Data Breach Response Plan Template for Startups (2025)

Quick Facts About This Template

• Purpose: Comprehensive incident response plan for detecting, containing, investigating, and notifying regulators and data subjects of personal data breaches
• Key Laws: GDPR Article 33/34, CCPA/CPRA, US state breach notification laws (all 50 states + DC, PR, VI)
• Critical Timeline: GDPR requires notification within 72 hours of becoming aware of a breach
• Who Needs This: Any organization that collects, processes, or stores personal data (especially SaaS startups, e-commerce, fintech, healthcare tech)
• Last Updated: September 2025 (reflects 2025 GDPR guidance, CPRA requirements, and state law changes)
• Customization Time: 4-6 hours (requires input from legal, IT security, privacy, and executive teams)
• Format: Step-by-step incident response procedures, notification templates, decision trees, and checklists

---

Why You Need a Data Breach Response Plan

A data breach response plan is essential for:

1. Regulatory Compliance: GDPR, CCPA, and all 50 US states require timely breach notification
2. Minimizing Harm: Fast containment and response reduces impact on data subjects and your business
3. Avoiding Penalties: GDPR fines up to €10 million or 2% of global revenue for notification failures (Article 33); up to €20 million or 4% for security failures (Article 32)
4. Protecting Reputation: Demonstrates preparedness and responsibility to customers, investors, and regulators
5. Legal Defensibility: Having a documented, tested plan shows due diligence and good faith efforts

Recent 2025 Updates:

• PECR (UK): Breach reporting timescales changed from 24 hours to 72 hours (effective August 20, 2025)
• EDPB Guidelines 9/2022: Updated guidance on what constitutes "becoming aware" of a breach and phased notification procedures
• State Law Changes: Several states updated notification timelines and requirements in 2024-2025

---

1. Incident Response Team and Roles

1.1 Breach Response Team

Establish a cross-functional breach response team with clearly defined roles:

Role	Responsibilities	Primary Contact
Incident Response Lead	Overall coordination, decision-making, escalation	[NAME, TITLE, EMAIL, PHONE]
IT Security Lead	Technical investigation, containment, forensics	[NAME, TITLE, EMAIL, PHONE]
Privacy Officer / DPO	Regulatory notification, data subject notification, privacy impact assessment	[NAME, TITLE, EMAIL, PHONE]
Legal Counsel	Legal advice, regulatory liaison, litigation hold	[NAME, TITLE, EMAIL, PHONE]
Executive Sponsor	Executive decision-making, media statements, board notification	[CEO/CTO NAME, EMAIL, PHONE]
Communications Lead	Internal/external communications, customer support, media relations	[NAME, TITLE, EMAIL, PHONE]
HR Lead	Employee notification, workforce coordination, insider threat investigation	[NAME, TITLE, EMAIL, PHONE]
Vendor Management	Third-party processor notification, vendor coordination	[NAME, TITLE, EMAIL, PHONE]

1.2 Escalation Path

Define clear escalation triggers:

• Low Severity: Security incident affecting <100 individuals, no sensitive data → IT Security Lead handles
• Medium Severity: Incident affecting 100-10,000 individuals, potential regulatory notification → Escalate to Privacy Officer + Legal
• High Severity: Incident affecting >10,000 individuals, sensitive data (SSN, financial, health), likely regulatory/public notification → Escalate to Executive Sponsor + full Breach Response Team
• Critical Severity: Incident with immediate risk of harm (e.g., financial fraud, identity theft, physical danger) → Immediate escalation to CEO + emergency response

1.3 24/7 Contact Information

Maintain an up-to-date contact list with multiple channels:

• Primary phone
• Secondary phone
• Personal email (for after-hours)
• Emergency SMS group

Review and test contact list quarterly.

---

2. Breach Detection and Reporting

2.1 What Constitutes a Personal Data Breach?

GDPR Article 4(12) defines a personal data breach as:

"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

Examples include:

• Unauthorized access to databases containing personal data
• Ransomware encryption of personal data
• Accidental email sent to wrong recipients containing personal data
• Lost or stolen laptop/USB drive with unencrypted personal data
• Malware exfiltrating customer data
• Insider theft or misuse of personal data
• Misconfigured cloud storage exposing personal data publicly
• Vendor/processor breach affecting your data

2.2 Detection Methods

Common detection sources:

• [ ] Security monitoring and SIEM alerts
• [ ] Intrusion detection/prevention systems (IDS/IPS)
• [ ] Endpoint detection and response (EDR) tools
• [ ] Log analysis and anomaly detection
• [ ] Employee reports
• [ ] Customer complaints
• [ ] Third-party/vendor notifications
• [ ] External security researcher reports
• [ ] Media reports or dark web monitoring
• [ ] Regulatory inquiry

2.3 Internal Reporting Procedure

Any employee who suspects a personal data breach must immediately report it:

Reporting Channels:

• Primary: Email to [[email protected]]
• Secondary: Direct contact to IT Security Lead at [PHONE]
• Emergency (after-hours): [24/7 HOTLINE NUMBER]

Information to Provide:

• Date/time of discovery
• How was the breach discovered?
• What personal data may be affected?
• How many individuals may be affected?
• What systems/databases are involved?
• Has the breach been contained?
• Any immediate actions taken?

No Retaliation Policy: Employees will not face retaliation for reporting suspected breaches in good faith.

---

3. Initial Assessment (0-24 Hours)

3.1 Confirm the Breach

The 72-hour GDPR clock starts when you become aware "with reasonable certainty" that a personal data breach has occurred.

Key Questions:

• [ ] Has personal data been accessed, disclosed, altered, lost, or destroyed?
• [ ] Was the access/disclosure unauthorized or unlawful?
• [ ] Is this a confirmed breach or just a potential security incident?

Important: Discovery of a network intrusion alone does NOT start the 72-hour clock—only confirmation that personal data was involved.

