Data Privacy
A data incident is the wrong time to figure out your response process. The decisions that need to be made quickly — who to notify, what to preserve, whether to involve law enforcement — require clear thinking that pressure destroys. The businesses that handle incidents well are the ones that worked through these questions before they needed the answers.
The first hour
Contain before you investigate. If a system or account is compromised, the first priority is stopping the bleeding: revoking access, rotating credentials, isolating affected systems. Choose containment actions that do not destroy evidence: isolate a host at the network level rather than powering it off or reimaging it, and take a disk (and, where possible, memory) snapshot before you rebuild it. Revoke active sessions and API tokens as well as passwords, since changing a password does not necessarily invalidate sessions that already exist. Document everything you do, with timestamps, in real time. You will need this record later.
Who needs to know
Three categories: internal (your team, leadership), external (affected customers, vendors), and regulatory (if applicable to your jurisdiction and the nature of the data). The order matters: internal first, then external, then regulatory. In some jurisdictions, though, regulatory notification has a deadline that compresses this sequence; under the GDPR, for example, a personal-data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, where feasible. Know your obligations before you need them, and consult an attorney for your specific situation.
What to preserve
Do not delete or alter anything before documenting it. Logs, error messages, access records, communications: preserve everything related to the incident before making changes to the affected systems, and capture volatile data (running processes, network connections, memory) before a host is powered off or reimaged. Copy evidence to storage the attacker cannot reach, and record a cryptographic hash of each item at collection time so that a later review can show it was not changed. This is both for your own investigation and for any external review that might follow.
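One way to make preserved evidence tamper-evident, as an added example that is not part of the original page: copy each artifact into an evidence directory, write a manifest recording its SHA-256, size and collection time, and re-hash later to detect any change. The file names, log lines and the "on-call engineer" collector name below are constructed for the demonstration.

```python
"""Evidence preservation with a SHA-256 manifest (added example).

preserve() copies artifacts into an evidence directory and records their
hashes; verify() re-hashes the stored copies and reports anything that no
longer matches, so later edits (accidental or not) are detectable.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir and write manifest.json beside them."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the original mtime, useful for timelines
        entries.append({
            "source": os.path.abspath(src),
            "stored_as": os.path.basename(src),
            "size": os.path.getsize(dst),
            "sha256": sha256_file(dst),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"entries": entries}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Return the stored names whose current hash differs from the manifest (or are missing)."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    tampered = []
    for e in manifest["entries"]:
        path = os.path.join(evidence_dir, e["stored_as"])
        if not os.path.exists(path) or sha256_file(path) != e["sha256"]:
            tampered.append(e["stored_as"])
    return tampered


def demo():
    """Constructed sample: two log files are preserved, then one stored copy is edited."""
    work = tempfile.mkdtemp()
    auth_log = os.path.join(work, "auth.log")
    app_log = os.path.join(work, "app.log")
    with open(auth_log, "w") as f:  # constructed log line, 203.0.113.0/24 is a documentation range
        f.write("Jun 01 02:13:44 host sshd[4182]: Accepted password for deploy "
                "from 203.0.113.7 port 51022 ssh2\n")
    with open(app_log, "w") as f:   # constructed log line
        f.write("2024-06-01T02:14:01Z ERROR export job: 48213 rows written to /tmp/out.csv\n")

    evidence = os.path.join(work, "evidence")
    manifest = preserve([auth_log, app_log], evidence, collector="on-call engineer")
    clean = verify(evidence)          # nothing has changed yet
    with open(os.path.join(evidence, "app.log"), "a") as f:
        f.write("edited\n")           # simulate a later accidental modification
    changed = verify(evidence)        # app.log no longer matches its recorded hash
    return len(manifest["entries"]), clean, changed


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its own copy: write the evidence directory to a volume the compromised host cannot modify, and keep a second copy of the manifest (or just the hashes) somewhere else. Two sources with the same base name would collide in this simple version; a production script should key stored copies by full path or sequence number.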
After the incident
A post-incident review is not optional. Within a week of resolution, document what happened, how it was detected, how it was contained, and what would have prevented it. The review is not a blame exercise — it is how you avoid the same incident twice.