US Data Breach Response Checklist (72-Hour)

Phase 1 Hour 0–4: Containment & Triage

Activate Crisis Management Team (CMT) — legal counsel, HR, communications, privacy lead. Not IT alone.

Establish out-of-band communications — move sensitive discussions to Signal, ProtonMail, or equivalent. Assume corporate channels may be compromised.

Verify the incident is real — confirm before escalating. Use severity tiering (Sev 1–4). Rule out false alarms.

Preserve evidence — do NOT wipe, reimage, or “clean up” systems. Isolate from network but keep powered on.

Pause scheduled communications — halt all pre-scheduled social media posts and marketing emails immediately.

Notify insurer — D&O and cyber insurance contacts within first hours. Late notification can void coverage.

Engage external legal counsel — attorney-client privilege over forensic investigation findings is established at this stage, not retroactively.

Determine applicable state laws — all 50 states have breach notification statutes. Notification is triggered by where affected individuals reside, not where your company is headquartered.

Assess SEC materiality (public companies) — Item 1.05 of Form 8-K requires disclosure of material cybersecurity incidents within 4 business days of determining materiality.

Check State AG notification requirements — most states require AG notification before or simultaneously with individual notification.

Phase 2 Hour 4–24: Scope & Assessment

Determine data categories affected — SSNs, financial account data, biometric data, login credentials, health information? Different states define “personal information” differently.

Map affected individuals by state of residence — notification obligations depend on what data was exposed and where the affected people live.

Estimate number of affected individuals — some states have different thresholds (e.g., California AG notification when 500+ residents affected).

Assess ongoing vs contained — is the breach still active? Is exfiltration continuing?

Invalidate sessions globally — revoke all session tokens and OAuth grants for affected accounts. Password resets alone are insufficient.

Check sector-specific obligations — HIPAA (healthcare, 60-day notification to HHS), GLBA (financial services), FERPA (education). These run in parallel with state laws.

Assess FTC Act exposure — FTC has brought enforcement actions under Section 5 for inadequate breach response, even absent a specific breach notification law.

Evaluate encryption status — some states provide safe harbours for encrypted data. Document whether affected data was encrypted at rest and in transit.

Draft internal “what we know” memo — brief board and staff before media learns. Prevents rumours and aligns messaging.

Phase 3 Hour 24–48: Notification Preparation

Draft individual notification letters — most states require: description of incident, types of information involved, steps taken, company contact, and credit reporting agency contacts.

Prepare State Attorney General notifications — at least 35 states require AG notification. Compile list of required filings by state.

Determine credit monitoring obligation — several states mandate free credit monitoring (typically 12–24 months) when SSNs or financial data are involved.

Prepare SEC Form 8-K (public companies) — 4-business-day clock from materiality determination, not from breach date.

Prepare HIPAA notification (if applicable) — HHS notification within 60 days for breaches affecting 500+ individuals. Breaches under 500: annual log submission.

Identify third-party data recipients — Rhode Island and Delaware require proactive disclosure of specific third parties that received breached data.

Prepare holding statement — 100-word public statement: acknowledge event, express concern, designate single contact point. Legal reviews before release.

Phase 4 Execute Notifications (per state timeline)

File state notifications per timeline — most aggressive: Florida, Colorado, Washington (30 days). Others: “without unreasonable delay” (generally interpreted as 30–60 days).

Send individual notification letters — most states accept first-class mail. Some permit email if individual previously consented to electronic communication.

File federal notifications — SEC 8-K (public companies), HHS (HIPAA entities), other sector-specific regulators as applicable.

Activate credit monitoring for affected individuals — if required by applicable state laws. Distribute enrolment instructions with notification letters.

Issue holding statement if media aware — coordinate with legal. Public statements must not contradict regulatory filings.

Document all notification actions — record exact submission dates, confirmation numbers, delivery methods, and state-by-state filing status.

Phase 5 Post-Notification: Remediation & Review

Prepare for State AG follow-up — California, New York, and Massachusetts AGs actively investigate after notification. Expect questions about pre-breach security posture.

Update notifications as scope evolves — the FTC and state regulators expect organisations to provide updated information as new details emerge.

Incident Notes

US Breach Response Checklist

Key Legal References

US Breach Response Checklist

First 4 Hours: Containment and Triage

Hours 4–24: Scope and Assessment

Hours 24–48: State and Federal Notification Preparation

Execute Notifications

Post-Notification: Remediation and Review

Key Legal References

Key Legal References