How to Create a Data Breach Response Plan

Is preparation for a data breach part of your incident response plan? It should be.

For many organizations, data breaches have become an increasingly significant threat in recent years. According to a report compiled by Risk Based Security, data breaches exposed 8.4 billion records in Q1 2020 — an increase of 273% compared to Q1 2019. From credit bureaus to insurance providers, it seems as though no company has been immune, and for some, the fallout from a data breach has been significant, impacting both their bottom line and their public image.

According to a 2020 study conducted by IBM, U.S.-based companies will lose an average of $8.64 million per data breach, and it takes them an average of 280 days to identify and contain the incident. Notably, the survey found companies that were able to respond in under 200 days spent $1 million less than their counterparts, on average.

Simply put, when a breach does occur, time is of the essence. The longer it takes a company to respond to a security breach, the worse the collateral and financial damage. For organizations, this means that in addition to investing in cybersecurity, having a solid incident response plan in place that prepares for data breaches can potentially help reduce the overall impact of a data breach.

What is a Data Breach Response Plan?

A data breach response plan is an incident response plan that outlines every stage of the response process: what actions need to take place, when and how they need to occur, and who needs to be involved. Should a data breach occur, the plan will serve as a roadmap, giving your team the ability to react quickly and reduce stress. Ultimately, the plan should help you mitigate damage — both for your customer base and your organization as a whole — while also working to reduce the financial loss associated with the incident.

Building a Data Breach Response Team

Prior to creating your plan, you’ll want to identify a team of specialists. Both your incident response planning and your data breach response team should include a cross-section of personnel that extends far beyond your IT department, from customer support to compliance.

For many organizations, a data breach response team will include representation from the following teams:

Executive Team

At least one member of your executive team — such as your CEO, CIO, or COO — should actively participate in incident response planning. Should a security event occur, having a key decision-maker involved can help improve your organization’s response time.

Information Technology

Your IT team should be prepared to handle all technical aspects of a data breach, from discovery and containment to investigation and resolution. Depending on the size of your organization, you may need the support of your entire team.

Legal and Compliance

Your legal and compliance team should play an integral role in nearly every aspect of a data breach response plan. During the planning stages, they will work to ensure that your organization is adhering to all rules and regulations regarding data protection, and that all eventualities are being taken into consideration. Should a data breach occur, they will help ensure that your team is working to mitigate further damage, adhering to all legal obligations, and compiling the appropriate documentation.

Public Relations and Marketing

In the event of a data breach, communication is of utmost importance. As such, it’s important to engage the support of your marketing and communications teams early on. They should lead the charge on any external communications regarding a data breach, such as a press announcement and outreach to those who may have been affected.

Customer Support

Some organizations may find it helpful to engage their customer support team, particularly those that retain a large database of customer information. Your customer support team can partner with public relations (PR) and marketing leaders on customer outreach. Should a data breach occur, customer service teams may also be responsible for handling any inbound customer inquiries regarding the incident.

Human Resources

Your human resources (HR) department holds a great deal of sensitive information about every employee in your organization, including, in some cases, their Social Security number, date of birth, names of immediate family, and more. In short, employee records are an appealing target for some cybercriminals. It’s important to also include at least one member of your HR team in the plan to help develop a course of action should employee data be compromised.

External Vendors

It’s important to consider what external support your organization may require in the event of a data breach. Depending on your company’s existing resources, this may include vendors specializing in forensics, data breach restitution, legal counsel, or PR support. By having a researched and vetted list of vendors included within your plan, you can avoid days — or even weeks — of delays after a data breach.

Creating a Data Breach Response Plan

Once you’ve identified key participants, your team should assemble and begin building out your plan. Many teams might find it helpful to start by mapping out every stage of the process, from discovery to resolution.

While every organization’s roadmap will be unique, the following steps can serve as a general starting point:

  1. Discovery: The breach is identified.
  2. Containment: Steps are taken to contain the breach and minimize any further damage.
  3. Initiate Response: Team members are notified and the data breach response plan is put into action. Any necessary vendors are engaged.
  4. Investigation: Your team works to uncover details about the data breach.
  5. Notify the Public: Appropriately notify those impacted by the breach as well as credit reporting agencies and other organizations as required by applicable laws.
  6. Address Vulnerabilities: Your team works to fix any vulnerabilities and put measures in place to safeguard your data.
  7. Post-mortem Meeting: Your team takes time to review the data breach recovery process, share feedback, and make updates to your plan based on these learnings.

It’s important to note that some of these steps might occur in tandem. For example, you may wish to initiate your response plan and investigate while your IT department takes measures to contain the breach. Likewise, it’s important to note that laws vary by state. Be sure to research the applicable states’ laws and ensure you’re including all necessary steps in your plan.

Determining what events will trigger your plan

Consider what type of breach will trigger the activation of your plan, and who will be responsible for making the decision to do so. For example, if a third party accidentally gains access to the email addresses of just a few customers, you may decide it’s not necessary to activate your full response plan.

When making this decision, you may wish to consider the following:

  • Could the intent of this breach be malicious?
  • How many individuals have been affected by the breach?
  • What type of data has been exposed?
  • Does this have the potential to cause harm to individuals?
  • Do we need to take additional steps in order to mitigate further loss or damage?
  • Could there be legal, financial, or reputational ramifications?

Identifying the who, what, and when of your plan

Once you’ve mapped out the steps that will need to occur, you’ll want to outline specific action items. When doing so, consider the following questions:

  • Who is in charge of activating our plan?
  • What action needs to be taken?
  • When does this need to occur?
  • Who is responsible for overseeing the execution of this task?
  • What teams or vendors will need to participate in this step?

Make sure your plan is clear and straightforward. Every participant should be able to quickly and easily identify their role and what actions they are responsible for. Be sure to include contact information for everyone involved. Also, remember that in some cases, your team may need to spring into action outside of normal business hours. As such, it’s important to identify a secondary contact in case any of your primary contacts are unreachable or unavailable.

Finally, take care to consult your legal and compliance team in order to identify what level of documentation will be necessary at each stage of the plan. Should a data breach occur, it will be important to maintain detailed records outlining all of the steps your organization has taken to mitigate damage and remedy the situation.

Test and Revisit Your Plan

Once you’ve created your data breach response plan, it’s a good idea to conduct a test run. This will help you identify any potential issues or steps your team may have overlooked. Likewise, this will help ensure that every member of your team has a clear understanding of their role and responsibilities.

From there, be sure to revisit your plan periodically. Consider whether there have been staffing changes that might impact your plan, or if your vendor needs have changed. Be sure to have each participant review their contact information in order to ensure the plan is accurate and up to date. Also, verify that any other details you may have included in your plan, such as information pertaining to your company’s cyber insurance policy, are still relevant.

Finally, remember that the best way to reduce the cost of a data breach is to take every precaution to prevent one from ever occurring. As an organization, it’s crucial to establish cybersecurity strategies designed to safeguard your data and deter cybercriminals, while taking all necessary steps to reduce IT risk.

Sources: Additional data breach response planning resources are available through the National Institute of Standards and Technology (NIST), CompTIA and Experian.


The information presented is general in nature and should not be considered legal, accounting or tax advice. Regions reminds its customers that they should be vigilant about fraud and security and that they are responsible for taking action to protect their computer systems. Fraud prevention requires a continuous review of your policies and practices, as the threat evolves daily. There is no guarantee that all fraudulent transactions will be prevented or that related financial losses will not occur. Visit, or speak with your Banker for further information on how you can help prevent fraud. References or links to third-party websites do not imply endorsement.