Data Breach Incident Response in 2024: 5-Step Methodology

Organizations that have an incident response strategy detect data breaches 54 days faster than those without.¹

Building a data breach incident response team and plan can help organizations maintain strong network visibility, enabling them to identify breaches and insider threats quickly while preventing cybersecurity risks that may cause security incidents. 

IT teams and security leaders need to describe how an organization will respond in the case of a data breach. Thus, this article covers what data breach incident response is and how organizations can establish a proactive plan for limiting and managing the impact of a breach.

What is data breach incident response?

A data breach incident response (also known as cybersecurity incident response) refers to an organization’s procedures and technologies (e.g. incident response (IR) tools) for recognizing and reacting to security breaches. A detailed data breach incident response plan that leverages incident response automation may allow cybersecurity specialists to mitigate or prevent damage.

Why is data breach incident response important?

Network security statistics show that the average cost of a data breach in the U.S. was ~$9 million as of 2023, which creates a significant financial risk for organizations.²

The purpose of data breach incident response is to prevent attacks before they emerge while also minimizing the expense and commercial interruption caused by any intrusions that occur.

Organizations can establish incident response methods and technology in a formalized incident response plan (IRP) that outlines how most common cyber attack vectors should be managed. This can help their cybersecurity teams restore impacted systems more quickly, and lower the costs associated with these threats.

It was discovered that organizations with incident response teams and frequently evaluated incident response plans had an average data breach cost of ~$2.5 million less than those without incident response teams and IRPs.³

Figure: The data breach IR strategy saved 54 days in detecting and controlling a breach

Source: IBM⁴

Using a dual strategy of building an IR team and testing an IR plan resulted in a shorter time of 252 days to identify and control a data breach, rather than 306 days with neither approach, an impact of 54 days (or 19.4%).⁵

What are security incidents?

A security incident is any cyber or physical breach that jeopardizes the security, integrity, or accessibility of an organization’s information technology networks. Security incidents may originate from planned attacks by hackers, unauthorized users, or unintentional breaches of security rules by registered users.

Read more: Incident management.

A few of the most typical security events are:

• Ransomware
• Phishing or whaling (check: phishing vs whaling)
• Social engineering
• Insider threats
• DDoS attacks
• Supply chain attacks

Read more: Network security statistics by attack types, most common cyber attack vectors.

Some security incident examples are:

Example 1: breaches caused by human error

• Loss of personal data maintained by the University on an employee’s computer.
• Unintentionally releasing personal data to the wrong recipient (e.g., sending a message to the wrong person).

Example 2: breach caused by malicious activity

• Breaching into a company’s email accounts, software, or databases containing personal data.
• Scamming employees into publishing sensitive information, and unauthorized or fraudulent database use.

Example 3: breaches caused by unpredictable events

• Unexpected incidents (e.g. data breaches by subcontractors or cloud service providers that handle personal information on behalf of a company).

How does data breach incident response work?

Figure: Data breach incident response plan steps

A data breach incident response plan may be carried out in 5 phases. An organization can establish a computer security incident response team (CSIRT) consisting of interest groups from the organization, including the chief information officer (CIO), compliance manager, and IT employees, plus members from managerial positions, legal, HR, and governmental compliance to execute the 5 phases of the plan.

A data breach incident response plan typically covers:

• Security solutions (software, hardware, and other technologies) that will be implemented throughout the company.
• A business plan outlines steps for restoring important impacted systems and data in the case of an incident.
• A data breach incident response method that spells out the particular procedures that need to be performed at each stage of the incident response process, and by whom.
• Guidelines for reporting incidents and gathering information for post-examination (e.g. data compliance). 

Data breach incident response plan: 5-step methodology

Figure: Data breach incident response plan flowchart – part A

1. Phase 1: reporting

1.1 Steps to report a data breach

If any employee notices an incident or potential data breach, they need to report it immediately.

To report a potential incident,  employees should: 

a) Fill out the data breach report form in Schedule 1.

b) Send a copy to their area manager via email or in person. 

c) Ensure the incident is private excluding disclosures required by this plan. 

After receiving an incident report, the area manager needs to immediately:

a) Take steps to mitigate the breach, eliminate negative effects, and maintain evidence.

b) Notify the manager of compliance with the incident and provide a copy of the completed report.

c) Ensure the incident is private excluding for disclosures required by this plan.

