As innovation in information technology continues to evolve, that means online criminals can also get more sophisticated with their attacks, and the number of cybersecurity incidents such as data breaches will keep going up.

Your organization’s state of preparedness for data breaches — how to prevent them, and how to respond to them — can mean the difference between maintaining a good business reputation and losing it. Your preparedness can also dictate the extent of the damage you take during a data breach and your ability to recover from one.

An organization can implement many information security controls to prevent and respond to a data breach. The tricky problem is that many data breaches go undetected for an extended period of time. A 2018 IBM study found that, on average, the time it takes to detect a data breach is 197 days. (Even worse is when a news report or notification from law enforcement is what brings a data breach to the company’s attention.) 

The bottom line: the longer it takes to stop a data breach, the worse the damage to your business and reputation. 

To help you respond effectively to a data breach, and to limit the effect of its damage to your business, we’ve compiled a list of advice on building a data breach incident response policy as well as this helpful template to help you get started.

What is a data breach incident response policy?

An incident response plan is one type of information security control that your organization can use to detect, stop, and recover from a cybersecurity incident. With a tried and tested incident response plan, your organization can assure that its methods are as effective as possible at finding and reducing external threats to your data.

Your data breach response plan not only specifies your methods of eliminating data security threats; it also details who will carry out these actions. This is your incident response team. 

The response team members should either have data protection and security training, or be an outsourced security team. Either way, they’ll need to be capable of gathering breach data, analyzing it, and implementing the mitigation tactics that eliminate the threat. They will also need to carry out public relations damage control procedures, which include notifying outside parties such as law enforcement and legal counsel, as well as the affected individuals.

What are the key considerations for writing an incident response plan?

Your incident response plan should cover the following main points:

Stakeholder support

It’s imperative that you obtain senior management and stakeholder support for your incident response plan. They must understand the risks the organization is facing and the potential damage that can occur if systems are left as is. They also need to give the OK to recruit a capable staff for the response team. This may involve your CTO, CIO, head of Human Resources, and other relevant parties.

An inventory of sensitive data

Before planning your data breach response policy, it’s important to understand what sensitive information your company handles and who your affected individuals are. This will help in determining the appropriate response protocols and notification rules when unauthorized access happens.

Sensitive data that falls under the umbrella of data privacy includes, but isn’t limited to:

  • Financial information, such as credit card numbers and account information.
  • Personally identifiable information (PII) such as Social Security numbers and contact information like phone numbers and addresses.
  • Private health information (PHI) such as diagnoses, treatments, and patient records. 

Clear communication channels

Communication is key during a security incident. Your plan should specify the responsible parties, the chain of command, affected parties, and of course your communication channels for breach notification and updates. 

Simple, but effective

Your incident response plan should consist of detailed, actionable procedures, but leave enough flexibility in your plan so that it can be adapted to a variety of circumstances. Moreover, you should plan to improve and update your plan continuously as new insights are acquired. A good cadence to start is to update your plan every six months or so, unless your business model dictates something more frequent.


The best sign of an effective incident response plan is testing. Ethical hacking and similar penetration testing should be conducted to assess the effectiveness and timeliness of your incident response protocols.

How can I apply the SANS Institute’s six steps of incident response to data breaches?

The SANS Institute’s Incident Handlers Handbook identifies six steps that incident response teams should take to respond to and correct security incidents. Your data breach response plan should implement all of them.

1. Preparation

In this stage, you will analyze and solidify your security controls and notification requirements in the event of a data breach or similar cybersecurity incident. Prior to defining these controls, organizations should conduct a risk analysis and prioritize security risks by severity. Your team members should also undergo all the necessary training to be effective in their roles.

2. Identification

Your incident response team should be able to identify deviations in your information systems that indicate an actual or potential security incident, and distinguish those from normal deviations. When a true threat is identified, your team should note the evidence available, assign a severity, and document everything they do, so that the record can support the prosecution of offenders, serve as training for your team, and help prevent future incidents.
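As an added example (not code from the original article), the identification step expressed as detection logic: it parses constructed SSH authentication log lines, flags a source whose failed logins exceed an assumed baseline of normal deviation, raises the severity when a successful login follows the failures, and records timestamps and the raw evidence lines for the incident documentation. The sample log, the baseline value and the severity scheme are all constructed assumptions.

```python
import re
# Constructed sample SSH authentication log lines (an assumption, not data from the article).
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[101]: Failed password for alice from 10.0.0.5
2024-05-01T09:00:05 sshd[102]: Accepted password for alice from 10.0.0.5
2024-05-01T09:01:02 sshd[104]: Failed password for root from 203.0.113.7
2024-05-01T09:01:03 sshd[105]: Failed password for admin from 203.0.113.7
2024-05-01T09:01:04 sshd[106]: Failed password for root from 203.0.113.7
2024-05-01T09:01:05 sshd[107]: Failed password for test from 203.0.113.7
2024-05-01T09:01:06 sshd[108]: Failed password for oracle from 203.0.113.7
2024-05-01T09:01:07 sshd[109]: Accepted password for root from 203.0.113.7
"""
LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")
# Assumed baseline of "normal deviation": a single source rarely fails more than twice a day.
BASELINE_FAILURES_PER_SOURCE = 2

def parse(log_text):
    # Turn raw lines into event dicts, keeping the raw line as evidence; skip unparseable lines.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append({"ts": ts, "outcome": outcome, "user": user, "src": src, "raw": line})
    return events

def assign_severity(failures, followed_by_success):
    # Constructed scheme: within baseline -> no finding; burst -> medium; burst then success -> high.
    if failures <= BASELINE_FAILURES_PER_SOURCE:
        return None
    return "high" if followed_by_success else "medium"

def identify_incidents(log_text):
    # Group events by source, compare against the baseline and attach the evidence to each finding.
    by_src = {}
    for e in parse(log_text):
        by_src.setdefault(e["src"], []).append(e)
    findings = []
    for src, evs in by_src.items():
        failures = sum(1 for e in evs if e["outcome"] == "Failed")
        last_fail = max((i for i, e in enumerate(evs) if e["outcome"] == "Failed"), default=-1)
        success_after = any(e["outcome"] == "Accepted" for e in evs[last_fail + 1:])
        sev = assign_severity(failures, success_after)
        if sev:
            findings.append({"source": src, "severity": sev, "failed_attempts": failures,
                             "distinct_users": sorted({e["user"] for e in evs if e["outcome"] == "Failed"}),
                             "first_seen": evs[0]["ts"], "last_seen": evs[-1]["ts"], "evidence": [e["raw"] for e in evs]})
    return findings
```

Each finding is a self-contained record: severity, the sources and accounts involved, the time window, and the exact log lines that justify it.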

3. Containment

After a security incident is identified, the next step is containing it and preventing further damage. There should be both short-term and long-term containment procedures. Short-term containment examples include isolating a compromised network and rerouting traffic to a backup server. Long-term examples include rebuilding those infected systems and preparing them to be reintroduced to a production environment.

4. Eradication

Your incident response team next must remove the threat to assure that it can do no further damage. This will involve identifying any malware files, analyzing them for lessons that can be learned from the incident, and then, of course, removing them from the system.

5. Recovery

Carefully consider the timeframe for your team to reintroduce a previously infected system or server. The team must be confident that the threat has been eliminated. This will involve testing and verifying system health, plus a period of monitoring to assure normal operation resumes unharmed.

6. Lessons Learned

One of the most important aspects of this process is your post-mortem review. This phase should take place no later than two weeks after an incident was resolved so it’s fresh in everyone’s mind. This process will allow you to improve documentation, adjust security protocols, and adapt your incident response procedures to better manage similar situations in the future. 

Support for Building a Security Breach Response Plan

To get started, the compliance experts at Reciprocity have come up with this helpful data breach response policy template to help you outline your own response policy, but ultimately the scope of your policy will depend on the nature of your business, the information systems you use, and the federal and state laws you must comply with.

Businesses must often adhere to, and provide documentation for, multiple compliance standards. This can quickly become unmanageable and overwhelming, particularly when you’re simultaneously developing the preventative systems that will protect you against security incidents. ZenGRC can help!

ZenGRC is a governance, risk management, and compliance platform that enables businesses to automate the self-auditing process necessary to document security controls and prepare for formal compliance audits. 

Zen’s easy-to-use dashboard provides an integrated view of your compliance stance across multiple frameworks, such as HIPAA, NIST, SOX, or GDPR. It shows you where gaps exist in your documentation and processes, and how to fill them. 

Worry-free compliance and incident response planning is the Zen way! Learn how ZenGRC can help you ease the burden of incident response planning by booking a demo today. Plus, don’t forget to download our handy incident response template here.