Data breach response checklist

Work through containment, assessment, and communication tasks in the hours and days after discovering a data breach. Each task has an optional note field for a timestamp, an owner, or a link — check items off as you complete them, then export the whole checklist (with your notes) to a branded PDF or a CSV to share with legal counsel or leadership.

Frequently asked questions

Why preserve logs before starting remediation?

Remediation steps — patching a server, rotating credentials, rebuilding a system — often overwrite or delete the evidence you need to determine exactly what was accessed and by whom. Regulators and cyber-insurance providers will ask for this evidence, and without it you're forced to over-disclose (assuming the worst-case scope) because you can't prove a narrower one. Snapshot or export logs first, then remediate.
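A minimal evidence-preservation script for the step above, added here as an example and not part of the checklist tool; it assumes a POSIX shell with GNU coreutils (cp, sha256sum, date, mktemp) and every path in it is constructed:

```shell
#!/bin/sh
# Added example, not the checklist tool's own code: snapshot log files into an
# evidence directory with a SHA-256 manifest before remediation starts, then
# re-verify the snapshot later. Assumes POSIX sh plus GNU coreutils
# (cp, sha256sum, date, mktemp). Every path below is constructed.

# preserve_logs EVIDENCE_DIR LOGFILE...
# Copies each log read-only into EVIDENCE_DIR, records source path, collection
# time and host in COLLECTION.txt, and writes a sha256sum-format SHA256SUMS.
# Same-named files from different directories would collide; prefix if needed.
preserve_logs() {
    ev="$1"; shift
    mkdir -p "$ev" || return 1
    printf 'collected_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$ev/COLLECTION.txt"
    printf 'host=%s\n' "$(uname -n)" >> "$ev/COLLECTION.txt"
    : > "$ev/SHA256SUMS"
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            # record the gap rather than silently skipping it
            printf 'missing=%s\n' "$f" >> "$ev/COLLECTION.txt"
            continue
        fi
        name=$(basename "$f")
        cp -p "$f" "$ev/$name" || return 1      # -p keeps mtime for timeline work
        chmod 0444 "$ev/$name"                  # discourage accidental edits
        printf 'source=%s copy=%s\n' "$f" "$name" >> "$ev/COLLECTION.txt"
        (cd "$ev" && sha256sum "$name" >> SHA256SUMS) || return 1
    done
    chmod 0444 "$ev/SHA256SUMS" "$ev/COLLECTION.txt"
}

# verify_evidence EVIDENCE_DIR : returns 0 only if every preserved copy still
# matches the hash recorded at collection time.
verify_evidence() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS >/dev/null 2>&1)
}

# Demo on a constructed log line; real collection would point at /var/log,
# journald exports, cloud audit-log downloads, etc.
demo() {
    work=$(mktemp -d) || return 1
    printf '2024-01-01T10:00:00Z sshd[1]: Accepted publickey for ops\n' > "$work/auth.log"
    preserve_logs "$work/evidence" "$work/auth.log" "$work/rotated.log.1" || return 1
    verify_evidence "$work/evidence"
}

demo && echo "evidence preserved and hashes verified"
```

Run it before any patching or credential rotation; a later `verify_evidence` failure tells you the snapshot itself was touched.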

What's the actual GDPR notification deadline, and does it apply to every business?

Under GDPR, a breach likely to result in risk to individuals must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it — this applies to any business processing personal data of EU residents, not just EU-based companies. Other jurisdictions (e.g. US state laws, Australia's Notifiable Data Breaches scheme) have their own deadlines and thresholds, so confirm which regimes apply to your user base before assuming GDPR's 72-hour window is the only one you need to hit.

How do I estimate what a breach will actually cost before deciding how much to invest in response?

Breach costs come from several buckets — regulatory fines, customer notification and credit monitoring, legal fees, lost business from customer churn, and remediation engineering time — and estimating them upfront helps justify the response budget to leadership. Use the Data breach cost estimator to get a rough figure for your specific user count and data sensitivity before finalising your response plan.