3.2 Immediate Actions (First 24 Hours)

Within the first 24 hours, the Incident Response Lead must:

1. Activate the Breach Response Team

   • [ ] Convene emergency meeting (in-person or video conference)
   • [ ] Assign roles and responsibilities
   • [ ] Establish communication channels (Slack channel, war room, etc.)

2. Preserve Evidence

   • [ ] Do NOT take systems offline without consulting forensics experts (may destroy evidence)
   • [ ] Preserve logs, memory dumps, network traffic captures
   • [ ] Implement litigation hold on relevant documents and communications
   • [ ] Document all actions taken with timestamps

3. Begin Initial Fact-Finding

   • [ ] What personal data is affected? (names, emails, passwords, SSNs, payment info, health data, etc.)
   • [ ] How many individuals are affected? (estimate range if exact number unknown)
   • [ ] When did the breach occur? (initial compromise vs. discovery date)
   • [ ] What is the cause? (cyberattack, human error, system failure, insider threat, vendor breach?)
   • [ ] What systems/databases are compromised?
   • [ ] Has data been exfiltrated or just accessed?
   • [ ] Is the breach ongoing or contained?

4. Notify Key Stakeholders Internally

   • [ ] Brief CEO/executive team
   • [ ] Inform legal counsel
   • [ ] Alert cyber insurance carrier (if applicable)
   • [ ] Contact forensics firm (if needed)

5. Start Incident Log

   • [ ] Create incident ticket/case number: [INCIDENT-YYYY-MM-DD-###]
   • [ ] Maintain detailed timeline of all actions, decisions, and findings
   • [ ] Record who was notified and when

---

4. Containment and Mitigation

4.1 Immediate Containment

Priority: Stop the breach from continuing or worsening.

Technical Containment Measures:

• [ ] Isolate affected systems (network segmentation, disable network access)
• [ ] Revoke compromised credentials (passwords, API keys, access tokens)
• [ ] Block malicious IP addresses/domains
• [ ] Disable compromised user accounts
• [ ] Patch vulnerabilities that allowed the breach
• [ ] Deploy additional monitoring on affected systems
• [ ] Change all administrative passwords
• [ ] Enable enhanced logging

Physical Containment Measures:

• [ ] Secure physical access to affected servers/devices
• [ ] Recover lost/stolen devices (if possible)
• [ ] Disable remote wipe for forensics (coordinate with legal/IT)

4.2 Forensics Considerations

WARNING: Improper containment can destroy evidence.

Before taking systems offline:

• [ ] Consult with forensics specialist
• [ ] Capture volatile memory (RAM) dumps
• [ ] Preserve disk images
• [ ] Maintain chain of custody for evidence

When to Engage External Forensics Firm:

• High-severity breaches affecting >10,000 individuals
• Breaches involving malware, ransomware, or advanced persistent threats (APTs)
• Breaches where cause/scope is unclear
• Breaches likely to result in litigation or regulatory investigation
• Insider threat investigations

Recommended Forensics Firms:

1. [FORENSICS FIRM NAME, CONTACT, CONTRACT STATUS]
2. [FORENSICS FIRM NAME, CONTACT, CONTRACT STATUS]
3. [FORENSICS FIRM NAME, CONTACT, CONTRACT STATUS]

---

5. Investigation and Forensics

5.1 Determine Scope of Breach

Forensic investigation must determine:

1. Attack Vector / Root Cause

   • How did the attacker gain access? (phishing, vulnerability, stolen credentials, insider, misconfiguration?)
   • When did the initial compromise occur?
   • What was the timeline of attacker activity?

2. Data Affected

   • What specific personal data was accessed/exfiltrated? (full field-level inventory)
   • Which databases, tables, files, systems?
   • Was data encrypted at rest? In transit?
   • Was data anonymized or pseudonymized?
   • Was data backed up/replicated to other systems?

3. Individuals Affected

   • How many data subjects are affected? (exact count or best estimate)
   • What categories of data subjects? (customers, employees, prospects, children, etc.)
   • What countries/regions are they in? (determines notification laws)

4. Data Exfiltration

   • Was data merely accessed or also exfiltrated/copied?
   • What evidence of exfiltration exists? (network logs, command history, etc.)
   • Where was data exfiltrated to? (external IP, cloud storage, email, etc.)
   • Was data published/sold on dark web or leaked publicly?

5. Impact on Data Subjects

   • What is the likelihood of harm? (identity theft, financial fraud, discrimination, physical danger, reputational harm)
   • What is the severity of potential harm?
   • Are there vulnerable populations affected? (children, health data subjects, financial distress)

5.2 Forensics Report

External forensics firm should provide:

• Executive summary of findings
• Detailed technical report with evidence
• Timeline of attacker activity
• Root cause analysis
• List of affected systems and data
• Recommendations for remediation
• Evidence preservation and chain of custody documentation

---

6. Risk Assessment and Notification Decision

6.1 GDPR Risk Assessment

GDPR Article 33 requires notification to supervisory authority UNLESS the breach "is unlikely to result in a risk to the rights and freedoms of natural persons."

Factors to Consider (EDPB Guidelines 9/2022):

Risk Factors INCREASING likelihood of notification:

• [ ] Sensitive data involved (health, financial, SSN, biometric, racial/ethnic origin, political opinions, religious beliefs, sexual orientation, criminal convictions)
• [ ] Large number of individuals affected
• [ ] Children's data affected
• [ ] Employees' data affected
• [ ] Vulnerable individuals (elderly, disabled, low-income, marginalized)
• [ ] Data exfiltrated or publicly disclosed (not just accessed)
• [ ] Data unencrypted or encryption key also compromised
• [ ] Identity theft or financial fraud risk
• [ ] Discrimination or reputational harm risk
• [ ] Physical danger risk
• [ ] Inability to access services (e.g., locked out of accounts)
• [ ] Ransomware encryption preventing access to critical data

Risk Factors DECREASING likelihood of notification:

