You just discovered your business has been breached. Customer data may be exposed, your systems may be compromised, and the clock is ticking on legal notification deadlines. Panic is natural — but following these steps in order will minimize the damage and protect your business.
Step 1: Contain the Breach (Hour 0–4)
Your first priority is stopping the bleeding. Do not wipe systems — you need evidence. Focus on isolation.
Isolate Affected Systems
Disconnect compromised computers from the network — unplug the Ethernet cable and turn off Wi-Fi. Do NOT power them off (volatile memory contains forensic evidence). If you suspect the entire network is compromised, disconnect your router from the internet but keep the internal network up so forensic investigators can assess it.
Change Critical Credentials
Immediately change passwords for: admin accounts, email accounts, cloud services, banking, and any system the attacker may have accessed. Do this from a CLEAN device — not one that may be compromised. Use your phone if necessary.
Preserve Evidence
Do not delete suspicious emails, files, or logs. Screenshot everything. Note the exact time you discovered the breach and what you observed. This evidence is critical for forensic investigation, insurance claims, and law enforcement.
Step 2: Assemble Your Response Team (Hour 4–8)
You cannot handle a breach alone. Contact these people immediately:
- IT support / managed service provider — They can assist with technical containment and forensic preservation. If you don't have one, this is when you need to hire an incident response firm.
- Cyber insurance carrier — Call your insurance broker NOW, even if you are not sure the policy covers this. Many policies have 24-hour notification requirements. Your carrier will assign a breach coach (an attorney) and may cover forensic investigation costs.
- Legal counsel — You need an attorney experienced in data breach response. They will advise on notification obligations, protect attorney-client privilege over the investigation, and handle regulatory communications. Your insurance carrier usually provides one.
- Key employees — Brief your leadership team but limit knowledge to need-to-know. Do not announce the breach company-wide until you understand the scope.
What NOT to Do
- Do not publicly announce the breach until you understand the scope and have legal guidance.
- Do not wipe or reformat affected systems — this destroys forensic evidence.
- Do not contact the attacker — especially for ransomware. Let professionals handle negotiations if needed.
- Do not assume it is over — attackers often maintain persistent access. Assume they are still watching.
- Do not hide it — cover-ups always make things worse. Every state has mandatory notification laws.
Step 3: Investigate and Assess Scope (Day 1–3)
You need to answer these questions as quickly as possible:
- What data was exposed? — Customer PII (names, emails, SSNs, payment cards)? Employee records? Financial data? Trade secrets? The type of data determines your legal obligations.
- How many records were affected? — Many state laws have different notification requirements based on the number of affected individuals (e.g., California requires AG notification if 500+ residents affected).
- How did the attacker get in? — Phishing email? Compromised password? Unpatched vulnerability? Third-party vendor? You need to close the entry point before recovery.
- Is the attacker still in your systems? — Check for unauthorized accounts, scheduled tasks, unfamiliar software, and unusual network traffic.
- What systems were accessed? — Review access logs, email logs, file access logs, and cloud service audit trails.
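For the "Is the attacker still in your systems?" check above, here is an added example (not from the original guide) of simple detection logic run over a sample authentication and audit log: it flags logins from outside the office network or outside business hours, a successful login that follows repeated failures, creation of an account nobody authorized, and creation of scheduled tasks. The log format, office range, user list and working hours are constructed assumptions; adapt the parser to your identity provider's or firewall's real export.

```python
import ipaddress
from datetime import datetime

# Constructed sample export: "<ISO timestamp> <event> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2024-05-02T09:12:04 login_ok user=alice ip=192.168.1.20
2024-05-02T13:41:55 login_ok user=bob ip=192.168.1.31
2024-05-03T02:17:40 login_fail user=admin ip=203.0.113.77
2024-05-03T02:17:52 login_fail user=admin ip=203.0.113.77
2024-05-03T02:18:10 login_ok user=admin ip=203.0.113.77
2024-05-03T02:19:02 account_created user=svc_backup2 ip=203.0.113.77
2024-05-03T02:20:30 task_created user=svc_backup2 ip=203.0.113.77
2024-05-03T10:05:00 login_ok user=alice ip=192.168.1.20
"""
# Assumed facts about the business (constructed): office network range,
# accounts that are supposed to exist, and normal working hours.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
KNOWN_USERS = {"alice", "bob", "admin"}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time

def parse_line(line):
    """Split one constructed log line into (timestamp, event, user, ip)."""
    ts, event, user, ip = line.split()
    return (datetime.fromisoformat(ts), event,
            user.split("=", 1)[1], ipaddress.ip_address(ip.split("=", 1)[1]))

def triage(log_text):
    """Return (timestamp, reason, detail) tuples that deserve a closer look."""
    findings = []
    fails = {}  # (user, ip) -> failed logins seen before the next success
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = parse_line(line)
        key, who = (user, ip), f"{user} from {ip}"
        untrusted = not any(ip in net for net in TRUSTED_NETS)
        if event == "login_fail":
            fails[key] = fails.get(key, 0) + 1
        elif event == "login_ok":
            if untrusted:
                findings.append((ts, "login from untrusted IP", who))
            if ts.hour not in BUSINESS_HOURS:
                findings.append((ts, "login outside business hours", who))
            if fails.pop(key, 0) >= 2:  # guessing pattern, then a hit
                findings.append((ts, "success after repeated failures", who))
        elif event == "account_created" and user not in KNOWN_USERS:
            findings.append((ts, "unauthorized account created", who))
        elif event == "task_created":
            findings.append((ts, "scheduled task created", who))
    return findings
```

Run against the sample, the night-time admin login from 203.0.113.77 and the new svc_backup2 account with its scheduled task are the lines to hand to your forensic investigator; the daytime office logins produce nothing.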
Step 4: Notify Affected Parties (Day 3–30)
Notification is not optional — it is legally required. Here is who you need to notify and when:
State attorneys general
Most states require notification to the state AG if residents are affected. Some states (like Florida) require notification within 30 days. Others allow up to 60 days. Your attorney will identify which states apply based on where your affected customers live — not where your business is located.
Affected individuals
Written notification to every affected individual, typically by mail. The notice must include: what happened, what data was exposed, what you are doing about it, and what they should do (freeze credit, change passwords). Offer free credit monitoring — 12-24 months is standard.
Industry regulators
- HIPAA: Notify HHS within 60 days if health data is involved.
- Financial: Notify relevant regulators (FDIC, OCC, state banking authority).
- SEC-regulated: A material breach may require an 8-K filing.
- PCI: Notify your payment processor immediately if card data was compromised.
Law enforcement
File a report with the FBI's IC3 (ic3.gov) and your local FBI field office. For ransomware, also notify CISA (cisa.gov/report). Law enforcement can sometimes help recover data or identify the attacker.
Step 5: Remediate and Recover (Week 1–4)
Once the breach is contained and notifications are underway, focus on recovery:
- Close the attack vector — Patch the vulnerability, revoke compromised credentials, remove malware, close unauthorized access points.
- Rebuild affected systems — Do not just clean compromised systems. Rebuild them from known-good backups or fresh installations. Attackers often leave backdoors that survive malware removal.
- Implement monitoring — Deploy enhanced logging and monitoring on rebuilt systems. Watch for signs the attacker is attempting to regain access.
- Reset all passwords — Company-wide password reset, enforced through your identity provider. Require 2FA for all accounts.
- Review vendor access — If the breach came through a third party, review and restrict all vendor access to your systems.
Step 6: Prevent the Next One
Use the breach as a catalyst to implement the security measures you should have had in place:
- Mandatory 2FA on all business accounts — use authenticator apps or hardware keys, not SMS
- Password manager for all employees — see our recommendations
- Employee security training — especially phishing recognition. Most breaches start with a phishing email
- Regular backups tested monthly — see our backup strategy guide
- Cyber insurance — if you did not have it, get it. If you did, review your coverage
- Incident response plan — document what you learned and create a written plan for next time
- Vendor security assessments — require security questionnaires from vendors who access your data
- Network segmentation — see our home office hardening guide
The Cost of a Breach: What to Expect
Small business breach costs vary widely, but here are typical ranges:
- Forensic investigation: $20,000–$100,000+ (often covered by cyber insurance)
- Legal fees: $10,000–$75,000+ for breach counsel, notification compliance, and regulatory response
- Notification costs: $1–$3 per affected individual (printing, mailing, call center)
- Credit monitoring: $10–$25 per affected individual for 12-24 months
- Business interruption: Average 21 days of disruption for ransomware incidents
- Regulatory fines: $100–$750,000+ depending on state, industry, and negligence
- Reputation damage: Unquantifiable but often the largest long-term cost
Small business cyber insurance policies start at $500–$2,000/year and typically cover forensic investigation, legal fees, notification costs, credit monitoring, business interruption, and even ransom payments. Without insurance, a single breach can exceed what most small businesses can afford. Major carriers: Coalition, Corvus, At-Bay, Hartford, and Hiscox all offer small business cyber policies.
Breach Response Checklist
Print this and keep it accessible — you will not remember all these steps when you are panicking:
- Isolate affected systems (do not power off)
- Change critical passwords from a clean device
- Preserve all evidence (screenshots, logs, emails)
- Call your cyber insurance carrier
- Engage breach response attorney
- Hire forensic investigator (insurance may assign one)
- Assess scope: what data, how many records, how it happened
- Notify state attorneys general per applicable deadlines
- Notify affected individuals with required disclosures
- Report to FBI IC3 and CISA if applicable
- Close the attack vector and rebuild affected systems
- Company-wide password reset with mandatory 2FA
- Document lessons learned and update your incident response plan
Frequently Asked Questions
Am I legally required to notify customers after a data breach?
Almost certainly yes. All 50 US states, plus DC, Puerto Rico, and the US Virgin Islands, have data breach notification laws. Most require notification within 30-60 days of discovery. Some states (like California) require notification to the state attorney general if more than 500 residents are affected. HIPAA-covered entities must notify HHS within 60 days. Failure to notify can result in fines of $100-$750,000+ depending on the state.
Should I pay a ransomware demand?
The FBI recommends against paying ransoms — payment funds criminal operations and does not guarantee data recovery. However, this is a business decision that depends on whether you have viable backups, the criticality of the encrypted data, and your ability to recover without the decryption key. Consult with legal counsel and your cyber insurance carrier before making this decision. Note: paying a ransom to a sanctioned entity can violate OFAC regulations.
Do I need cyber insurance before a breach happens?
Yes. Cyber insurance typically covers forensic investigation ($20,000-$100,000+), legal fees, notification costs ($1-$3 per record), credit monitoring for affected individuals, business interruption losses, and regulatory fines. Policies for small businesses start around $500-$2,000 per year. Without insurance, a single breach can cost more than most small businesses can absorb.
How do I know if my business has been breached?
Common indicators include: unusual login activity (especially from foreign IPs), unexpected system slowdowns, employees locked out of accounts, unfamiliar files or programs, customers reporting phishing emails that appear to come from your company, credit card processor alerts about unusual transaction patterns, and unexplained data transfers. Many breaches are discovered by third parties — 67% according to the Verizon DBIR.
What is the average cost of a data breach for a small business?
IBM's 2025 Cost of a Data Breach Report found the average cost for organizations under 500 employees is $3.31 million. However, small business breaches typically range from $120,000 to $1.24 million depending on the type and volume of data compromised, how quickly the breach is contained, regulatory fines, and whether lawsuits follow. The average time to identify and contain a breach is 277 days.