CIO's Guide to Responding to a Data Breach

February 15, 2019 9 min read

Gaetano DiNardi

Gaetano DiNardi

image of people creating a data breach response plan
Data breaches and identity theft are becoming commonplace in today’s society. As individuals and companies race to secure their data, hackers are devising new ways to steal it.
The Identity Theft Resource Center reported a 126% increase in exposed consumer data in 2018. Now, more than ever, it’s important for businesses to plan for the unexpected. A data breach response plan can help companies prepare for a cyber emergency. They can avoid losing valuable data, damaging their reputations, or losing revenue.
Is your business ready to react efficiently in the face of a data emergency? Find out what you need to keep in mind before, during, and after a data breach below.

  1. Create a data breach response plan
  2. Choose teams in each department to identify, contain and recover from the breach
  3. Ensure IT resources are allocated to the most crucial departments
  4. Conduct company-wide awareness activities and drills annually
  5. Identify what type of breach has occurred
  6. Secure all data
  7. Change all passwords and encryption keys
  8. Clear malicious code from your systems
  9. Identify the source of the breach
  10. Alert the authorities and legal counsel
  11. Protect digital evidence found
  12. Notify data owners about the breach
  13. Activate public relations response teams (if needed)
  14. Fix vulnerabilities to prevent another breach
  15. Alter preparation plans for potential future breaches

What Is a Data Breach?

professionals crowded around a computer discussing a possible data breach
A data breach is the release of private, confidential or secure information to an untrusted environment. Data breaches can be intentional and unintentional and vary in severity. One of the first steps when developing a data breach response plan is defining what your organization considers a breach.
You will need to decide what level of severity will set your plan in action. A small breach (such as exposed information as a result of a phishing email) may not need a full-blown response. Attacks that cause a more serious disruption can also happen. These breaches may include widespread theft or exposure of sensitive information. Learn more about the different social engineering attacks here.

How to Respond to a Data Breach

people in a conference room creating a data breach response plan
If a data breach happens at your organization it’s important to have a plan set in place ahead of time to contain the situation. A data breach response plan provides your business with a detailed set of instructions to follow in the event of a security breach.
The plan should involve key members of your organization. This includes IT departments, public relations and digital marketing teams, legal and risk compliance teams as well as an executive sponsor. Set clear objectives and decide how each department will respond to a breach. Test and revise the plan annually or bi-annually to ensure its relevance.
Once you discover and identify a security breach, the data breach response plan can be set in motion. Your team members can then follow its steps to secure the situation and get the company back on track.


abstract image of computer workers pointing to a broken lock

1. Create a data breach response plan

An effective response plan includes steps designed to prepare your company for a cyber emergency. It also identifies the response team and lists actions to contain and recover from the event.

The intricacy of the data breach response plan will depend on the size of your business. You must also consider the number of possible threats and confidentiality of the information you store. If a cybersecurity breach has the potential to severely impact your business, your plan needs to be thorough.
You need to make key decisions ahead of time to avoid making them under pressure. All personnel involved with the plan should be well-informed and trained.

2. Choose teams in each department to identify, contain and recover from the breach 

Choose teams in each department to identify, contain, and recover from the breach. Assign incident leads and ensure the correct IT resources are allocated to the most crucial aspects of the plan. Teams should include members that will handle customers, internal communication, and public relations.

3. Ensure IT resources are allocated to the most crucial departments

Key departments to involve include:

  • Information Technology – Discovers and responds to the data breach.
  • Legal and Compliance – Determines the data retention policies. Maintains compliance standards for records retention and informs the appropriate parties. 
  • Public Relations and Marketing – Leads customer identification and communications coordination efforts.
  • Sales – Leads key relationship management.
  • Executive – Coordinates high-level response efforts.

4. Conduct company-wide awareness activities and drills annually

Company-wide awareness activities and drills are important to conduct annually or bi-annually. That way nobody is caught off-guard if a breach occurs. A few different types of cybersecurity drills include:
  • Employee awareness of common security breaches
  • Security awareness training sessions
  • Simulating cybersecurity incidents or phishing scams 
  • Tabletop exercises
Prevention is a major aspect of preparation. Take stock of weak points in your company’s security measures. Consider potential ways data could be compromised — then take steps to ensure these areas are secure. If you can prevent the breach from happening, you’re one step ahead.


a broken lock, money, and other imagery relating to a data breach response plan

5. Identify what type of breach has occurred:

  • Legally protected information

  • A material loss to the company

You should have determined what you consider a data breach ahead of time. If a breach occurs you will need to determine its severity and the best response plan.

What types of sensitive information does your company hold? Two types of data can be compromised in a data breach:

Incidents that involve legally protected information.

You often see this type of incident on the news. This includes customer health records, personal identification information (such as credit card numbers or social security numbers). The company is often legally required to inform their customers when a breach of this nature occurs.

In these cases, legal or outside counsel should identify required data retention and disclosure requirements. Different industries will have different reporting requirements. Some (such as retail and PCI compliance) must inform their customers. Others (such as healthcare and government) must inform the customers and governmental regulatory agencies. You will need to know which regulations apply to your business.

Incidents that involve a material loss to the company.