• [ ] Data encrypted with strong encryption (AES-256) and key not compromised
• [ ] Data pseudonymized and identifiers not compromised
• [ ] Immediate containment with no evidence of data exfiltration
• [ ] Very limited data involved (e.g., email addresses only, no passwords/names)
• [ ] Very small number of individuals (<10)
• [ ] Immediate technical measures rendered data unintelligible to unauthorized party

6.2 Notification Decision Matrix

Breach Type	Risk Level	Supervisory Authority Notification?	Data Subject Notification?
Unencrypted laptop with customer names/emails stolen	Medium	✅ Yes (within 72 hours)	⚠️ Likely (high risk of harm)
Database with hashed passwords accessed (no evidence of exfiltration)	Low-Medium	✅ Yes (within 72 hours)	❌ Possibly not (if hashing strong + no exfiltration)
Database with SSNs + financial data exfiltrated	High	✅ Yes (within 72 hours)	✅ Yes (high risk)
Employee email account compromised (100 customer emails viewed)	Medium	✅ Yes (within 72 hours)	⚠️ Likely
Encrypted backup tapes lost (encryption key not compromised)	Low	❌ Possibly not	❌ No
Ransomware encrypted customer database (no exfiltration)	Medium-High	✅ Yes (within 72 hours)	⚠️ Likely (inability to access)

When in doubt, notify. Failure to notify when required can result in significant fines.

---

7. Notification to Supervisory Authorities (GDPR 72-Hour Requirement)

7.1 GDPR Article 33 Requirements

Timeline: Notify supervisory authority within 72 hours of becoming aware of the breach.

"Becoming Aware" Means:

• When IT security or management has reasonable certainty that a personal data breach has occurred
• Not when you first detect a security anomaly, but when you confirm personal data is involved
• The clock does NOT stop for investigation—you must notify within 72 hours even with incomplete information

If Notification Delayed Beyond 72 Hours:

• You MUST provide reasons for the delay
• Delay must be justified (e.g., needed time to confirm scope, coordinate with law enforcement)
• Unjustified delays can result in fines

7.2 Which Supervisory Authority to Notify?

EU GDPR:

• Notify your lead supervisory authority (the authority in the EU member state where your main establishment is located)
• If you have no EU establishment but offer goods/services to EU residents: notify the authority where your EU representative is located
• If multiple authorities are relevant: your lead authority will coordinate with others

UK GDPR:

• Notify the Information Commissioner's Office (ICO) via their online reporting tool: https://ico.org.uk/for-organisations/report-a-breach/

Find your EU lead supervisory authority: https://edpb.europa.eu/about-edpb/about-edpb/members_en

7.3 Required Information (GDPR Article 33(3))

The notification must include:

1. Description of the breach:

   • Nature of the breach (unauthorized access, loss, alteration, disclosure, etc.)
   • Date/time of breach (or best estimate)
   • Date/time breach was discovered
   • How breach was discovered

2. Categories and approximate number of data subjects affected:

   • E.g., "approximately 5,000 customers located in EU"
   • E.g., "200 employees in Germany"

3. Categories and approximate number of personal data records affected:

   • E.g., "10,000 customer records containing names, email addresses, hashed passwords"
   • E.g., "500 records containing names, addresses, national ID numbers, bank account numbers"

4. Contact details of Data Protection Officer (DPO) or other contact:

   • Name, email, phone of DPO or privacy officer

5. Likely consequences of the breach:

   • Potential harm to data subjects (identity theft, financial fraud, discrimination, etc.)
   • Impact on business operations

6. Measures taken or proposed to address the breach:

   • Containment and mitigation actions
   • Measures to mitigate harm to data subjects (e.g., credit monitoring, password resets)
   • Measures to prevent recurrence

7.4 Phased Notification

If you don't have all information within 72 hours:

GDPR allows phased notification:

1. Initial Notification (within 72 hours): Provide what information you have, note that investigation is ongoing, commit to providing updates
2. Follow-Up Notification: Provide additional details as they become available (e.g., after forensics investigation completes)

Example initial notification language:

"We are writing to notify you of a personal data breach affecting approximately 5,000-10,000 EU data subjects. We discovered the breach on [DATE] and immediately began containment and investigation. At this time, we have confirmed that names and email addresses were accessed by an unauthorized party. We are conducting a full forensic investigation to determine the scope of the breach and whether additional data categories were affected. We will provide a follow-up notification within 7 days with additional details."

7.5 Notification Methods

EU GDPR:

• Check your lead supervisory authority's website for notification procedures
• Many authorities have online breach notification forms
• Some accept email or postal mail

UK ICO:

• Online form: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/

Template Breach Notification to Supervisory Authority: See Section 14.1

---

8. Notification to Data Subjects

8.1 When to Notify Data Subjects

GDPR Article 34: Notify data subjects when the breach "is likely to result in a high risk to the rights and freedoms of natural persons."

High risk factors:

• [ ] Sensitive data (health, financial, SSN/national ID, biometric, children's data, employee data)
• [ ] Large-scale breach affecting many individuals
• [ ] Risk of identity theft, financial fraud, or physical harm
• [ ] Risk of discrimination, reputational damage, or loss of confidentiality
• [ ] Vulnerable populations (children, elderly, disabled, marginalized groups)

Exceptions (no need to notify data subjects if):

1. Strong encryption: Data was encrypted with state-of-the-art encryption and key not compromised
2. Subsequent measures: Controller took immediate measures ensuring high risk no longer likely
3. Disproportionate effort: Would require disproportionate effort (e.g., contact information unavailable) → Instead, make public communication

8.2 Timeline for Data Subject Notification

GDPR: "Without undue delay"—no specific timeline, but should be as soon as possible after confirming high risk

US State Laws: Vary by state—most require "without unreasonable delay" or within specific timeframes (e.g., 30-90 days)

8.3 Required Content (GDPR Article 34(2))

Data subject notification must include:

1. Description of the breach (in clear, plain language)

   • What happened?
   • When did it happen?
   • What data was affected?

2. Contact details of DPO or privacy team

   • How can individuals get more information?

3. Likely consequences of the breach

   • What risks do individuals face? (identity theft, fraud, spam, etc.)

