You just found out your systems were breached. Maybe a customer reported suspicious activity. Maybe your monitoring caught unauthorized access. Maybe a security researcher sent you a responsible disclosure email. However you got here, the clock is now ticking.
The next 72 hours will determine whether this incident becomes a manageable event or an existential crisis. Here is the playbook.
Hours 0-4: Confirm and contain
First, confirm you actually have a breach. Not every anomaly is a compromise. Pull your team together, look at the evidence, and make a call. If you are unsure, treat it as a breach until you can prove otherwise.
Once confirmed, your goal is containment. This does not mean pulling the plug on everything. It means stopping the bleeding without destroying evidence.
- Isolate affected systems from the network. Do not wipe them.
- Rotate all credentials that may have been exposed: API keys, database passwords, service accounts, admin logins.
- Revoke active sessions for affected users.
- Enable enhanced logging on everything. You need to capture what happens next.
- Preserve forensic evidence: disk snapshots, memory dumps, log exports.
Do not reboot servers. Do not delete anything. Forensic evidence is fragile and you will need it later.
Hours 4-24: Assess the scope
Now you need to figure out what happened. What was accessed? How did the attacker get in? Are they still in your systems?
If you do not have internal forensics capability (most startups do not), this is when you call in an incident response firm. Good ones include CrowdStrike, Mandiant, and Secureworks. Expect to pay $25,000-$75,000 for a typical startup-scale engagement. That sounds expensive until you compare it to the cost of getting this wrong.
While the forensics team works, start documenting everything. Create a timeline. Record every action you take with timestamps. This documentation will be critical for regulators, customers, and your legal team.
Hours 24-48: Legal and regulatory
Call your lawyer. If you do not have a lawyer who understands data breach law, find one immediately. Breach notification requirements vary by jurisdiction, and getting them wrong can multiply your liability.
Key regulatory deadlines to know:
- GDPR: 72 hours to notify the supervisory authority if EU personal data is involved.
- US state laws: deadlines vary from 30 to 90 days depending on the state. Some states also require notification to the state Attorney General.
- HIPAA: 60 days for individual notification, and 60 days for notifying HHS if more than 500 records are affected.
- SEC: Public companies must report material cybersecurity incidents within 4 business days.
Your lawyer will help you determine what applies. Do not try to figure this out on your own.
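The timestamped action record from the previous section and the deadline list above, as an added example that is not part of the original post or any traztech tooling: it computes the listed notification deadlines from the discovery time and keeps an append-only, hash-chained timeline of response actions so a later edit to an entry is detectable. The business-day count assumes a Monday-to-Friday week with no holidays modelled.

```python
from __future__ import annotations
import hashlib
import json
from datetime import datetime, timedelta, timezone

def add_business_days(start: datetime, days: int) -> datetime:
    # Advance by weekdays only (Mon-Fri); public holidays are not modelled (assumption).
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current

def notification_deadlines(discovered: datetime) -> dict[str, datetime]:
    """Deadlines from the post's list, all counted from the discovery timestamp."""
    return {
        "GDPR supervisory authority": discovered + timedelta(hours=72),
        "HIPAA individual notification": discovered + timedelta(days=60),
        "HIPAA HHS notification (500+ records)": discovered + timedelta(days=60),
        "SEC material incident report": add_business_days(discovered, 4),
    }

class IncidentTimeline:
    """Append-only action log; each entry commits to the hash of the previous one."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, actor: str, action: str, when: datetime | None = None) -> str:
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": when.isoformat(), "actor": actor, "action": action, "prev": prev}
        # Canonical JSON so the hash is reproducible when the chain is re-verified.
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        # Recompute every hash and check each link; False means an entry was altered or removed.
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Export the entries as JSON alongside the disk snapshots and log exports so the record travels with the rest of the evidence.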
Hours 48-72: Communication
This is where most companies fail. The instinct is to say as little as possible and hope it goes away. That never works.
Draft your breach notification with these elements: what happened, what data was affected, what you are doing about it, and what affected individuals should do. Be specific and honest. Vague statements like "a limited number of users may have been affected" erode trust faster than the breach itself.
Notify affected customers directly via email. Post a public incident report on your website. Brief your customer-facing teams so they can answer questions. If the breach is significant, consider offering credit monitoring or identity theft protection.
After the first 72 hours
Once the immediate crisis is managed, shift to remediation and prevention. Fix the vulnerability that was exploited. Implement the security controls that would have detected or prevented the breach. Conduct a thorough postmortem (blameless, focused on systems, not people). Update your incident response plan based on what you learned.
The startups that survive breaches are the ones that respond quickly, communicate honestly, and emerge with stronger security than they had before.
Need help with breach response?
traztech helps startups build incident response plans before breaches happen and provides hands-on support when they do. We have guided dozens of companies through security incidents.