This type of data loss may not warrant a public announcement but can be damaging to the company itself. Material losses manifest differently across industries. They can include a compromise of sensitive information, trade secrets or intellectual property.
Material losses can also prevent your company from functioning properly. For example, an operational disruption or a compromised vendor network could impact your supply chain.
Identifying the type of incident helps you decide the type of action needed. It also helps determine which departments to involve. Train all employees on how to identify an attack. Teach them how to escalate the incident internally and externally to set the plan in motion. 

Containment abstract imagery of papers, a lock, a key and other data breach imagery

6. Secure all data

Your recovery teams will need to take action to mitigate the impact of the breach as much as possible. This ensures that the breach does not spread and all data is secured. 

7. Change all passwords and encryption keys

Put all affected machines, devices and systems on lockdown. Change any passwords or encryption keys immediately. As always, only use a trusted source and store this information securely.

8. Clear malicious code from your systems

If the breach involves any viruses or malicious code, allocate the resources needed to clear them from your system. This way, the company can begin to recover. This is one situation in which it’s important to have an effective backup strategy for your digital information. This kind of strategy can save you time and help you determine the best course of action.
For example, if data is breached with a ransomware attack, the most effective response is not to pay the ransom for the release of data. You should roll the IT state back to the most recent copy of the data, thus restoring its operational state. Data will still be compromised, but you will be able to analyze what was taken. You can also determine your next move and maintain operations.

Investigation abstract illustration of police man with magnifying glass

9. Identify the source of the breach

Once you contain the breach, your team should investigate its potential cause. Be sure to document all investigation and mitigation efforts carefully. Record all interviews with internal and external personnel and update legal teams often.

10. Alert the authorities and legal counsel 

If you need to call in outside help, now is the time. You will likely need to involve law enforcement. Consult with your executive leadership teams and legal counsel to determine any additional response teams needed.

11. Protect digital evidence found

Include a detailed set of instructions and approved methods to protect any digital evidence. The response teams should continue to carefully watch the status of the breach. They can also ensure that more information is not compromised. This is important even after the breach. 


Man speaking to a group of people about data breach recovery

12. Notify data owners about the breach

When you contain the breach and investigations are underway, you can put your restoration plan into action. You may need to notify data owners. This includes customers or employees. Let them know that their information was compromised. Notify them as soon as possible so that they can take the necessary steps to protect themselves.
Taking it a step further, it’s important to consider ways to make the situation right in the eyes of the victims. This means going beyond regulations and considering ethical steps your company can take to ensure their well-being
You can pay for additional monitoring, an identity protection plan or security software for the victims. This shows that you are doing something to remedy the issue rather than simply reporting it.

13. Activate public relations response teams (if needed)

If you need public relations teams, they should communicate quickly, clearly and transparently. It’s important to be straightforward and honest when communicating what you know.
The FTC has a wonderful model letter template. It explains what happened and what information was compromised. It also covers what the company has done to stop it and what users can do to protect themselves.

Learning Lessons illustration of man and imagery related to a data breach response

14. Fix vulnerabilities to prevent another breach

After a security breach, your team should take a look at what happened and fix any vulnerabilities so that it can’t happen again. Decide if you should change service provider access privileges for those involved. 
You may choose to segment your network so that a future breach in one sector won’t expose sensitive information in another sector. Work with your team to find out what weak points in security made this breach possible. This can include reviewing logs and who had access to the appropriate information. Take the recommended measures to ensure networks continue to be secure.
Make sure your teams are leveraging the most updated antivirus and WiFi security protection software. Consider using a tool like Aura to protect your data and devices.

15. Alter preparation plans for potential future breaches

You will also likely want to review your data retention policies and adjusting them. For example, you may only be required to maintain 3 years of ex-customer records. Maintaining 10 years s unnecessarily exposes the company to more risk.
Your IT and compliance teams should come together and determine the lowest amount of customer or other data to retain. Remember that some industries are regulated and you must retain data in some cases.
At this point, your prevention or preparation plans may need altering for potential future breaches. Do so with the knowledge gained from your investigation.

Considerations When Responding to a Data Breach

professional woman pointing to paper on a conference room table
There are some key factors to take into consideration when planning for a potential data breach. You will want to ensure:

  • Senior management is supportive. Support from all senior management teams is essential for the success of your response plan. They can help you gain access to information you may not have readily available and ensure that all departments are on board and well informed.
  • The plan is simple and straightforward. Everyone should know their role and there should be no confusion as to how to deploy the response strategies.
  • Communication is continuous. Not only within the company but with those whose data has been compromised. Recovery will depend on the trust you gain while the incident occurs.
  • You review and test the plan often. You should be constantly looking for holes or discrepancies in the plan so that they can be fixed preemptively. The plan will be worthless if it is irrelevant or ineffective.

To sum things up, you can avoid many negative effects of a security or data breach by preparing. Consequences can include loss of productivity and revenue or damage to trust or reputation. If your team remains flexible and agile during this type of disaster you will enjoy the best possible outcomes. Keeping this in mind, it’s never too early to start thinking about preparing for a data breach.

Gaetano DiNardi


Gaetano DiNardi

Gaetano DiNardi led demand generation at Nextiva and has a track record of success working with brands like Major League Baseball, Pipedrive, Sales Hacker, and Outside of marketing, Gaetano is an accomplished music producer and songwriter. He’s worked with major artists like Fat Joe, Shaggy, and loves making music to stay turbocharged.

Posts from this author
Call badge icon