4. Measures taken or proposed to address the breach

   • What are we doing to fix this?
   • What can individuals do to protect themselves? (change passwords, monitor accounts, enable MFA, etc.)

8.4 Notification Method

Direct notification preferred:

• [ ] Email (if email addresses available and not compromised)
• [ ] Postal mail (if email not available)
• [ ] SMS (if phone numbers available and appropriate)
• [ ] In-app notification (for logged-in users)

Public communication (if direct notification disproportionate):

• [ ] Website banner/notice
• [ ] Press release
• [ ] Paid advertisements
• [ ] Social media posts

Template Data Subject Notification Email: See Section 14.2

---

9. US State Breach Notification Requirements

9.1 Overview of State Laws

All 50 US states + DC, Puerto Rico, and US Virgin Islands have breach notification laws.

General Requirements:

• Notify affected residents "without unreasonable delay"
• Some states have specific timelines (e.g., 30, 45, 60, or 90 days)
• Most laws apply to computerized personal information (name + SSN, driver's license, financial account, health info, etc.)
• Some states also require notification to state attorney general and/or credit reporting agencies

9.2 When State Law Notification is Required

Trigger: Unauthorized acquisition of unencrypted personal information (or encrypted data where encryption key also compromised) that creates risk of harm

Personal Information (varies by state, but typically includes):

• Name + SSN
• Name + driver's license number
• Name + financial account/credit card + security code/PIN
• Username/email + password
• Health information
• Biometric data (in some states)

Safe Harbor (most states): If data was encrypted and key not compromised → no notification required

9.3 State Attorney General Notification

States requiring AG notification (examples):

• California: Notify AG if >500 CA residents affected
• Florida: Notify AG if >500 FL residents affected (within 30 days)
• New York: Notify AG without unreasonable delay
• Washington: Notify AG if >500 WA residents affected
• Vermont: Notify AG if any VT residents affected (without unreasonable delay)

Consult full state breach notification chart: https://iapp.org/resources/article/state-data-breach-notification-chart/

9.4 Credit Reporting Agency Notification

Requirement: Notify nationwide credit reporting agencies (Equifax, Experian, TransUnion) if breach affects:

• >1,000 individuals (in most states)
• Or if SSNs or financial account numbers compromised

What to Provide:

• Date of breach
• Approximate number of individuals affected
• Sample copy of notification sent to individuals

9.5 State Notification Timeline Reference

State	Notification Timeline	AG Notification Required?	Notes
California	Without unreasonable delay	Yes (if >500 affected)	Must notify AG electronically
New York	Without unreasonable delay	Yes	Must notify AG and offer credit monitoring if SSN affected
Texas	Without unreasonable delay	No	60-day timeline if using substitute notice
Florida	Within 30 days	Yes (if >500 affected)	Can extend up to 45 days with written request
Illinois	Without unreasonable delay	Yes	Must notify AG if >500 IL residents or >250 residents in single incident
Washington	Without unreasonable delay	Yes (if >500 affected)	Must notify AG before or at same time as individuals
Massachusetts	"As soon as practicable"	Yes	Must also notify Consumer Affairs and credit reporting agencies

Consult legal counsel for full state-by-state requirements.

---

10. CCPA/CPRA Breach Obligations

10.1 CCPA/CPRA and Breach Response

CCPA/CPRA does NOT change California's separate breach notification statute (Cal. Civ. Code § 1798.82).

However, CCPA/CPRA does require:

1. Reasonable Security Measures (CPRA § 1798.100(e)): Businesses must implement reasonable security to protect personal information
2. Duty to Notify Consumers of Unauthorized Access: Under Cal. Civ. Code § 1798.82, notify CA residents without unreasonable delay
3. Private Right of Action (CCPA § 1798.150): Consumers can sue for statutory damages ($100-$750 per consumer per incident) if breach results from business's failure to maintain reasonable security

10.2 California Breach Notification Requirements

Covered Data:

• Unencrypted personal information (name + SSN, driver's license, financial account, medical info, health insurance info, username + password, biometric)

Notification Timeline:

• "In the most expedient time possible and without unreasonable delay"

Notification to California AG:

• Required if >500 CA residents affected
• Must submit electronically via: https://oag.ca.gov/privacy/databreach/reporting

Content Requirements:

• [ ] What happened
• [ ] What information was involved
• [ ] What we're doing
• [ ] What you can do
• [ ] Contact information
• [ ] Date of breach (or estimated date)
• [ ] Date discovered

Free Credit Monitoring:

• Required for 12 months if SSN or driver's license compromised

10.3 CCPA Private Right of Action

Risk: If breach results from failure to maintain reasonable security, CA consumers can sue for $100-$750 per consumer per incident

Example: Breach affecting 10,000 CA consumers → potential liability of $1-7.5 million (plus attorneys' fees)

Mitigation:

• [ ] Implement reasonable security (encryption, access controls, MFA, patching, monitoring)
• [ ] Document security program and breach response efforts
• [ ] Offer credit monitoring and identity theft protection
• [ ] Consider cyber insurance

---

11. Communication and Media Response

11.1 Internal Communication

Employees:

• [ ] Brief employees on need-to-know basis
• [ ] Remind employees of confidentiality obligations
• [ ] Provide talking points for customer-facing teams (support, sales)
• [ ] Avoid speculation or blame

Board of Directors:

• [ ] Notify board immediately for high-severity breaches
• [ ] Provide regular updates on investigation and response
• [ ] Discuss potential financial, legal, and reputational impact

Investors:

• [ ] Notify investors if breach is material (significant financial impact, threatens business continuity)
• [ ] Coordinate with legal counsel on disclosure obligations

11.2 Customer Communication

Customer Support:

• [ ] Prepare FAQ for support teams
• [ ] Set up dedicated email/phone line for breach inquiries: [[email protected]] or [HOTLINE]
• [ ] Monitor social media for customer concerns
• [ ] Log all inquiries and responses

Customer Notification:

