Data breach: what to do in the first 72 hours
A practical breakdown of how companies respond to personal data incidents - and why most of them get it wrong.
2018 has been a record year for publicly known data breaches. Facebook, British Airways, Marriott - large companies with serious security resources found themselves in situations where user data became accessible to third parties. Since May, GDPR has required notifying the regulator within 72 hours of discovering an incident.
All of this makes breach response a practically urgent question for any company that stores personal data. And most companies are not ready for it.
Where the response typically breaks down
The first hours after discovering an incident are the most important and the most chaotic. Typical problems I observe:
No clarity on who makes decisions. Technical staff have found a potential incident. Should leadership be notified immediately? Legal? PR? Who has the authority to declare an incident and activate the response? Without an answer to this question, hours are lost.
No understanding of scope. What exactly was exposed? Whose data? How many records? Answering this requires a technical investigation, and that investigation needs a procedure defined in advance.
Communication runs ahead of understanding. Panic starts internally, rumours spread across the company, someone calls clients with unverified information. All of this creates additional damage.
Evidence is not preserved. By rushing into recovery actions, such as rebuilding or restoring affected systems, the team may destroy the logs and traces the investigation depends on.
What needs to be done before an incident
Incident response is not something invented in the moment of the incident. It is a process developed in advance and tested.
The minimum required:
- define who is on the response team and who has authority to make key decisions;
- document what data is stored, where, and through which channels it could be compromised;
- prepare communication templates for different scenarios - for the regulator, for users, for the press;
- identify which external partners to contact immediately in the event of an incident;
- verify that logs are retained long enough to support an investigation.
72 hours under GDPR: what that means in practice
72 hours is not much without a ready procedure. In that time you need to: confirm the incident actually happened, assess its scope, decide whether to notify the regulator, and prepare and send the notification.
An important detail: the notification must contain specific information - the categories and approximate number of affected individuals, the contact details of the data protection officer, the likely consequences, and the measures taken. Providing this requires understanding the incident, not just the fact that it was discovered.
A practical readiness check
- Do we have a documented response plan for a data breach incident?
- Does everyone in the plan know their role?
- When did we last verify the plan works - even in a tabletop exercise format?
- How long would it realistically take us to determine what data was compromised?
- Do we have the regulator's contact details and ready notification templates?
An incident does not happen on schedule. But readiness for one is a process built in advance.