
What Should You Do Within the First 24 Hours of a Data Breach?
Key Takeaways
- The first hour of a data breach is decisive: your team must verify the incident and isolate affected systems before locking down accounts before the attacker deepens their foothold.
- Never reset credentials on a device you suspect is still infected with infostealer malware; doing so hands the attacker the new password. Clean the device first.
- Forensic evidence is fragile. Capture logs and disk images before you begin any remediation or you may destroy the trail regulators and insurers will rely on.
- US organizations face a web of overlapping notification obligations including CIRCIA, SEC, HIPAA, PCI DSS and state breach laws, some with deadlines as short as 24 hours.
- Avoid the costliest mistakes including: wiping systems prematurely, delaying notifications, communicating over potentially compromised channels and going public before confirming the facts.
- A managed detection and response (MDR) partner with an established retainer can dramatically compress the time between discovery and containment.
Your security operations center just flagged an alert you can’t dismiss. Encrypted traffic is moving to an unfamiliar external IP or a ransom note appeared on a file server. You don’t know the full scope yet, but you know this is real.
What you do in the next 24 hours will determine whether this becomes a manageable incident or a category-five crisis.
This article gives IT leaders a time-boxed playbook for the first 24 hours of a data breach. You’ll learn what to do and why the sequence matters. It also maps the U.S. and international notification requirements that start counting down the moment you confirm an incident and it covers the mistakes that turn a bad situation into something much worse.
What Is a Data Breach?
A data breach occurs when an unauthorized party accesses or exposes sensitive information your organization is responsible for protecting. That definition spans a wide range of events, including:
- A ransomware actor exfiltrating customer records
- An employee emailing a spreadsheet of Social Security numbers to the wrong address
- A misconfigured cloud storage bucket exposing health data to the public internet
Not every breach involves a sophisticated attacker. Some of the most consequential incidents in recent years have stemmed from unpatched vulnerabilities or weak credentials.
Data Breach vs. Security Incident: Know the Difference
Every data breach is a security incident, but not every security incident is a data breach. A distributed denial-of-service (DDoS) attack that takes your website offline or a malware infection that is contained before data is accessed, is an incident without necessarily being a breach.
The distinction matters for two reasons. First, regulatory notification obligations are generally triggered by confirmed or suspected unauthorized access to personal data, not by every security event. Second, the response playbook differs: a breach demands immediate evidence preservation and legal engagement that a pure availability incident doesn’t require to the same degree.
When you’re mid-incident and uncertain, treat it as a breach until forensics establishes otherwise. The cost of over-responding to a non-breach is manageable. The cost of under-responding to an actual breach is not.
Why Do the First 24 Hours After a Data Breach Matter So Much?
Attackers move fast. In many ransomware cases, threat actors have been inside a network for weeks before detonating their payload, but once discovery happens, the clock shifts in your favor only if you act decisively. Every minute of uncontrolled access means more data exfiltrated and greater leverage handed to the attacker.
Your reporting obligations begin almost immediately. The Cyber Incident Reporting for Critical Infrastructure (CIRCIA) has a 72-hour reporting window that begins when the incident is reasonably believed to have occurred. The SEC’s materiality determination process starts the moment your executives are aware. State breach notification statutes in California, New York and dozens of other states often clock from discovery, not from confirmation. Delay costs you time you don’t have.
Forensic evidence degrades rapidly. Volatile memory and overwritten logs vanish within hours. If your team begins remediation before capturing forensic images, you may destroy the only evidence that tells you what data was taken and how the attacker moved through the environment. That gap will hurt you in regulatory inquiries and any litigation that follows.
What to Do in the First 24 Hours After a Data Breach: A Step-by-Step Checklist
The checklist below is organized into three time windows. Treat the windows as guardrails, not rigid gates; some actions will overlap and some will depend on your specific environment. The sequence matters more than the exact timing.
Time-sensitive response overview:
| Time Window | Priority | Key Actions |
|---|---|---|
| Hour 0 to 1 | Confirm and Contain |
|
| Hour 1 to 6 | Preserve and Assemble |
|
| Hour 6 to 24 | Notify and Communicate |
|
Hour 0 to 1: Confirm and Contain
The first task is verification. A single alert or a panicked call from an employee isn’t confirmation of a breach. Pull the corroborating evidence, including: SIEM logs, endpoint detection alerts, firewall traffic and authentication records. Confirm you’re dealing with unauthorized access, not a false positive or misconfiguration.