• [ ] Send notification email (see template in Section 14.2)
• [ ] Post FAQ on website
• [ ] Consider webinar or town hall for large breaches

11.3 Media and Public Relations

Media Inquiries:

• [ ] Designate single spokesperson (typically CEO or Communications Lead)
• [ ] Prepare media statement (see template in Section 14.3)
• [ ] Do NOT speculate or blame
• [ ] Be transparent, empathetic, and action-oriented

Proactive Media Outreach:

• [ ] Issue press release if breach is public or affects large number of individuals
• [ ] Coordinate with legal counsel on timing (after regulatory notification)

Website Notice:

• [ ] Post breach notice on homepage or dedicated breach response page
• [ ] Include FAQ, contact information, and resources for affected individuals

Sample Media Statement Template: See Section 14.3

---

12. Post-Incident Review and Remediation

12.1 Post-Incident Review (PIR)

Within 30 days of breach containment, conduct a post-incident review:

Attendees:

• Breach Response Team
• IT Security, Privacy, Legal, Executive Sponsor

Agenda:

1. What Happened: Timeline and root cause analysis
2. What Went Well: Effective response actions
3. What Went Wrong: Gaps, delays, miscommunications
4. Lessons Learned: Key takeaways
5. Action Items: Remediation and prevention measures

12.2 Remediation and Prevention

Technical Remediation:

• [ ] Patch vulnerabilities that enabled the breach
• [ ] Implement additional security controls (MFA, encryption, access controls, monitoring, EDR, SIEM)
• [ ] Conduct penetration testing and vulnerability assessments
• [ ] Review and update incident response playbooks

Policy and Process Remediation:

• [ ] Update data breach response plan
• [ ] Enhance employee security training (phishing, password hygiene, data handling)
• [ ] Review vendor security and DPAs
• [ ] Update Records of Processing Activities (ROPA)
• [ ] Conduct Data Protection Impact Assessment (DPIA) for high-risk processing

Organizational Remediation:

• [ ] Increase security budget and staffing
• [ ] Engage external security consultants
• [ ] Obtain or enhance cyber insurance coverage
• [ ] Consider appointing Data Protection Officer (DPO) or Chief Information Security Officer (CISO)

12.3 Follow-Up with Regulators

GDPR:

• [ ] Provide follow-up notification with complete information (if initial notification was incomplete)
• [ ] Respond to regulator inquiries and document requests
• [ ] Demonstrate remediation actions taken

US State AGs:

• [ ] Respond to any inquiries from state attorneys general
• [ ] Provide copies of consumer notifications and credit monitoring offers

---

13. Documentation and Recordkeeping

13.1 GDPR Article 33(5) Recordkeeping Requirement

GDPR requires controllers to document ALL personal data breaches, whether or not they were notified to the supervisory authority.

Records must include:

• [ ] Facts of the breach (what, when, how)
• [ ] Effects of the breach (data/individuals affected, potential harm)
• [ ] Remedial action taken

Purpose: Supervisory authorities can verify compliance with notification obligations.

13.2 Breach Incident Log

Maintain a comprehensive log for each breach:

Field	Information
Incident ID	[INCIDENT-YYYY-MM-DD-###]
Date Discovered	[DATE/TIME]
Date Occurred	[DATE/TIME or ESTIMATED]
How Discovered	[SIEM alert, employee report, customer complaint, etc.]
Type of Breach	[Unauthorized access, ransomware, lost device, etc.]
Root Cause	[Phishing, vulnerability, misconfiguration, insider, etc.]
Personal Data Affected	[List specific data categories]
Number of Individuals Affected	[Exact count or best estimate]
Jurisdictions	[EU, UK, CA, other US states, etc.]
Risk Level	[Low / Medium / High / Critical]
Supervisory Authority Notification	[Yes/No, Date, Which Authority]
Data Subject Notification	[Yes/No, Date, Method]
US State Notifications	[List states, dates]
Containment Actions	[Summary of technical measures]
Forensics Investigation	[Summary of findings, link to full report]
Post-Incident Review	[Date, key findings, action items]
Regulatory Inquiries	[Any follow-up from regulators]
Costs	[Forensics, legal, notification, credit monitoring, fines, etc.]

13.3 Retention Period

Retain breach records for:

• GDPR: Minimum 3 years (recommended 5+ years)
• CCPA: Minimum 2 years from date of breach
• US State Laws: Varies (typically 3-7 years)
• Cyber Insurance: Per policy requirements (often 7 years)
• Litigation Hold: Retain indefinitely if litigation pending or reasonably anticipated

---

14. Breach Notification Templates

14.1 Template: Notification to Supervisory Authority (GDPR Article 33)

Subject: Personal Data Breach Notification - [COMPANY NAME] - [DATE]

To: [Supervisory Authority Name] From: [Data Protection Officer Name, Email, Phone] Date: [Date] Incident Reference: [INCIDENT-YYYY-MM-DD-###]

---

1. Description of the Personal Data Breach

On [DATE], [COMPANY NAME] became aware of a personal data breach affecting personal data of data subjects located in the European Union.

Nature of Breach: [Describe breach—e.g., "Unauthorized access to customer database," "Ransomware encryption of employee records," "Accidental disclosure via misdirected email"]

Date of Breach: [DATE/TIME or ESTIMATED DATE/TIME] Date Discovered: [DATE/TIME] How Discovered: [E.g., "SIEM alert detected anomalous database queries," "External security researcher notified us," "Employee reported suspicious activity"]

---

2. Categories and Approximate Number of Data Subjects Affected

• Category of Data Subjects: [E.g., "Customers located in EU," "Employees based in Germany," "Website users"]
• Approximate Number: [E.g., "Approximately 5,000-7,000 EU data subjects" or "We are still investigating and will provide an updated estimate within 7 days"]

---

3. Categories and Approximate Number of Personal Data Records Affected

Personal Data Categories:

