, or an equivalent. Decide this before you need it.

Verify the incident is real. Before escalating, confirm you are dealing with an actual breach and not a false alarm or social engineering designed to trigger a panicked response. Use a severity tiering system: Severity 1 is confirmed sensitive data compromise with active threat activity. Severity 4 is a false positive. This prevents overreaction that creates its own damage.

Preserve evidence. Do not wipe, reimage, or “clean up” affected systems. Forensic evidence is destroyed by well-intentioned IT staff more often than by attackers. Isolate affected systems from the network, but keep them powered on and intact.

Pause scheduled communications. Halt all pre-scheduled social media posts and marketing emails. An automated post about your company’s “commitment to security” landing in the middle of a breach disclosure is a reputational accelerant.

Notify your insurer. D&O and cyber insurance contacts should be engaged within the first hours. Late notification can void coverage under both EU and US policies.

EU-based organisations should:

  • Identify your lead supervisory authority under the GDPR one-stop-shop mechanism. If you process data across multiple member states, this determines where you file.
  • Confirm who your Data Protection Officer is and ensure they are reachable. GDPR Article 33(3)(b) requires their name and contact details in the notification.
  • Begin documenting immediately. Article 33(5) requires you to document all breaches — facts, effects, remedial actions — regardless of whether you ultimately notify.

US-based organisations should:

  • Determine which state notification laws apply. There is no single federal breach notification law — each of the 50 states has its own statute with different timelines, definitions, and requirements. The breach triggers notification based on where affected individuals reside, not where your company is headquartered.
  • If you are a publicly traded company, assess whether the breach is “material” under SEC rules. Item 1.05 of Form 8-K requires disclosure of material cybersecurity incidents within four business days of determining materiality.
  • Engage external legal counsel immediately. Attorney-client privilege over forensic investigation findings is established at this stage — not retroactively.
  • Check whether your state requires notification to the State Attorney General. Most do, and several require AG notification before or simultaneously with individual notification.

Phase 2: Hour 4–24 — Scope and Assessment

Once containment is underway, the priority is understanding what happened and what data is affected.

Determine scope. What categories of personal data are involved? How many individuals? Which jurisdictions? Is the breach ongoing or contained? You need these answers before you can file any notification — and the jurisdictional question determines which rules apply.

Invalidate sessions, not just passwords. Modern attackers pivot post-login by stealing session tokens or abusing OAuth grants to bypass MFA. Password resets alone are insufficient. Globally revoke all session tokens for affected accounts, particularly executive and administrative accounts.
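One way to implement the "revoke sessions, not just passwords" point, as an added example that is not part of the original guide: a minimal session store in which every token is bound to a per-account generation counter, so that a single counter bump invalidates all outstanding tokens. The names (SessionStore, Account, revoke_all_sessions) are hypothetical; a production system would back the same check with its session database or identity provider.

```python
"""Added example (not from the original guide): session tokens tied to a
per-account 'generation'. A password reset leaves issued tokens valid;
bumping the generation revokes every outstanding session at once."""
import secrets
import time
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    password_hash: str            # placeholder; real systems use a slow KDF
    session_generation: int = 0   # incremented on global revocation

@dataclass
class Session:
    username: str
    generation: int               # account generation when issued
    expires_at: float

class SessionStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}   # token -> Session

    def add_account(self, username: str, password_hash: str) -> None:
        self.accounts[username] = Account(username, password_hash)

    def issue(self, username: str, ttl_seconds: int = 3600) -> str:
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, acct.session_generation,
                                       time.time() + ttl_seconds)
        return token

    def is_valid(self, token: str) -> bool:
        sess = self.sessions.get(token)
        if sess is None or sess.expires_at < time.time():
            return False
        # Valid only while it matches the account's current generation.
        return sess.generation == self.accounts[sess.username].session_generation

    def reset_password(self, username: str, new_hash: str) -> None:
        # Rotating the credential does NOT invalidate existing sessions.
        self.accounts[username].password_hash = new_hash

    def revoke_all_sessions(self, username: str) -> int:
        # One counter bump kills every outstanding token for the account.
        self.accounts[username].session_generation += 1
        return sum(s.username == username for s in self.sessions.values())
```

The same generation check applies to refresh tokens and OAuth grants held by an identity provider; as reset_password shows, changing the credential alone does nothing for a token already in an attacker's hands.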

Draft your internal briefing. Employees and board members should hear from the organisation before the media. An internal “what we know” memo prevents rumours, aligns messaging, and reduces the risk of staff inadvertently disclosing information to journalists or on social media.

EU-based organisations should:

  • Assess the risk to individuals. Article 33(1) contains an important qualifier: notification is required “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” This is not a loophole — it is a documented risk assessment you must be able to justify to your supervisory authority. The EDPB Guidelines on Personal Data Breach Notification provide the framework.
  • Determine whether Article 34 applies. If the breach poses a “high risk” to individuals, you must notify them directly — in addition to the DPA. Encryption or other measures that render the data unintelligible before the breach can exempt you from this obligation, but only if they were in place before the incident.
  • Begin preparing the four mandatory notification elements under Article 33(3): nature of the breach, DPO contact details, likely consequences, and measures taken or proposed.

US-based organisations should:

  • Map affected individuals by state of residence. Different states define “personal information” differently. Some include biometric data or login credentials; others are limited to Social Security numbers and financial account data. Your notification obligations depend on what data was exposed and where the affected people live.
  • Check for sector-specific obligations. HIPAA (healthcare), GLBA (financial services), and FERPA (education) each impose their own breach notification requirements that may run in parallel with state laws. These often have shorter timelines and stricter definitions.
  • Assess whether the FTC Act applies. The FTC’s Data Breach Response Guide recommends that companies “move quickly to secure your systems and fix vulnerabilities that may have caused the breach.” The FTC has brought enforcement actions under Section 5 for inadequate breach response, even absent a specific breach notification law.

Phase 3: Hour 24–48 — Notification Preparation

EU-based organisations should:

  • Finalise your DPA notification. Under Article 33(3), it must include: the nature of the breach (categories and approximate number of data subjects and records), DPO contact details, likely consequences, and measures taken or proposed. Article 33(4) allows phased disclosure — a timely partial notification is better than a late complete one.
  • Prepare Article 34 individual notifications if high risk is established. Communicate in clear, plain language. Describe what happened, what data was affected, and what individuals should do.
  • Assess cross-border filing. The Dutch Autoriteit Persoonsgegevens (AP) operates a dedicated breach notification portal for Netherlands-based controllers. Other member state DPAs have similar online filing systems.

US-based organisations should:

  • Draft individual notification letters. Most states require written notice to affected individuals containing: a description of the incident, the types of information involved, steps taken in response, contact information for the company, and contact information for the relevant credit reporting agencies.
  • Prepare State Attorney General notifications. At least 35 states require AG notification, often with a lower threshold than individual notice. Some states (e.g., California) require AG notification when more than 500 residents are affected. Others require it for any breach.
  • Determine whether credit monitoring must be offered. Several states now mandate free credit monitoring for affected individuals, particularly when Social Security numbers or financial data are involved. Duration requirements vary — typically 12 to 24 months.
  • If publicly traded, prepare your SEC Form 8-K filing for material incidents. The four-business-day clock runs from the date you determine the incident is material, not from the date of the breach itself.

Phase 4: Hour 48–72 — Execute Notifications

EU-based organisations should:

  • File with your supervisory authority. If notification is not made within 72 hours, Article 33(1) requires that it “shall be accompanied by reasons for the delay.” The clock started when you became aware — not when the investigation concluded.
  • Execute individual notifications where required under Article 34. Avoid corporate hedging — people who have been exposed deserve directness.
  • Where the processor, not the controller, discovered the breach: the processor must notify the controller “without undue delay” under Article 33(2). The 72-hour clock for the controller begins upon being informed by the processor.

US-based organisations should:

  • File state notifications according to each state’s timeline. The most aggressive deadlines include: Florida (30 days), Colorado (30 days), and Washington (30 days). Several states use “without unreasonable delay” or “as expeditiously as possible,” which courts have generally interpreted as 30 to 60 days.
  • Send individual notification letters. Most states accept first-class mail. Some permit email notification if the individual previously consented to electronic communication.
  • File any required federal notifications. SEC 8-K for public companies. HHS for HIPAA-covered entities (within 60 days, or 60 days from end of calendar year for breaches affecting fewer than 500 individuals).
  • Prepare for state AG follow-up. Attorneys General — particularly in California, New York, and Massachusetts — actively investigate breaches after notification. Expect questions about your security posture before the breach, not just your response.

The Mistakes That Turn Breaches Into Crises

These apply regardless of jurisdiction.

Treating it as an IT problem. A data breach is a legal, communications, and operational event. Organisations that delegate response entirely to the IT department consistently underperform in regulatory outcomes and public trust recovery.

Destroying evidence. Reimaging servers, deleting logs, or “cleaning up” before forensic preservation is the single most common mistake. It handicaps your own investigation and raises questions with regulators on both sides of the Atlantic.

Delaying legal involvement. Every internal communication about the breach is potentially discoverable. Without legal counsel establishing privilege from the start, your incident response notes become exhibit material.

Underestimating scope. Initial assessments almost always undercount affected records. Both the EDPB and the FTC expect organisations to update their notification as new information emerges. Plan for scope to expand.

Issuing PR before legal review. Public statements that contradict your regulatory filing create liability. Legal reviews the holding statement before communications releases it.

The Exposure You Don’t See

Most breach response plans focus on what happens after an incident. They rarely address what attackers already knew before they got in.

Corporate credential leaks, executive personal data on broker sites, org chart exposure, staff email patterns — this is the reconnaissance layer that makes targeted attacks possible. The 2026 WEF Global Cybersecurity Outlook found that 94% of security leaders identify AI-driven reconnaissance as the most significant change in the threat landscape.

An attacker who already has your CFO’s home address from a data broker, their breached credentials from a 2019 dump, and their travel schedule from LinkedIn metadata doesn’t need a sophisticated exploit. They need a convincing pretext. This applies whether the target sits in Amsterdam or Atlanta.

A Corporate Audit maps this exposure surface before an incident — credential leaks, people-search profiles, dark web references, and staff digital footprints that could be exploited in a social engineering campaign. The organisations that fare best in breach response are the ones that understood their attack surface before the breach occurred.
