What to do after a data breach

Insureon staff
A data breach response plan can save you time, money, and stress following a cyber incident. Here’s what to do after a data breach to get back to business as usual.
Business people planning a data breach response.

Many business owners assume they're safe from cyberattacks because their business is small. But small businesses are actually a big target for cyber criminals.

Verizon's Data Breach Investigation Report found that small businesses made up 46% of all data breaches last year – and that number keeps growing.

If you handle customer data, you're at risk of a data breach that could harm your reputation and cost you a lot of money. Plus, if personal information – like Social Security numbers, credit card numbers, and other personal data – is compromised at your business, you'll have to notify everyone that was affected by the breach.

Your business needs a data breach response plan that outlines exactly how you'll respond if you're the victim of a breach, ransomware attack, or other cyber incident.

Making sure your plan is comprehensive can help keep your business running, minimize costs, and get your back to business as usual.

What is a data breach response plan?

A data breach response plan is a step-by-step guide that your business can follow after uncovering a data breach.

The moments after you learn that your business suffered a data breach will be stressful and chaotic. In that chaos, you may not remember what to do, who to notify, and how to comply with the law.

A data breach response plan tells you exactly what to do so you don't have to guess. It will be your lifeline in a stressful situation, so take your time and make sure you cover every detail when you build your plan.

What should your data breach response plan include?

Your data breach response plan should:

  • Define what constitutes a data breach
  • Identify your data breach response team
  • Outline the steps that you need to follow

And your next steps should cover:

  • Communication: Who is responsible for making sure the plan is being followed?
  • Investigation: How will you find the cause of the breach?
  • Containment: What will you do to minimize damage?
  • Correction: What do you need to do to make sure it doesn't happen again?
  • Notification: Who needs to know about the breach and how will you tell them?

If you don't yet have a formal cyber incident response plan, don't worry. These steps will guide you through the process of responding and recovering from a security breach.

What do you need to do after a data breach?

Once you discover a data breach or other cyber incident, you need to act fast. The longer a breach continues, the more costly it will likely be.

Some of the most common cybersecurity threats will be obvious immediately. Ransomware and distributed denial-of-service (DDoS) attacks, for example, will lock you out of your systems, while other attacks are meant to stealthily gain access to your servers or personal information databases.

To help cut down on the damage, you can follow these steps:

1. Notify your data breach incident response team

If you suspect a data breach, you need to notify your data response team. No matter the type of breach, this should be the first action item in your data breach response plan.

If you run a smaller company, you may not have the resources or expertise to put together a team to handle cyber incidents. Even then, you should designate someone that you trust to lead your response. Your best choice will be a team member who is familiar with data security.

If you do have the resources, ideally your team should include representatives from your company's critical operational areas, including:

  • Information technology
  • Legal
  • Human resources

The team's job is to follow your data breach response plan and make sure that their respective departments are doing everything they need to do to stop the breach, comply with the law, and keep the business operating.

The data breach response plan should include each member of this team and designate a leader to make sure everyone is following the plan.

2. Isolate the affected systems or machines

In some cases, you might discover the cyberattack while it's happening. If you know where the attack or breach started, you should isolate that machine, server, or system to make sure you don't compromise even more sensitive data.

Finding an attack this early and isolating it is the best way to minimize its impact and contain the threat.

3. Notify your cyber insurance company

Recovering from a data breach will be expensive. Kaspersky found that a data breach or cyberattack costs a small business $101,000 on average in 2020.

A bill that high could put your business in a tough financial situation, but your cyber insurance policy, also called data breach insurance, can help pay for many of your expenses. That includes the costs of:

  • Notifying those impacted by the breach
  • A forensic investigation
  • Fixing cybersecurity flaws
  • Business interruptions
  • Customer credit and fraud monitoring services
  • Crisis management and public relations
  • Cyber extortion or ransomware demands

Your insurance company is there to help your business recover from a data breach. You should file a claim as soon as possible to cut down on how long you'll have to foot the bills yourself while they process your claim.

In the case of a ransomware attack or cyber extortion, your insurer may also provide you with an expert to help with negotiations.

Compare business insurance quotes from top providers
Small business owner looking for insurance quotes on their tablet.

4. Review your state's data breach requirements

Every state has different data breach notification laws. Your data breach response plan should outline your state's rules for responding to a data breach, including who you should notify and how quickly.

Still, you should have your legal counsel review the state laws before you do anything to make sure your plan still matches the most up-to-date rules. If you don't comply with state laws, you could be hit with penalties, fines, and even more damage to your reputation.

Your state will likely require you to notify all affected individuals, including:

  • Law enforcement
  • Regulatory boards
  • Your customers
  • Your vendors
  • Business partners
  • Consumer protection agencies

For healthcare professionals like doctors, physical therapists, and home healthcare providers, a data breach could also be a violation of HIPAA, the federal law that protects the security of medical and health information. If your profession is bound by HIPAA or another specific data protection law, you should include compliance instructions in your data breach response plan to avoid facing large penalties.

5. Investigate the breach and correct any flaws

You'll want to know as quickly as possible what sensitive data has been lost or compromised, how it happened, and if you can do anything to prevent further damage.

However, data breaches are often complicated and technical. Handling the investigation may be outside of your expertise. You could turn the investigation over to one of your employees if you have a cybersecurity expert on staff, but you may want to hire outside help.

Hiring an expert like a network security consultant or cybersecurity forensics team can give you a new, unbiased perspective into how the breach happened and the security flaw that made it possible.

You should document every step you take during the investigation and any evidence you find. Law enforcement may need it for their own investigation, or you may have to show it to prove to your state that you conducted an investigation yourself.

6. Notify parties as required by law

Your state's laws will require you to notify your customers, vendors, and other affected parties about the breach. The law may require you to tell them within a certain period of time and in a certain manner – either by phone, email, or mail. Be sure to review the state's requirements to make sure you're compliant.

You should set up a dedicated phone line and email address where people affected by the breach can contact you with questions. You or one of your employees should monitor these lines of communication to make sure you're responding to people quickly.

Finally, you should announce the data breach on your website so people know that it's happened, you're aware of it, and are taking steps to fix it. Include your company's contact information so people can reach out with any questions.

7. Set up fraud and credit card monitoring

State law or industry regulators will likely require you to set up fraud, credit card, and identity theft monitoring for your customers. Your data breach response plan should include which company you'll use, how to set it up, and how to offer it to your customers. Your cyber insurance should help cover these costs.

8. Repair your reputation

A data breach or cybersecurity incident can do long-term damage to your reputation. In fact, nearly one-third of consumers said they would stop using a business if their accounts have been compromised.

A cyber incident could cost you customers and cash for a long time after it's resolved. To help minimize the fallout, you might consider hiring a public relations firm or crisis manager to help you weather any bad publicity and restore your good name.

9. Conduct a cybersecurity post mortem

Once you've stopped the breach, fixed the problems that led to it, and taken care of everyone who was affected, you should review your response.

Meet with your data breach response team to discuss what went well and what could have gone better.

Take this time to do a full IT security audit to make sure you've identified both the direct causes of this breach and any weak points that could lead to another one. Use what you talk about to adjust your response plan in case you face another cyberattack in the future.

A data breach is a trying experience for any company, but it doesn't have to completely disrupt your business. If you put together a thorough data breach response plan and make sure you have the right insurance policies, you'll be much more likely to recover from a data breach and return to business as usual.


Complete Insureon’s easy online application to compare quotes for business insurance from top-rated U.S. carriers. Once you find the right  policy for your small business, you can begin coverage in less than 24 hours.

Get business insurance quotes from trusted carriers

What kind of work do you do?