• [X] Names
• [X] Email addresses
• [X] Hashed passwords (bcrypt, 12 rounds)
• [X] Postal addresses
• [ ] Phone numbers
• [ ] National ID numbers / SSNs
• [ ] Financial account numbers
• [ ] Health information
• [ ] Biometric data
• [ ] Other: [SPECIFY]

Approximate Number of Records: [E.g., "10,000 customer records"]

Encryption Status:

• [ ] Data was encrypted at rest (AES-256) and encryption key was NOT compromised
• [ ] Data was encrypted at rest, but encryption key may have been compromised
• [X] Data was NOT encrypted at rest

---

4. Contact Details

Data Protection Officer (DPO): [NAME] [EMAIL] [PHONE]

Alternative Contact: [NAME, TITLE] [EMAIL] [PHONE]

---

5. Likely Consequences of the Breach

[Describe potential harm to data subjects, e.g.:]

"The breach involved names, email addresses, and hashed passwords. The likely consequences include:

• Risk of phishing attacks using compromised email addresses
• Risk of credential stuffing attacks if data subjects reused passwords on other sites
• Reputational harm and loss of trust

We assess the risk as [LOW / MEDIUM / HIGH] because [REASONING]."

---

6. Measures Taken or Proposed to Address the Breach

Immediate Containment Actions:

• [X] Isolated affected systems from network (Date: [DATE])
• [X] Revoked compromised credentials and forced password resets for all affected users (Date: [DATE])
• [X] Blocked malicious IP addresses (Date: [DATE])
• [X] Engaged external forensics firm [FIRM NAME] to investigate (Date: [DATE])

Measures to Mitigate Harm to Data Subjects:

• [X] Notified all affected data subjects on [DATE] with instructions to change passwords immediately
• [X] Enabled multi-factor authentication (MFA) for all users
• [X] Monitoring dark web and paste sites for leaked data

Measures to Prevent Recurrence:

• [ ] Patching vulnerability [CVE-XXXX-XXXXX] on all systems (Completion date: [DATE])
• [ ] Implementing enhanced monitoring and intrusion detection (Completion date: [DATE])
• [ ] Mandatory security awareness training for all employees (Completion date: [DATE])
• [ ] Third-party penetration testing (Scheduled: [DATE])

Ongoing Investigation: [If applicable:] "We are continuing our forensic investigation to determine the full scope of the breach. We will provide a follow-up notification with additional details by [DATE]."

---

7. Additional Information

[If applicable, include:]

• Whether breach was reported to law enforcement
• Whether breach involved a processor/sub-processor
• Any other relevant information

---

Signature:

[NAME] [TITLE - Data Protection Officer] [COMPANY NAME] [DATE]

---

14.2 Template: Notification to Data Subjects (GDPR Article 34)

Subject: Important Security Notice - Action Required

From: [COMPANY NAME] security@[COMPANY].com To: [CUSTOMER EMAIL] Date: [DATE]

---

Dear [CUSTOMER NAME],

We are writing to inform you of a security incident that may have affected your personal information.

What Happened

On [DATE], we became aware that an unauthorized party gained access to [DESCRIBE SYSTEM—e.g., "our customer database"]. We immediately launched an investigation and engaged a leading cybersecurity firm to help us understand the scope and impact of this incident.

What Information Was Involved

Our investigation determined that the following information may have been accessed:

• [X] Your name
• [X] Your email address
• [X] Your password (stored as a hashed value—not in plain text)
• [ ] Your postal address
• [ ] Your phone number
• [ ] Your payment information
• [ ] Other: [SPECIFY]

[If applicable:] We have no evidence at this time that your information has been misused.

What We Are Doing

We take the security of your information very seriously. We have taken the following actions:

1. Contained the incident and blocked unauthorized access
2. Engaged a leading forensics firm to investigate and determine the full scope
3. Notified law enforcement and regulatory authorities
4. Enhanced our security measures, including [multi-factor authentication, additional monitoring, patching vulnerabilities]
5. Reset your password as a precaution (you will be prompted to create a new password at next login)

What You Can Do

We recommend you take the following steps to protect yourself:

1. Change Your Password Immediately

   • Log in to your account and create a new, strong password
   • Use a unique password you haven't used elsewhere
   • Consider using a password manager

2. Enable Multi-Factor Authentication (MFA)

   • Go to [LINK TO MFA SETTINGS] to enable MFA for additional account security

3. Monitor Your Accounts

   • Watch for any suspicious activity on your accounts
   • Be cautious of phishing emails pretending to be from [COMPANY NAME]

4. Report Suspicious Activity

   • If you notice anything unusual, contact us immediately at [[email protected]]

[If offering credit monitoring:]

Free Credit Monitoring

We are offering [12/24] months of free credit monitoring and identity theft protection services through [PROVIDER]. To enroll, visit [ENROLLMENT LINK] and use enrollment code: [CODE]. This offer expires on [DATE].

For More Information

If you have questions or concerns, please contact us:

• Email: [[email protected]]
• Phone: [HOTLINE NUMBER] (Hours: [HOURS])
• Website: [BREACH FAQ PAGE URL]

We sincerely apologize for this incident and any concern it may cause. We are committed to protecting your information and have taken significant steps to enhance our security.

Sincerely,

[CEO/FOUNDER NAME] [TITLE] [COMPANY NAME]

---

14.3 Template: Media Statement

FOR IMMEDIATE RELEASE

[COMPANY NAME] Announces Security Incident and Actions Taken to Protect Customer Information

[CITY, STATE] – [DATE] – [COMPANY NAME] today announced that it recently became aware of a security incident involving unauthorized access to [DESCRIBE SYSTEM]. The company immediately launched an investigation, engaged a leading cybersecurity firm, and notified law enforcement and regulatory authorities.

What Happened

On [DATE], [COMPANY NAME] detected [DESCRIBE INCIDENT—e.g., "suspicious activity in our systems"]. We immediately began an investigation and determined that an unauthorized party gained access to [DESCRIBE SYSTEM] between [DATE RANGE]. We have no evidence at this time that customer information has been misused.

