Data Breach Response Guide: What to Do in the First 72 Hours

Last updated: 2026-04-05 — ComplianceStack Editorial Team

A data breach doesn't have to be catastrophic — but a botched response almost always is. Regulators look at two things: what happened, and what you did about it. Organizations that respond quickly, document thoroughly, and communicate proactively consistently fare better than those that delay or minimize. This guide covers what to do in the first 72 hours and beyond.

Immediate Response: Hours 0–24

Hour 1: Contain and assess
- Convene your incident response team (IT security, legal, compliance, communications)
- Isolate affected systems to stop further unauthorized access (network isolation, revocation of exposed credentials and tokens); coordinate with forensics before powering anything off, since a hard shutdown destroys volatile memory
- Preserve evidence — do NOT delete or rotate logs, reimage or wipe devices, or otherwise alter system state; extend retention on SIEM and cloud audit logs now, before the window covering the intrusion ages out
- Document everything from this moment: timestamps, who did what, what was found

Hours 1–4: Initial scoping
- What data was accessed or exfiltrated? What types? Whose data?
- Is the incident ongoing or contained?
- What was the attack vector?
- What systems are affected?

Hours 4–24: Legal and regulatory assessment
- Engage outside legal counsel experienced in breach response
- Determine applicable regulations (HIPAA, GDPR, state laws) based on data types and affected individuals' locations
- Determine notification obligation timelines
- Engage a forensic investigation firm if needed

GDPR note: Your 72-hour clock for notifying the competent supervisory authority (the lead authority in cross-border cases) starts when you become "aware" of the breach, which the EDPB reads as having a reasonable degree of certainty that a security incident has compromised personal data; it does not wait for the investigation to finish. Notify in phases with what you know and supplement later (Art. 33(4)); if you miss 72 hours, the notification must state the reasons for the delay. Record every personal data breach internally under Art. 33(5), including those you judge unlikely to pose a risk and therefore do not notify.

Notification Requirements by Regulation

HIPAA (US healthcare):
- Notify HHS: for breaches affecting 500 or more individuals, without unreasonable delay and no later than 60 calendar days after discovery (HHS posts these on its public breach portal); for fewer than 500, log the breach and report it to HHS within 60 days after the end of the calendar year in which it was discovered
- Notify affected individuals: without unreasonable delay and no later than 60 calendar days after discovery (60 days is an outer limit, not a safe harbor)
- Notify media: for breaches affecting more than 500 residents of a state or jurisdiction, notify prominent media outlets serving that state or jurisdiction
- Business Associates must notify the Covered Entity without unreasonable delay and no later than 60 calendar days after discovery; note that a Business Associate acting as the Covered Entity's agent has its knowledge imputed to the Covered Entity, so the Covered Entity's own clock may already be running

GDPR (EU data):
- Notify supervisory authority: within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Art. 33); phased notification is acceptable
- Notify affected individuals: without undue delay if the breach is likely to result in a high risk to them (Art. 34)
- Individual notification is not required where the data was rendered unintelligible to unauthorized parties, for example encrypted with a key that was not compromised (Art. 34(3)); this exemption does not remove the Art. 33 duty to notify the supervisory authority, and the authority can still order individual notification if it disagrees with your risk assessment

US State Laws (as of 2026):
- All 50 states, plus DC, Puerto Rico, Guam and the US Virgin Islands, have data breach notification laws
- Deadlines range from "the most expedient time possible and without unreasonable delay" with no fixed number of days (the most common formulation) to fixed outer limits of 30 days (e.g., Colorado, Florida, Washington) or 45 days in some states; separately, entities regulated by the New York Department of Financial Services must notify the Department within 72 hours of a cybersecurity event under 23 NYCRR 500.17, a regulatory obligation on top of New York's general breach law
- Many require notifying the state attorney general and/or relevant regulators, often above a threshold number of affected residents
- Some states have expanded what counts as personal information (e.g., New York's SHIELD Act added biometric data and online account credentials); California's CPRA likewise broadened the categories of data whose breach can trigger its private right of action

CCPA/CPRA: Allows a private right of action when a California resident's nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security. Damages are the greater of actual damages or statutory damages of $100–$750 per consumer per incident, and the business must be given a 30-day written notice and opportunity to cure before statutory damages can be sought.

Documentation: What You Must Capture

Breach documentation serves two purposes: legal defense and regulatory response. Start documenting immediately and never stop until the incident is fully closed.

During the incident:
- Incident timeline (all discovery, response, and remediation actions with timestamps)
- Who was notified internally and when
- Systems affected and data types involved
- Scope of individuals affected (count, categories of data)
- Root cause analysis (preliminary, then updated)
- Containment and remediation actions taken

For regulatory submissions:
- HHS HIPAA breach report (via HHS breach portal)
- GDPR supervisory authority notification (Form varies by country)
- State AG notification letters
- Individual notification letters (retain copies)

Preserving evidence:
- Litigation hold for all relevant documents, emails, and logs
- Forensic images of affected systems (disk and, where possible, memory) taken before remediation, with a cryptographic hash recorded at acquisition so integrity can be demonstrated later
- Vendor forensic report (if external forensics engaged)
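The Hour 1 instruction to preserve evidence and document every action with timestamps, and the "Preserving evidence" list above, both come down to the same mechanics: hash each item as it is collected, record who collected it and when, and keep the record itself tamper-evident. The following is an added example, not code from this page or from ComplianceStack, of a minimal hash-chained chain-of-custody log. Each entry records the SHA-256 of an evidence file plus a UTC timestamp and collector, and is chained to the previous entry so that a retroactive edit to the log is detectable. The evidence files, the collector identifier `j.doe`, the host name `web01` and the log line are all constructed for the demo; a real disk image would come from `dd` or a dedicated imaging tool behind a write blocker, with the same hashing step applied.

```python
"""Hash-chained chain-of-custody log for breach evidence (added example; sample data constructed)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(prev, entry_without_hash):
    # Canonical JSON (sorted keys) so the same entry always hashes identically.
    body = json.dumps(entry_without_hash, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + body).hexdigest()


def acquire(path, collector, note, log):
    """Record one evidence item: hash it, stamp UTC time, chain it to the previous entry."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "seq": len(log),
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "path": os.path.abspath(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "note": note,
        "prev_entry_hash": prev,
    }
    entry["entry_hash"] = _entry_hash(prev, entry)
    log.append(entry)
    return entry


def verify(log):
    """Re-check the log chain and each item's current hash. Returns a list of problems; empty means clean."""
    problems = []
    prev = GENESIS
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_entry_hash"] != prev or e["entry_hash"] != _entry_hash(prev, body):
            problems.append(f"entry {e['seq']}: log chain broken")
        if not os.path.exists(e["path"]):
            problems.append(f"entry {e['seq']}: {e['path']} missing")
        elif sha256_file(e["path"]) != e["sha256"]:
            problems.append(f"entry {e['seq']}: {e['path']} changed since acquisition")
        prev = e["entry_hash"]
    return problems


def demo():
    """Constructed scenario: two evidence items, then a forged log entry, then a modified file."""
    d = tempfile.mkdtemp(prefix="evidence-")
    auth = os.path.join(d, "auth.log")
    with open(auth, "w") as f:  # constructed log line; 203.0.113.9 is a documentation address
        f.write("2026-04-03T02:14:07Z sshd[2211]: Accepted password for svc_backup from 203.0.113.9\n")
    img = os.path.join(d, "web01-sda.img")
    with open(img, "wb") as f:  # stands in for a disk image produced by dd
        f.write(os.urandom(4096))

    log = []
    acquire(auth, "j.doe", "auth log from web01, collected before containment", log)
    acquire(img, "j.doe", "disk image of web01 taken before reimage", log)
    clean = verify(log)

    # Someone later "tidies" the note on entry 0: the chain no longer validates.
    forged = json.loads(json.dumps(log))
    forged[0]["note"] = "routine maintenance log"
    forged_problems = verify(forged)

    # The evidence file itself is appended to after acquisition: the stored hash no longer matches.
    with open(auth, "a") as f:
        f.write("tampered\n")
    changed_problems = verify(log)
    return clean, forged_problems, changed_problems


if __name__ == "__main__":
    for label, result in zip(("clean", "forged log", "changed file"), demo()):
        print(f"{label}: {result or 'ok'}")
```

In practice the log would be written to append-only or off-host storage (and the entry hashes periodically signed or timestamped) so that the chain's anchor is outside the attacker's reach; the chaining only proves that nothing was altered after the point at which you trust the log.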

Post-incident:
- Root cause report
- Remediation steps completed with dates
- Compliance monitor reports (if required under a resolution agreement)
- Lessons learned documentation for future prevention

Reducing Penalties: Factors Regulators Consider

HHS OCR (under the HITECH Act's culpability tiers, from lack of knowledge through willful neglect) and GDPR supervisory authorities (under the Article 83(2) criteria) weigh similar factors when setting penalty severity:

Factors that reduce penalties:
- Prompt self-reporting (before regulators discover through other means)
- Rapid containment and remediation
- No prior violations or enforcement actions
- Cooperation throughout the investigation
- Existing compliance program before the breach
- Low harm to affected individuals (breach was quickly contained, data misuse limited)

Factors that increase penalties:
- Delayed reporting
- Evidence of willful neglect
- Prior violations for similar issues
- Large number of individuals affected
- Sensitive data categories (health data, financial data, children's data)
- Failure to implement basic security measures (no encryption, no access controls)
- Inadequate security despite known risks

Practical implication: Organizations that invest in compliance programs before a breach — and can demonstrate this to regulators — consistently receive better outcomes. A documented risk analysis, training records, and an inventory of business associate agreements (BAAs) demonstrate good faith.

Build Your Breach Response Readiness

ComplianceStack's policy generator includes breach response plan templates for HIPAA, GDPR, and state notification laws.

Generate Your Breach Response Plan →
