TL;DR
A documented and tested data-breach response plan can meaningfully reduce cost, legal exposure, and downtime. This template gives a practical framework for detection, ownership, notification, and post-incident review tailored for small businesses.
Why You Need a Breach Response Plan
Industry reports consistently show organizations with tested incident-response playbooks recover faster and with fewer downstream costs. Regulations in all 50 U.S. states require breach notification, and many include strict timing rules. Without a plan, teams lose critical early hours deciding who does what.
Regulatory Requirements
State Breach Notification Laws
- All 50 states require notification of affected individuals
- Timing varies (some require “expedient” notice, others specify days)
- Content requirements for notifications vary by state
Industry-Specific Requirements
- HIPAA: 60-day notification requirement for healthcare
- GLBA: Financial services notification requirements
- State privacy laws (CCPA, etc.) have specific timelines
Response Plan Template
Phase 1: Detection and Initial Assessment
Triggering Events
- Security alert from monitoring tools
- Employee report of suspicious activity
- Customer complaint about unauthorized access
- Ransomware demand
- Third-party notification
- Media inquiry
Immediate Actions (First 1-4 Hours)
- Document the report
  - Date/time of discovery
  - How discovered
  - What systems/data may be affected
  - Who has been informed
- Activate the Incident Response Team
  - Incident Commander: [Name, Phone]
  - IT/Technical Lead: [Name, Phone]
  - Legal Counsel: [Name, Phone]
  - Communications Lead: [Name, Phone]
  - HR Representative (if an employee is involved): [Name, Phone]
- Initial Assessment Questions
  - What type of data may be affected?
  - How many individuals might be impacted?
  - Is the threat still active?
  - What systems are affected?
  - Is there immediate business disruption?
Phase 2: Containment
Short-Term Containment
- Isolate affected systems from the network
- Preserve forensic evidence (don’t wipe or rebuild yet)
- Document all actions taken
- Preserve logs from affected systems
Evidence Preservation Checklist
- Network logs (firewall, proxy, DNS)
- System logs from affected devices
- Email logs if relevant
- Access logs for affected systems
- Backup status and recent backup availability
Phase 3: Investigation
Scope Determination
- What data was accessed or exfiltrated?
- What is the sensitivity classification?
- How many individuals are affected?
- Were encryption and other protections in place?
Forensic Investigation
For significant incidents, engage professional forensics:
- Determine attack vector
- Identify timeline of access
- Confirm scope of data accessed
- Document findings for insurance and legal
Phase 4: Notification Planning
Notification Decision Matrix
| Data Type | Number Affected | Required Notification |
|---|---|---|
| PII | Any | State AG + affected individuals |
| PHI | 500+ | HHS + media + individuals |
| Payment cards | Any | Card brands via processor |
| Financial data | Any | State regulators + individuals |
Notification Timeline
- HIPAA: 60 days maximum
- Most state laws: “Without unreasonable delay”
- Some states: Specific days (e.g., 30-45 days)
Phase 5: Communication
Internal Communications Template
Subject: Confidential - Security Incident Update
Team,
We are investigating a potential security incident. At this time:
- [Brief factual statement about what is known]
- Our incident response team is actively working on containment
- Please direct all inquiries to [Communications Lead]
- Do not discuss externally or on social media
We will provide updates as appropriate. Questions should be directed to [contact].
External Notification Template
[Date]
Dear [Individual Name],
We are writing to inform you of a security incident that may have affected your personal information.
What Happened:
[Clear, factual description of the incident]
What Information Was Involved:
[Specific types of information affected]
What We Are Doing:
[Actions taken and remediation steps]
What You Can Do:
[Recommended protective actions]
For More Information:
We have established a dedicated response line at [phone] and website at [URL].
Phase 6: Remediation
Immediate Actions
- Patch exploited vulnerabilities
- Reset compromised credentials
- Implement additional security controls
- Review and update access permissions
Longer-Term Improvements
- Address root cause findings
- Implement detective controls
- Update security policies
- Enhance monitoring
Phase 7: Post-Incident Review
Lessons Learned Meeting (Within 2 weeks)
- What went well in the response?
- What could have been done better?
- What process improvements are needed?
- What additional resources are needed?
Documentation Requirements
- Complete incident timeline
- Actions taken and by whom
- Final scope determination
- Notification records
- Insurance claim documentation
Testing Your Plan
Tabletop Exercises
Conduct annual exercises with your response team:
- Present a realistic scenario
- Walk through each phase of response
- Identify gaps and confusion points
- Update plan based on findings
Technical Testing
- Verify backup restoration procedures
- Test emergency communication channels
- Confirm forensic tool availability
- Validate that contact information is current
Insurance Considerations
What Cyber Insurance Typically Covers
- Forensic investigation costs
- Legal counsel fees
- Notification costs
- Credit monitoring for affected individuals
- Crisis communications
- Business interruption
Policy Requirements
Many policies require:
- Prompt notification to insurer (often within 24-72 hours)
- Use of approved vendors for forensics
- Cooperation with insurer’s investigation
- Insurer consent before settlements
Next Steps
Use our cyber insurance calculator to ensure adequate coverage for breach response costs. Review this template with your IT provider and legal counsel to customize for your organization.