What Information Was Involved

The incident affected approximately [NUMBER] customers. The information involved includes [LIST DATA CATEGORIES—e.g., "names, email addresses, and hashed passwords"]. [If applicable:] "The incident did NOT involve [payment information, Social Security numbers, financial account numbers]."

Actions Taken

[COMPANY NAME] has taken immediate action to contain the incident and protect customer information:

• Contained the incident and blocked unauthorized access
• Engaged [FORENSICS FIRM] to conduct a comprehensive investigation
• Notified law enforcement and regulatory authorities, including [LIST AUTHORITIES]
• Enhanced security measures, including [multi-factor authentication, additional monitoring, patching vulnerabilities]
• Reset passwords for all affected customers as a precaution
• Notified all affected customers with instructions on how to protect themselves

Customer Support

[COMPANY NAME] is committed to supporting affected customers. We have established a dedicated hotline at [PHONE NUMBER] and email at [EMAIL] for customer inquiries. [If applicable:] "We are also offering [12/24] months of free credit monitoring and identity theft protection services."

Commitment to Security

"We take the security and privacy of customer information very seriously," said [CEO NAME], [CEO TITLE] of [COMPANY NAME]. "We sincerely apologize to our customers for this incident. We are conducting a thorough investigation and have enhanced our security measures to prevent this from happening again. We are committed to earning back the trust of our customers."

For More Information

Customers with questions can contact:

• Phone: [HOTLINE NUMBER]
• Email: [EMAIL]
• Website: [BREACH FAQ PAGE URL]

Media inquiries:

• [SPOKESPERSON NAME]
• Phone: [PHONE]
• Email: [EMAIL]

---

14.4 Template: Notification to State Attorney General (California Example)

Via California Attorney General's Data Breach Portal: https://oag.ca.gov/privacy/databreach/reporting

Business/Organization Name: [COMPANY NAME] Contact Person: [NAME, TITLE] Email: [EMAIL] Phone: [PHONE] Address: [ADDRESS]

---

1. Date of Breach: [DATE] (or estimated: [DATE RANGE])

2. Date Breach Discovered: [DATE]

3. Approximate Number of California Residents Affected: [NUMBER]

4. Type of Personal Information Involved:

• [X] Name + Social Security Number
• [X] Name + Driver's License Number
• [ ] Name + Financial Account Number
• [X] Name + Medical Information
• [ ] Name + Health Insurance Information
• [X] Username/Email + Password
• [ ] Biometric Information
• [ ] Other: [SPECIFY]

5. Description of Incident: [Provide brief description—e.g., "On [DATE], an unauthorized party gained access to our customer database through [METHOD]. The breach affected approximately [NUMBER] CA residents. We discovered the breach on [DATE] through [SIEM alert/external notification/etc.]. We immediately contained the incident, engaged forensics experts, and began notifying affected individuals."]

6. Notification to Affected Individuals:

• Date Notification Sent: [DATE]
• Method: [Email / Postal Mail / Both]
• Sample Notification Attached: [Yes]

7. Actions Taken:

• Contained incident and blocked unauthorized access
• Engaged external forensics firm
• Notified law enforcement
• Enhanced security measures (MFA, monitoring, patching)
• Offering [12/24] months free credit monitoring [if applicable]

8. Substitute Notice (if applicable): [ ] Not using substitute notice [ ] Using substitute notice because: [REASON]

---

Submitted By:

[NAME] [TITLE] [COMPANY NAME] [DATE]

Attachment: Sample notification sent to California residents

---

Customization Checklist

Before deploying this breach response plan, customize the following sections:

Pre-Incident Preparation:

• [ ] Fill in all [BRACKETED PLACEHOLDERS] with your company-specific information
• [ ] Identify and document your Incident Response Team (Section 1.1)
• [ ] Confirm 24/7 contact information for all team members (Section 1.3)
• [ ] Establish internal reporting channels and emergency hotline (Section 2.3)
• [ ] Identify your EU lead supervisory authority and UK ICO contact (Section 7.2)
• [ ] Pre-identify external forensics firms and establish contracts/retainers (Section 4.2)
• [ ] Determine which US states your customers/employees are located in (Section 9)
• [ ] Review cyber insurance policy and notification requirements
• [ ] Create dedicated breach response email/hotline (e.g., [email protected])
• [ ] Set up breach response war room (physical or virtual)
• [ ] Pre-draft notification templates and customize for your business (Section 14)

Testing and Training:

• [ ] Conduct tabletop exercises (at least annually)
• [ ] Test notification procedures (email systems, SMS, etc.)
• [ ] Train employees on breach detection and reporting
• [ ] Review and update plan annually (or after each breach)
• [ ] Document lessons learned from exercises and real incidents

Legal and Compliance:

• [ ] Review with legal counsel to ensure compliance with applicable laws
• [ ] Consult with cyber insurance carrier on notification procedures
• [ ] Coordinate with outside counsel on privilege and work product protections
• [ ] Confirm DPO designation (required for GDPR if processing large-scale sensitive data)
• [ ] Update Records of Processing Activities (ROPA) to reflect breach response procedures

---

FAQs

1. When does the 72-hour GDPR notification clock start?

The 72-hour clock starts when your organization becomes aware "with reasonable certainty" that a personal data breach has occurred. This means when IT security or management confirms that personal data was involved—not when you first detect a security anomaly. The clock does NOT stop for investigation; you must notify within 72 hours even if you don't have complete information (you can provide a phased notification).

2. What if we can't notify within 72 hours?

If you cannot notify within 72 hours, you MUST provide reasons for the delay in your notification to the supervisory authority. Unjustified delays can result in fines. The GDPR allows phased notification: provide what information you have within 72 hours and commit to providing updates as more details become available.

3. Do we have to notify data subjects for every breach?

No. GDPR requires notification to data subjects only when the breach "is likely to result in a high risk to the rights and freedoms of natural persons." Factors include: sensitive data, large-scale breach, children's data, identity theft risk, physical danger, etc. However, you must ALWAYS notify the supervisory authority (unless the breach is unlikely to result in ANY risk).