1.2 Method for minimizing data breaches and reducing impact

The area manager may perform quick steps to control the breach and mitigate the impact, including requesting support from the appropriate departments or third-party vendors as needed.

If the data breach contains electronic records stored on an information and communications technology (ICT) system the area manager can:

a) Identify the source of the data breach.

b) Shut down the affected system, program, or database. 

c) Reset log-in credentials and passwords for infected devices, systems, or networks.

d) Isolate any IoT devices with vulnerabilities.

e) Implement the data breach incident response plan.

If the data breach includes the loss of a device or physical files the area manager can:

a) Disable the lost device remotely. 

b) Contact necessary authorities to search for the location of the loss (e.g. the airline authority if lost on a plane etc).

1.3 Keeping documentation of a data breach

The area manager needs to take adequate measures to protect and document evidence of a data breach, whether actual or suspected.

The area manager can:

a) Document an incident, take notes on respondents, record the incident time, and save any messages or emails received on the company’s record-keeping system. 

Figure: Data breach incident response plan flowchart – part B

2. Phase 2: investigation

2.1 Procedure for investigating reported data breaches

The compliance manager needs to examine any reported data breach as quickly as possible. After reviewing the Data Breach Report, the compliance manager should:

a) Notify the chief information officer.

b) Assess the area manager’s containment steps.

c) Conduct any necessary initial research to confirm the report and obtain further details.

3. Phase 3: assessment 

3.1 Procedure to escalate to the data breach incident response team

The chief information officer will review the initial findings and decide whether to establish the data breach incident response team and:

a) Decides whether the incident is a data breach, if not the incident will not be addressed to the response team. Instead, the chief information officer will direct the area or compliance manager, to take the necessary steps to close out the incident.

b) Identifies the incident as a data breach and predicts that substantial harm is at least.

c) Identifies a data breach and assesses the risk of substantial harm using the company’s risk matrix assessment system.  

Figure: Risk matrix assessment system

Source: McKinsey & Company⁶

3.2 Members of the data breach incident response team

The data breach incident response team consists of the following official members:

• Chief information officer (CIO)
• General Counsel 
• Compliance manager
• Associate director
• Risk services

Depending on the scope of the data breach, the CIO may add additional participants to the data breach incident response team or hire third-party vendors to help with management and investigation.

Table: Additional members of the data breach incident response team

3.3 Steps for assessing a data breach

If 3.1 b) is met, the CIO must immediately call a meeting of the data breach incident response team.

The data breach incident response team evaluates whether:

a) The data breach may cause substantial harm to impacted individuals.

b) There is a need for mandatory notice to the government officials and affected people. 

c) If not there is no need for mandatory notification, voluntary notification is preferable.

When doing the assessment, the following factors must be examined:

d) The form of personal information affected.

e) The context of the impacted information and the breach.

f) The source and scope of the breach.

g) The risk of individuals getting significant harm. 

4. Phase 4: notification

4.1 Notification

In phase 3, if the CIO identifies an eligible data breach, the affected company must notify the Department of State’s Privacy Office and the individuals impacted.

4.2 Steps for notifying the Department of State’s Privacy Office

The CIO or a member of the data breach incident response team should use the model letter to notify the Department of State’s Privacy Office (e.g. see a sample of notice for California⁸

Part A of the privacy office notification must include the company’s:

• Identity and contact details.
• A description of the potential data breach.
• The types of private data affected.
• Company’s suggestion to secure stolen credentials.

4.3 Steps to notify affected individuals

The data breach incident response team evaluates alternatives for alerting impacted individuals in the event of an eligible data breach. The CIO or an authorized team member must create a notification to affected persons.

To notify impacted persons, the communication must include the following: 

a) The date and time of the data breach.

b) The types of personal information implicated.

c) The company’s actions to mitigate harm from the breach. 

d) How individuals can secure themselves and how the company can help (if applicable).

e) Contact information of the company, including phone numbers, email addresses, and websites.

5. Phase 5: review

5.1 Steps for conducting a post-breach review

After addressing the immediate implications of a data breach, the CIO conducts a post-breach analysis and assessment.

