Category: Incident Response
Applies to: IR Teams, Legal, Compliance, Management
Last reviewed: 2025

Overview

This playbook covers response to confirmed or suspected unauthorized access to sensitive data. Data breach incidents have legal, regulatory, and reputational consequences. Involve legal and compliance teams early. Actions must be documented carefully for regulatory notification decisions.

Phase 1 — Detection & Initial Assessment

Goal: Confirm whether a data breach has occurred and what data may be affected.

  • ☐ Identify the trigger: DLP alert, SIEM detection, third-party notification, user report
  • ☐ Determine what systems or data stores were potentially accessed
  • ☐ Classify the data type potentially involved:
  • PII (names, emails, addresses, dates of birth)
  • Financial data (card numbers, bank details)
  • Health data (PHI under HIPAA)
  • Authentication data (passwords, tokens, API keys)
  • Intellectual property / confidential business data
  • ☐ Confirm whether access was unauthorized (vs. misconfiguration or internal)
  • ☐ Establish timeline: when did the exposure begin? When was it discovered?
  • ☐ Immediately notify: IR Lead, Legal, Compliance/DPO, Management
  • ☐ Open a confidential incident record — treat all communications as privileged

Phase 2 — Containment

Goal: Stop ongoing access and prevent further data exposure.

  • ☐ Revoke or rotate exposed credentials, API keys, and access tokens immediately
  • ☐ Disable compromised accounts
  • ☐ Block attacker IP addresses and C2 indicators at network perimeter
  • ☐ Remove exposed data from public access if caused by misconfiguration
  • ☐ Isolate affected systems if active compromise is confirmed
  • ☐ Preserve logs and evidence before any remediation that could overwrite them
  • ☐ Disable or restrict the specific access path used (API, storage bucket, service account)
  • ☐ Notify cloud provider / SaaS vendor if their platform is involved

Phase 3 — Scope & Impact Analysis

Goal: Determine exactly what data was accessed and by whom.

  • ☐ Review access logs for the affected data store (database, S3 bucket, file share, API)
  • ☐ Identify all records, tables, or files that were accessed or exfiltrated
  • ☐ Estimate number of individuals affected
  • ☐ Determine attacker identity if possible (external threat actor, insider, accidental)
  • ☐ Review data classification — was the accessed data encrypted at rest?
  • ☐ Check for data exfiltration indicators: large downloads, API bulk queries, email forwarding
  • ☐ Map affected individuals to jurisdiction (GDPR, CCPA, HIPAA, etc.)
  • ☐ Document all findings with evidence — this feeds the regulatory notification decision

Phase 4 — Legal & Regulatory Notification Assessment

Goal: Determine notification obligations and meet deadlines.

  • ☐ Brief Legal and DPO/Compliance with full scope findings
  • ☐ Assess notification requirements by jurisdiction:
  • GDPR: 72 hours to supervisory authority if risk to individuals
  • HIPAA: 60 days to HHS; media notification for breaches >500 in a state
  • CCPA / US State laws: Varies by state — consult Legal
  • ☐ Determine if affected individuals must be notified
  • ☐ Draft regulatory notification with Legal review
  • ☐ Prepare individual notification letters (plain language, what happened, what to do)
  • ☐ Document the decision not to notify if that is the conclusion (with rationale)

Phase 5 — Eradication & Recovery

  • ☐ Patch or remediate the vulnerability or misconfiguration that enabled access
  • ☐ Re-audit access controls on all sensitive data stores
  • ☐ Rotate all secrets and credentials in affected systems
  • ☐ Enable enhanced monitoring and alerting on affected systems
  • ☐ Verify no backdoors or persistence left by attacker

Phase 6 — Post-Incident Review

  • ☐ Full incident timeline: initial exposure → detection → containment → notification
  • ☐ Root cause analysis: how was the data exposed?
  • ☐ Review data classification and access control policies
  • ☐ Identify gaps in DLP, CASB, or monitoring coverage
  • ☐ Update data handling procedures and security controls
  • ☐ Conduct lessons-learned session with all stakeholders
  • ☐ Submit final report to management and legal

Notification Timeline Reference

Regulation Authority Notification Individual Notification GDPR 72 hours Without undue delay if high risk HIPAA 60 days (HHS) 60 days CCPA N/A Expedient / reasonable time NIS2 (EU) 24h early warning, 72h full Case by case

⚠️ All breach-related communications should be treated as legally privileged and routed through Legal counsel. Do not share breach details externally without Legal approval.