Verify then isolate. Remove the affected systems from the network, but don’t power them off. Shutting down a compromised machine destroys volatile memory containing active processes and potentially the encryption keys needed to recover data. Isolate through network segmentation or by pulling the network cable, not the power cord.
Lock down accounts and access paths. Disable compromised credentials and suspend VPN access for affected users. Here is the critical nuance: if you suspect the device was compromised by infostealer malware, resetting the password on that still-infected device hands the attacker the new credential the moment it’s typed. Clean the device before resetting credentials.
Hour 1 to 6: Preserve Evidence and Assemble the Team
Before anyone begins remediation, capture forensic images of affected systems and pull every relevant log you can reach. This process should include endpoint and authentication logs, network flow data, cloud audit trails and any SIEM correlation rules that fired. Document timestamps and chain-of-custody information. If your team doesn’t have forensic imaging capability in-house, this is the moment to call your retained incident response team.
Also activate your internal stakeholders, which may include:
- Chief Information Security Officer (CISO)
- Senior IT lead
- Legal counsel
- Cyber insurance carrier’s breach response line
- Relevant department heads.
If you don’t have an incident response retainer in place, your insurer may be able to connect you with a reliable vendor. Red River’s MDR and incident response services are designed to quickly add value in these instances.
Begin scoping the incident. By now, you should be asking:
- Which systems are affected and what data did they contain?
- Is there evidence of exfiltration or is this a ransomware encryption event without confirmed data theft?
- What user accounts were active during the window?
- How did the attacker get in and how long have they had access?
- Have backups been touched or compromised?
- Are any third-party vendors or partners affected?
The answers to these questions determine the scope of your notification obligations and set the boundaries of your forensic investigation. Document what you know or suspect and flag what still needs confirmation. That record becomes the foundation for the next phase: engaging legal counsel and starting your regulatory clocks.
Hour 6 to 24: Engage Legal, Notify Leadership and Start the Reporting Clocks
By hour six you should have a preliminary scope assessment and a legal team briefed on what you know. Legal counsel should map your notification obligations across every applicable framework. That means federal and state rules for every jurisdiction affected, plus any contractual notification clauses in your customer or partner agreements.
Brief your executive leadership. Your CEO, general counsel and board (if public) need a factual summary of what’s known, what’s unknown and what actions are underway. Don’t speculate about attribution or scope until forensics supports it. Have your communications team draft holding statements for internal staff and, if necessary, external stakeholders, but don’t release anything that isn’t verified.
Next, start all the necessary regulatory clocks. File or prepare the required filings within 72 hours. Document when the clock started and any other information about the breach. Regulators consistently treat timely, good-faith notifications more favorably than delayed notification with a complete picture.
What Are the Data Breach Notification Requirements and Deadlines (US and Beyond)?
U.S. organizations face a complex grid of overlapping notification obligations. The table below covers the primary frameworks companies should generally follow. Deadlines and applicability thresholds may change, so verify your current requirements with legal counsel before filing.
| Rule | Applies To | Deadline |
|---|---|---|
| GDPR | EU personal data of any resident, regardless of where the company is headquartered | 72 hours to the supervisory authority after becoming aware of the breach |
| CIRCIA | US covered critical-infrastructure entities (as defined by CISA sector designations) | 72 hours for a covered cyber incident; 24 hours for a ransom payment. Verify current final rule status with CISA before publishing. |
| SEC | US public companies subject to SEC reporting requirements | Material incident disclosed on Form 8-K within approximately 4 business days of determining materiality |
| HIPAA | US covered entities and business associates handling protected health information | Without unreasonable delay, no later than 60 days to affected individuals; annual report to HHS if fewer than 500 affected |
| PCI DSS | Any entity that stores, processes or transmits cardholder data | Notify your acquiring bank and the relevant card brands promptly; timelines are contract-driven |
| U.S. State Laws | Residents’ personal data; 50 states plus DC, Puerto Rico and Guam each have statutes | Varies by state; many require notification without unreasonable delay or within 30 to 72 hours of discovery |
On the state side, all 50 states plus DC, Puerto Rico, Guam and the US Virgin Islands now have breach notification statutes. California’s SB 446, which took effect January 1, 2026, now requires notification to affected residents within 30 days of discovery — among the strictest deadlines in the country. New York’s SHIELD Act was amended in December 2024 and now carries the same 30-day deadline from discovery. Your legal team will need to map the breach to applicable state laws based on where your customers and employees reside.