To conduct the review, the CIO should seek unofficial feedback from the data breach incident response team and other business units as needed. They should also conduct any required investigations, identify if any data managing or security procedures were invested in the breach, and then take the appropriate responses.

The following are some examples of steps that could be taken in specific scenarios:

Example 1: If an employee committed a data breach the affected company can:

• Provide any one-time or monthly staff reminders to prevent the data breach from recurring.
• Provide personnel with increased oversight to prevent future data breaches.
• Increase network audits or IoT monitoring to avoid data breaches from occurring again.
• Modify network security policy management rules to prevent recurrent data breaches. 
• Implement new controls and limitations on role-based access control (RBAC) and mandatory access control.

Read more: Network security policy management solutions (NSPM).

Example 2: If a third party caused the data breach, the affected company can:

• Improve its IT security measures.
• Implement additional security measures to secure personal data (e.g. data encryption).
• Provide staff or contractors with instructions to prevent future breaches.

Read more: Third-party cyber risk management.

Data breach incident response technologies

Some of the most frequently used data breach incident response technologies are:

• SIEM (security information and event management): SIEM collects and analyzes security incident data from various internal security technologies (such as firewalls, vulnerability scanning tools, and cyber threat intelligence (CTI) streams) and other network components. SIEM can assist incident response teams by detecting indicators of risks from the massive volume of notifications generated by these systems.

• SOAR (security orchestration, incident response automation, and response): SOAR allows security specialists to design structured incident management workflows that synchronize various safety measures and tools in reaction to security incidents—and automate parts of these workflows.

• Endpoint detection and response EDR tools: EDR continuously protects an organization’s endpoint devices and IT resources against security threats that bypass traditional endpoint security technologies. EDR continuously gathers information from all network devices; it scans the data in real-time for signs of recognized or suspected cyber threats.

• XDR (extended detection and response): XDR combines security tools, sensors, and data analytics from across an integrated IT ecosystem (endpoints, networks, both public and private clouds) to develop a centralized company system for threat mitigation. 

• UEBA (user and entity behavior analytics): UEBA employs behavioral modeling, machine learning (ML) algorithms, and incident response automation to detect anomalous and potentially harmful user and device activity. UEBA is effective in detecting insider threats, which are malicious insiders or intruders who employ stolen insider credentials and may bypass other security technologies by mimicking permitted network activity. UEBA is commonly found in SIEM, EDR, and XDR solutions.

• ASM (attack surface management): ASM solutions automate the continuous detection, assessment, and monitoring of vulnerabilities and attack vectors spanning all assets in an organization’s attack surface. ASM can discover previously neglected network assets and map connections among assets.

For guidance on choosing the right tool or service, check out our data-driven lists of incident response tools.

Further reading

• Top 10 Microsegmentation Tools
• Intrusion Prevention: How does it work? & 3 Methods
• Role-based access control (RBAC)  
• Network Segmentation: 6 Benefits & 8 Best Practices
• 80+ Network Security Statistics
• Network Security Policy Management Solutions (NSPM)
• Cybersecurity Risk Management

AIMultiple can assist your organization in finding the right vendor. 

External links

• 1. ”Cost of a Data Breach Report 2023“. (PDF). IBM. July 2023. Retrieved March 18, 2024.
• 2. ”Average cost of a data breach in the United States from 2006 to 2023″. Statista. January 26, 2024. Retrieved March 19, 2024.
• 3. ”Cost of a Data Breach Report 2023“. (PDF). IBM. July 2023. Retrieved March 19, 2024.
• 4. ”Cost of a Data Breach Report 2023“. (PDF). IBM. July 2023. Retrieved March 19, 2024.
• 5. ”Cost of a Data Breach Report 2023“. (PDF). IBM. July 2023. Retrieved March 19, 2024.
• 6. ”Cyber risk measurement and the holistic cybersecurity approach“. (PDF). McKinsey & Company. November 19, 2018. Retrieved March 18, 2024.
• 7. ”DATA BREACH RESPONSE PLAN“. (PDF). University of Adelaide. July 2023. Retrieved March 18, 2024.
• 8. ”Submitted Breach Notification Sample“. (PDF). State of California Department of Justice. June 8, 2017. Retrieved March 18, 2024.