4. What if our data was encrypted—do we still have to notify?

If data was encrypted with strong encryption (AES-256) and the encryption key was NOT compromised, the breach is unlikely to result in risk, and notification may not be required. However, if the encryption key was also compromised (or encryption was weak), notification is required.

5. What are the penalties for failing to notify?

GDPR fines for notification failures (Article 33) can be up to €10 million or 2% of global annual revenue (whichever is higher). Fines for security failures (Article 32) can be up to €20 million or 4% of global revenue. US state laws vary, but CCPA allows private right of action for $100-$750 per consumer per incident, plus attorneys' fees.

6. Do we need to notify US state attorneys general?

Many US states require notification to the state attorney general if the breach affects a certain number of residents (often 500 or more). California, New York, Florida, Washington, and others have this requirement. Check the IAPP state breach notification chart for specific state requirements.

7. Should we notify law enforcement?

Notifying law enforcement (e.g., FBI, local police) is optional in most cases, but recommended for cybercrimes like ransomware, hacking, or insider theft. Law enforcement may request that you delay public notification to avoid interfering with their investigation.

8. What if our processor/vendor was breached?

If a processor (vendor) suffers a breach affecting your personal data, the processor must notify you without undue delay (typically within 24-48 hours per your Data Processing Agreement). YOU (as the controller) are responsible for notifying the supervisory authority and data subjects. Make sure your DPAs have clear breach notification obligations.

9. Do we need cyber insurance?

Cyber insurance is highly recommended. A good policy covers forensics costs, legal fees, regulatory fines, notification costs, credit monitoring, public relations, and business interruption. Policies typically range from $1 million to $10+ million in coverage. Be sure to notify your insurer immediately when a breach occurs.

10. How do we test our breach response plan?

Conduct tabletop exercises at least annually. Simulate a breach scenario (e.g., ransomware attack, lost laptop, vendor breach) and walk through your response procedures. Document gaps and update your plan. Consider engaging external consultants to run realistic simulations.

11. What records do we need to keep?

GDPR requires you to document ALL personal data breaches (even if not notified to supervisory authority) with facts, effects, and remedial actions. Retain breach records for at least 3 years (recommended 5+ years). Also maintain incident logs, forensics reports, notification records, and post-incident review notes.

12. What if we're not sure if it's a breach?

When in doubt, treat it as a breach and activate your response plan. It's better to over-respond and later determine it was a false alarm than to under-respond and miss the 72-hour notification window. Conduct a thorough investigation to confirm whether personal data was involved.

---

Common Mistakes to Avoid

1. Delaying Investigation: The 72-hour GDPR clock doesn't stop while you investigate. Begin your response immediately.

2. Taking Systems Offline Without Forensics Consultation: This can destroy critical evidence. Consult forensics experts before taking systems offline.

3. Not Preserving Logs: Ensure logs are captured and preserved (many systems overwrite logs after 30-90 days).

4. Assuming Encryption = No Notification: If the encryption key was also compromised, notification IS required.

5. Notifying Too Late: Don't wait for complete information—provide a phased notification within 72 hours.

6. Ignoring State Laws: US state laws vary widely. Don't assume federal law (which doesn't exist for general breaches) applies.

7. Blaming Employees or Vendors: Focus on fixing the problem, not assigning blame. Conduct blameless post-incident reviews.

8. Not Testing Your Plan: A plan that's never tested will fail when you need it most. Conduct regular tabletop exercises.

9. No Litigation Hold: Failing to preserve evidence can result in sanctions if litigation occurs.

10. Not Engaging Legal Counsel Early: Bring in counsel immediately to protect privilege and ensure compliance.

---

Next Steps

1. Customize This Template: Fill in all bracketed placeholders with your company information
2. Identify Your Incident Response Team: Assign roles and ensure 24/7 availability
3. Establish Reporting Channels: Set up [email protected] and emergency hotline
4. Pre-Draft Notifications: Customize templates in Section 14 for your business
5. Obtain Cyber Insurance: Get quotes from cyber insurance carriers
6. Engage Forensics Firm: Establish retainer agreements with forensics experts
7. Train Your Team: Conduct breach response training and tabletop exercises
8. Review with Legal Counsel: Have counsel review and approve this plan
9. Test Your Plan: Run a simulated breach exercise
10. Review Annually: Update this plan at least once per year

---

Related Resources

From Promise Legal:

• Privacy Policy Template - GDPR/CCPA-compliant privacy policy
• Data Processing Agreement (DPA) - GDPR Article 28 processor agreement
• Privacy Audit Template - Comprehensive GDPR/CCPA audit checklist
• Cookie Policy Template - Cookie consent and tracking compliance
• Data Security Guide - Security best practices for startups
• GDPR Compliance Guide - Complete GDPR compliance overview
• CCPA Compliance Guide - California privacy law guide

External Resources:

• EDPB Guidelines 9/2022 on Personal Data Breach Notification: https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf
• ICO Personal Data Breach Guide: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
• IAPP State Data Breach Notification Chart: https://iapp.org/resources/article/state-data-breach-notification-chart/
• NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
• SANS Incident Response Guide: https://www.sans.org/white-papers/

---

Get Legal Help

Need help with breach response or data protection compliance?

Promise Legal helps startups navigate GDPR, CCPA, and breach notification requirements. We offer:

• Data breach response legal support (24/7 availability for clients)
• GDPR/CCPA compliance assessments
• Data Processing Agreement (DPA) drafting and negotiation
• Privacy policy and cookie policy drafting
• Regulatory notification assistance
• Incident response plan development and testing

Schedule a consultation or email us at [email protected].

---

Disclaimer: This template is provided for informational purposes only and does not constitute legal advice. Data breach notification laws are complex and vary by jurisdiction. You should consult with qualified legal counsel to ensure compliance with all applicable laws and to customize this plan for your specific circumstances. Promise Legal assumes no liability for any damages arising from use of this template.