
6 Steps to Developing a Data Breach Response Plan

By Eyal Katz January 10, 2021

Experiencing a data breach is never pleasant. Just ask any of the hundreds of businesses that suffered a data breach in the past year, exposing billions of records. Data breaches are nothing new. As the old idiom goes: knowledge is power. For cybercriminals looking to profit from selling stolen data and credentials, this makes for an increasingly lucrative opportunity.

It’s no longer a question of whether you will suffer a data breach, but when. That, in turn, raises the question of how you respond to and contain it. Having a plan in place for the moment a breach occurs can make the difference between a manageable glitch and a crushing blow to the business.


Preparing for the unexpected can sound quite daunting. So before we can develop a data breach response plan, it’s important to first understand what a data breach is (and what it isn’t).

What is a data breach, anyway?

By definition, data breaches are security or privacy events that may require (by law) notification of affected individuals, regulatory agencies, credit reporting agencies, and/or the media. That notification trigger is what distinguishes a data breach from other security incidents.

What is the difference between a security event, a security incident, and a data breach?

Not every security event or incident involves loss or exposure of sensitive records or theft of intellectual property. Of the 32,002 security incidents analyzed in Verizon’s 2020 Data Breach Investigations Report, fewer than 4,000 were confirmed data breaches.

Generally speaking, a data breach is a security or privacy event that meets the specific legal definition set by the relevant jurisdiction and requires that affected parties be notified and possibly compensated. Understanding the distinction matters: it ensures the right response is triggered and prevents breach fatigue from treating every incident as a breach.

What is a data breach response plan?

A data breach response plan is a document detailing the immediate action and information required to manage a data breach event. It is your plan for the unpredictable.


Though each plan is unique to its business, every data breach response plan should contain the following:

  • A designated breach response leader or service.
  • A definition of what constitutes a data breach.
  • An internal incident notification procedure.
  • Contact details for every member of the breach response team (management, computer forensics, information technology, risk management, human resources, legal, business partners, investor relations, etc).
  • A procedure or service to identify the data breach’s root cause.
  • A plan detailing how to securely lock down the affected systems while preserving evidence.
  • Legal support to assure all relevant laws are adhered to and government agencies are promptly notified of the breach.
  • A flexible, pre-drafted public relations plan and strategy, covering how the obligation to inform the public will be met while protecting the organization’s reputation.
  • A detailed list of remedies that should be offered to individuals whose records were compromised in the case of a data breach. These may be required by law and include free credit monitoring, identity theft protection, and identity restoration services.

Why you need a data breach response plan

In a nutshell, a data breach response plan provides a path to quickly and competently respond to a data breach event while saving cost, reducing disruption of service, and protecting the brand’s reputation.

There is no shortage of reasons to develop and implement a well-defined data breach response strategy and plan. If you’re already convinced that your business needs one (and trust us, it does), feel free to skip right on to the next section. If you’re still in denial of the future data breach your business will experience or are worried about the added overhead of maintaining such a document, here are a few points to consider:


Cost

Without a plan, data breach management is a long and costly process. According to IBM’s 2020 Cost of a Data Breach Report, the average cost of a data breach is USD 3.86 million, and breaches identified and contained in under 200 days cost on average USD 1.12 million less than those that take longer. A well-designed plan that is put into motion is far more cost-effective than improvising.


Disruption of service

A data breach often results in a disruption of service, an event that when handled incorrectly, can lead to massive financial damages and even an indefinite shutdown. This is especially true for businesses that depend largely on digital or virtual transactions. A cybersecurity data breach can be catastrophic when every minute of downtime is money lost.


Loss of reputation

A slow response, faulty risk management, or missing public relations planning may tarnish a brand’s reputation. Handled incorrectly, a data breach can quickly become a permanent blemish on a brand, one that will echo for years in search results.

71% of CMOs believe the biggest cost of a security incident is the loss of brand value.
Source: https://dataprivacymanager.net/data-breach-and-reputation-management/

For financial and medical institutions such breaches can demolish a reputation, causing existing clients to take their business elsewhere posthaste.

How having a data breach plan makes a difference

On November 30, 2020, Shirbit, an Israeli insurance company, suffered a widely publicized ransomware attack and data breach. Personal and medical information of employees and insured individuals was leaked, while company executives refused to pay the attackers’ ransom or yield to their demands.

In an investigative report, ClearSky Cyber Security, working alongside Shirbit, found that the company had routinely failed to comply with its own information security procedures. For example, the mailbox of an employee who left the company in 2015 was never deleted and continued to receive messages. Beyond the confirmed leak of personal and medical information, the report warned of a possible leak of credit card information.

Another breach making headlines at the time of writing is that of FireEye, one of the world’s largest security companies, disclosed in December 2020. As a security company, FireEye was well prepared for a breach of unknown proportions.


FireEye’s quick response to the media, collaboration with government agencies, and the transparency of its disclosure make for a textbook example of what a well-executed data breach plan can accomplish.

How to develop a data breach response plan in 6 steps

Step 1 : Review risks and potential vulnerabilities in your business data

Before formulating a data breach response plan, you must first identify the risks and potential vulnerabilities threatening your data. It is not a pleasant exercise, but consider how each risk and vulnerability would impact your organization and its operations in the context of a data breach.

  • Account for careless and malicious employees
    A malicious or disgruntled employee may intentionally try to damage the organization by destroying data or selling stolen intellectual property to a third party. Even loyal employees may, by accident or through social engineering, expose login credentials and access tokens to your internal network.
  • Prepare for catastrophic loss of data
    Whether it is intentional sabotage or simply a hardware failure, data loss is a major threat that must be accounted for.
  • Expect a disruption of service
    There are multiple scenarios in which your organization’s services can grind to a halt. For example, ransomware and denial-of-service attacks can lock you out of your data and services. Another is loss of access to an indispensable third-party service that daily operations rely on.
  • Evaluate the risk of sensitive data reaching the wrong hands
    In the wrong hands, your organization’s sensitive data may be used for identity theft, fraudulent transactions, industrial espionage, and even terrorism.
  • Manage loss of reputation
    An embarrassingly incompetent response to a breach will certainly damage your organization’s reputation, and the damage may never be fully repaired.

Step 2 : Establish a response team

Once a data breach is identified, a trained response team is required to quickly assess and contain the breach.

  • Team Leader
    The point person leading the response team, granted the full access required to contain the breach.
  • Management
    A person or persons in management that must be kept updated on the current progress while securing the data breach.
  • Technicians
    Computer forensics experts determine the data breach’s root cause and extent, while IT staff contain the breach and fix any outstanding vulnerabilities that led to it.
  • Risk Management
    A person or service that determines existing and future risks resulting from a data breach while laying out a path to manage the risk.
  • Human Resources
    In cases where a breach involves company employees, human resources should be available to help navigate the investigation.
  • Legal
    Data breaches can expose companies to legal liability, so a strong legal team is required to ensure compliance with local regulations.
  • Business Partners
    A data breach may involve or affect a business partner; maintaining communication and transparency with partners is vital for future cooperation.
  • Investor Relations
    Maintaining a clear and truthful relationship with investors can strengthen the financial stability of an organization during a time of crisis.

Step 3: Implement tools, services, and policies

To prepare for a data breach, policies, procedures, and tools can be put in place in advance to detect and contain an event, and to minimize how much is exposed in the first place.

  • Enact secure password and access policies
    Use role-based access control with least privilege, strong password policies, and multi-factor authentication, so that a single compromised account limits the scale of a breach.
  • Use penetration testing and monitoring services
    Use penetration testing services to attack your systems and social-engineer your employees in a safe and controlled setting; finding the gaps first is far cheaper than having a real attacker find them. Continuous security monitoring services watch the activity on your systems, compare it against expected behavior, investigate when a threat is detected, and alert your team so it can respond in minutes instead of days, weeks, or even months.
  • Prepare storage redundancy
    Prepare storage redundancy to protect against accidental data loss from hardware failure and against deliberate damage from a disgruntled employee or a ransomware attack. RAID protects against limited hardware damage only; it does nothing against deletion or encryption, so off-site backups that an attacker on your network cannot reach or modify are the real safeguard, and they should be restore-tested regularly.
  • Handle a denial-of-service attack
    You do not want a DoS attack blocking people from accessing your systems. You can prepare for and mitigate such attacks by following established DoS defense practices.
  • Expect third-party services to fail
    Over time, you can expect a third party to fail. By preparing failure procedures in advance, services can resume faster once a real failure occurs.
  • Purchase cyber insurance
    Expect the best but plan for the worst. A cyber insurance policy reduces the potential financial liabilities resulting from a data breach.

Step 4: Define workflows for identification, containment, and eradication

  • Identification
    Using digital forensics techniques and breach monitoring services, determine the data breach’s root cause and scope: which systems and accounts are affected, and since when.
  • Containment
    Once the root cause has been identified, the affected systems must be contained to prevent the breach from spreading and to preserve any remaining forensic evidence. In practical terms, this may mean disconnecting the affected systems from the network or isolating them with firewall rules when physical access is limited. In a completely different scenario, it may mean having security detain an employee causing unlawful damage while law enforcement is on its way.
  • Eradication
    After containing the breach, the root cause must be addressed, whether by fixing vulnerabilities, adding network protections, reporting rogue actors to the authorities, enhancing employee training, or switching to different service providers.

Step 5: Outline a communications plan

Controlling public reaction and minimizing damage to the organization’s reputation requires a pre-drafted public relations outline flexible enough to fit any specific data breach with minimal modification.

Notification laws pertaining to data breaches may differ based on jurisdiction and the number of records affected by the breach, but in general (and based on the type of data breach), the following entities may require a public notification:

  • Individual notice
    All individuals impacted by the breach must be notified by the organization of the breach’s nature, the individual’s information that has been exposed or stolen, and the procedures affected individuals can use to mitigate their own risk.
  • Media notice
    Breaches affecting individuals usually require a period of public notification through prominent media outlets in the area affected and on the organization’s website.
  • Third-party services & partners notice
    In some organizations, a data breach can affect a 3rd party service or a business partner that may require notification.
  • Governmental notice
    Breaches involving financial, medical, or other regulated data may require additional notification of the relevant regulators and authorities.

Step 6: Review data breach response plan execution

Once a data breach has been resolved, the data breach plan itself must be evaluated to fill-in any holes discovered while mitigating the breach, for example:

  • Did the response team leader perform as expected?
  • Did management provide the required access?
  • Was anyone pertinent missing from the plan’s response team contact information list?
  • How quickly did the computer forensic and data security teams identify and contain the breach compared to industry metrics?
  • Was risk management implemented correctly and, if not, how can it be improved?
  • Did human resources resolve the situation as expected?
  • Did the legal team provide a professional representation of the organization?
  • Were partners provided with the information they needed in a timely manner?
  • Was investor relations handled correctly?
  • Could employees be trained to prevent similar data breaches in the future?

Data breach response plan checklist

To help you start with something that is not a blank page, we’ve put together a data breach response plan checklist. It should help you sort the tasks, processes, and stakeholders across the document sections.


Immediate actions

  • Log the date and time the breach was discovered, and the date and time the response plan was activated.
  • Contact the response team and begin executing the response plan.
  • Determine the type of breach, internal or external, caused by a company employee or outside entity, the result of an accident or malicious intent.
  • Contain the breach by securing the area where the breach occurred and as needed, disconnecting affected machines from the network. Do not turn off the machines, doing so may compromise evidence.
  • Secure any other evidence that may be related to the breach event.
  • Document who discovered the breach, to whom it was reported at this time, everything that is known so far about the breach, and any evidence that may be of use to law enforcement and the computer forensics team/service.
  • Interview and document the response of involved parties regarding their knowledge of the breach.
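The logging and documentation items above are where chain of custody starts, and a log that anyone can silently edit after the fact is weak evidence. The following Python script is an added example (it is not code from the original article or from any vendor): it keeps a hash-chained incident log in which each entry's hash covers the previous entry's hash, so that rewriting, inserting, or deleting an entry later is detected on verification. The incident id, actor names, and timestamps are constructed.

```python
"""Tamper-evident incident log (added example, not the article's own code).

Each entry's SHA-256 hash covers the previous entry's hash, so the log can
only be extended, never quietly rewritten. Incident id, actors and
timestamps below are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # "previous hash" of the very first entry


def entry_hash(prev_hash: str, ts: str, actor: str, event: str) -> str:
    # Canonical JSON so identical fields always hash identically.
    payload = json.dumps([prev_hash, ts, actor, event], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class IncidentLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor: str, event: str, ts: Optional[str] = None) -> str:
        """Append an entry and return its hash. ts defaults to now (UTC)."""
        if ts is None:
            ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, ts, actor, event)
        self.entries.append({"seq": len(self.entries), "ts": ts, "actor": actor,
                             "event": event, "prev": prev, "hash": h})
        return h

    def verify(self):
        """Re-hash the whole chain. Returns (True, None) or (False, first bad seq)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = entry_hash(prev, e["ts"], e["actor"], e["event"])
            if e["prev"] != prev or e["hash"] != expected:
                return False, i
            prev = e["hash"]
        return True, None

    def export(self) -> str:
        """JSON Lines export, suitable for handing to counsel or law enforcement."""
        return "\n".join(json.dumps(e, separators=(",", ":")) for e in self.entries)


def build_sample_log() -> IncidentLog:
    """Constructed sample entries mirroring the checklist's first steps."""
    log = IncidentLog("IR-2020-1130-01")  # constructed id
    log.record("soc.analyst", "Alert: login to mailbox dormant since 2015",
               ts="2020-11-30T08:12:00+00:00")
    log.record("soc.analyst", "Breach response plan activated; IR lead paged",
               ts="2020-11-30T08:20:00+00:00")
    log.record("ir.lead", "mail-01 isolated at firewall; power left on for imaging",
               ts="2020-11-30T08:41:00+00:00")
    return log


def tamper_demo():
    """Edit an earlier entry and show that verification pinpoints it."""
    log = build_sample_log()
    assert log.verify() == (True, None)
    log.entries[1]["event"] = "Breach response plan activated immediately"
    return log.verify()  # (False, 1): entry 1 no longer matches its hash


if __name__ == "__main__":
    print(build_sample_log().export())
    print("after tampering:", tamper_demo())
```

In practice the log would be appended to write-once storage (or its latest hash periodically recorded somewhere the responders cannot modify), since the chain proves consistency but not that the whole file was not replaced.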


Investigation

  • Launch the investigation by collecting the following information:
    • When, where, and for how long was the breach active?
    • Who discovered the breach and under what conditions.
    • Determine if data was exposed or only damaged.
    • Was any personally identifiable information or intellectual property exposed?
    • Names of (possibly) affected organizations and individuals.
  • Perform a risk assessment by evaluating the extent of damage the breach caused to individuals and your organization.
  • Determine if the breach puts at risk other systems that may require immediate isolation.
  • Based on what is known about the breach, try to assess ongoing priorities and evolving risks.
  • Enable a computer forensics team to begin an in-depth investigation into the breach.
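The investigation questions above (when, where, for how long, which systems) and the identification workflow in Step 4 can be answered, at least as a first pass, from authentication logs. The following Python script is an added example rather than code from the article or any vendor: it flags an account that logs in after years of silence (the Shirbit lesson described earlier), then expands from that account to the source addresses it used and to other accounts seen from those addresses, reporting the time window and hosts touched. The log format, hostnames, usernames, and addresses are constructed; a real deployment would parse the SIEM's or identity provider's own format.

```python
"""Breach scoping from authentication logs (added example, not the article's code).

Constructed sample data: the first line is deliberately years old so the
account looks dormant when it reappears.
"""
import json
import re
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
2015-06-30T17:00:00Z mail-01 auth: user=ofer.k src=10.0.4.9 result=success
2020-11-20T09:14:03Z mail-01 auth: user=jsmith src=10.0.4.17 result=success
2020-11-28T23:41:10Z vpn-01 auth: user=ofer.k src=185.220.101.4 result=success
2020-11-29T00:02:55Z file-02 auth: user=ofer.k src=10.0.9.3 result=success
2020-11-29T00:05:12Z file-02 auth: user=ofer.k src=10.0.9.3 result=success
2020-11-29T00:10:40Z db-01 auth: user=svc_backup src=10.0.9.3 result=failure
2020-11-29T00:11:02Z db-01 auth: user=svc_backup src=10.0.9.3 result=success
2020-11-30T08:12:00Z mail-01 auth: user=jsmith src=10.0.4.17 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse(log: str) -> list:
    """Parse lines into dicts with an aware UTC datetime; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def dormant_reactivations(events: list, dormant_days: int = 90) -> list:
    """Successful logins that follow a silence longer than dormant_days.
    Returns (user, timestamp, gap_in_days) tuples."""
    last_seen, hits = {}, []
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_seen.get(e["user"])
        if prev is not None and e["ts"] - prev > timedelta(days=dormant_days):
            hits.append((e["user"], e["ts"], (e["ts"] - prev).days))
        last_seen[e["user"]] = e["ts"]
    return hits


def breach_scope(events: list, bad_users: set, since: datetime) -> dict:
    """Pivot from known-bad accounts to the sources they used, then to other
    accounts seen from those sources, until nothing new appears. Pivoting on
    internal addresses over-scopes behind NAT or jump hosts, so treat the
    output as leads for the forensic team, not as a verdict."""
    window = [e for e in events if e["ts"] >= since]
    users, srcs = set(bad_users), set()
    changed = True
    while changed:
        changed = False
        for e in window:
            if e["result"] != "success":
                continue
            if e["user"] in users and e["src"] not in srcs:
                srcs.add(e["src"])
                changed = True
            if e["src"] in srcs and e["user"] not in users:
                users.add(e["user"])
                changed = True
    related = [e for e in window if e["user"] in users or e["src"] in srcs]
    if not related:
        return {"users": sorted(users), "sources": [], "hosts": [],
                "first": None, "last": None, "duration_minutes": 0}
    first, last = related[0]["ts"], related[-1]["ts"]
    return {
        "users": sorted(users),
        "sources": sorted(srcs),
        "hosts": sorted({e["host"] for e in related}),
        "first": first.isoformat(),
        "last": last.isoformat(),
        "duration_minutes": int((last - first).total_seconds() // 60),
    }


def triage(log: str = SAMPLE_LOG) -> dict:
    """Dormant-account detection first, then scope outward from the first hit."""
    events = parse(log)
    dormant = dormant_reactivations(events)
    if not dormant:
        return {"dormant": [], "scope": None}
    user, ts, _ = dormant[0]
    return {
        "dormant": [(u, t.isoformat(), gap) for u, t, gap in dormant],
        "scope": breach_scope(events, {user}, since=ts),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

On the sample data the dormant account `ofer.k` reappears from an external address, moves to an internal host, and the internal address it used is then seen authenticating as `svc_backup`, so both accounts, three hosts, and a window of roughly half an hour go to the forensic team as the initial scope and isolation list.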


Notification

  • Prioritize notification procedures: determine who needs to be made aware of the breach based on local ordinances, perceived harm, and internal priorities, and ensure all notifications go out within the legally mandated timeframes.
  • After consulting with management and legal counsel, notify law enforcement as necessary.
  • Adjust & Activate the prepared public relations response based on the type of data breach encountered.


Review

  • Consolidate the investigation findings for a performance evaluation.
  • Evaluate how the response process was executed and update the response plan based on lessons learned from handling the data breach.
  • Update information security and data management policies and procedures as needed.
  • Enhance staff training practices and procedures to include lessons learned from handling the data breach.


What not to do

  • Do not ignore the problem; failure to act quickly will result in additional cost, time, and loss of reputation.
  • Do not poke around affected systems on your own; you may alert the attackers that they have been discovered, giving them time to cover their tracks.
  • Do not turn off affected systems; a forensic team is required to ensure evidence, including volatile memory, remains intact.
  • Do not attach devices (such as storage) to affected systems; forensic teams use write-blocking hardware and controlled procedures so that collection does not alter the evidence.
  • Do not run anti-virus software or other applications that modify the system, as they may corrupt forensic evidence.
  • Do not reconnect affected systems to the network until the forensic and security teams have confirmed the breach has been eradicated.

In conclusion

The stability of an organization is determined by many factors. In today’s digital business world, planning for a future data breach is a necessity. An organization simply cannot ignore the scale and sophistication of data breaches that topple even well-resourced security companies. Without a data breach response plan, your organization may suffer serious consequences and potentially risk an indefinite shutdown.