CIRCIA, administered by the Cybersecurity and Infrastructure Security Agency (CISA), applies to covered critical-infrastructure entities across 16 designated sectors including defense, energy, healthcare, financial services and transportation. If your organization operates in one of these sectors, your 72-hour clock starts when you have reasonable belief a covered cyber incident occurred. Verify the final rule’s current scope with CISA directly.
For SEC-reporting companies, the 4-business-day filing window begins from your materiality determination, not from discovery. Materiality means the incident is significant enough that a reasonable investor would consider it important. Regulators have made clear they expect that determination to happen promptly and in good faith. The SEC has already penalized companies for dragging it out.
What Mistakes Make Data Breaches Worse?

The breach itself is the first crisis, but how the organization responds often creates a second problem further compounding the issue.
Here are five mistakes that consistently make breaches worse.
1. Wiping Systems Before Forensic Capture
The instinct to immediately clean infected systems is understandable, but it destroys evidence. Forensic analysis of compromised endpoints tells you how the attacker got in, how long they were there, what they accessed and where they moved. Without it, you can’t scope the breach accurately or prevent the same attack vector from being used again.
2. Resetting Credentials on an Infected Device
Some malware was specifically designed to capture credentials as they’re entered. If a keylogger or credential-harvesting tool is still active on a device, resetting the password hands the attacker the replacement. Clean the device, confirm it’s clear, then reset credentials from a clear system.
3. Communicating Over Potentially Compromised Channels
If an attacker has access to your email system, they may be reading your incident response communications in real-time. Establish an out-of-band channel in the first hour: a separate messaging platform, personal email addresses or phone calls for sensitive coordination. Don’t discuss attacker TTPs (tactics, techniques and procedures), negotiation strategy or legal exposure over channels you can’t verify as clean.
4. Delaying Notification to Wait for Complete Information
Regulators understand that breach investigations take time. What they don’t accept is using that as justification for delaying notification. Most frameworks allow you to notify with the information you have and supplement it later. Filing a timely notification that says there’s an ongoing investigation is perceived as far better than a late notification with a more complete picture of what happened.
5. Going Public with Unverified Details
Preliminary scope assessments are frequently wrong. The initial impression is often that fewer systems or records are affected than the full investigation reveals. If you communicate publicly with numbers that turn out to be understated, you’ve created a second news cycle and potential regulatory exposure. Communicate what you know with appropriate qualification and resist pressure to provide specifics you can’t yet verify.
How Do You Stop a Data Breach from Spreading?
Containment should be a parallel track running in tandem with the investigation. While forensics teams are busy capturing evidence, operations and security staff should execute network segmentation to restrict lateral movement. Be sure to disable any accounts the attacker might use, revoke active tokens and certificates associated with the compromised systems and block any compromised IP addresses at the firewall and endpoint level.
Aggressively monitor the network during and after containment. Attackers frequently have more access points than the one that was detected first. You may close the door they came through while they’re still inside through a second entry point, which lends itself to a false sense of security. Your MDR platform or security operations center should run elevated monitoring across all network segments, not just the ones confirmed affected by the breach.
Also, restore from verified clean backups only after confirming they’re uncompromised. Ransomware operators frequently target backup infrastructure specifically to eliminate your recovery options.
What Should Organizations Remember After a Data Breach?
The first 24 hours of a data breach won’t solve the problem, but you can limit the damage and lay the foundation that investigators and insurers will rely on in the weeks that follow.
The organizations that handle breaches well aren’t necessarily the ones with the most sophisticated environments. They’re the ones that planned and prepared for this scenario before it happened.
Red River’s incident response and MDR services are built to support IT leaders at exactly this moment with rapid containment, forensic-grade evidence preservation, regulatory guidance and sustained monitoring throughout the recovery phase. If your team is mid-incident or wants to build a retainer relationship before one occurs, contact us to learn more about how we support organizations from initial alert through full remediation.
Frequently Asked Questions
written by
Corrin Jones
Corrin Jones is the Director of Digital Demand Generation. With over ten years of experience, she specializes in creating content and executing campaigns to drive growth and revenue. Connect with Corrin on LinkedIn.
