Data Breach Response Procedure template
A data breach response procedure is the written sequence your team follows when personal information is lost, stolen, sent to the wrong person, or accessed without authorization — who to tell first, how to contain the damage, how to assess what was exposed and about whom, and how to work out which notification laws apply. It is the difference between a response and a scramble.
The US has no single breach notification law. Every state — plus the District of Columbia and US territories — has its own, and they differ on what counts as personal information, who gets notified, and how quickly. The one thing they share is that the clock generally starts at discovery, which is why the roles, the reporting channel, and the assessment steps in this procedure are decided in advance — you cannot design a response during a live incident.
This template follows the shape of the FTC's data breach response guidance — secure, fix, notify — and gives you the full procedure: what counts as a breach, immediate containment, the scope and risk assessment, the state-by-state notification check, telling the people affected, and the breach log that evidences it all.
Full text, ready to adapt.
Highlighted fields are placeholders — replace them with your organisation's specifics. A starting point, not legal advice.
Data Breach Response Procedure
SOP · Data & Privacy
1. Purpose and scope
This procedure sets out how {{org.name}} responds to actual or suspected breaches of personal information. It applies to all staff, all systems, and all personal information we hold — about customers, staff, or anyone else — in any format.
2. What counts as a data breach
- An email, letter, or attachment containing personal information sent to the wrong recipient.
- A lost or stolen laptop, phone, USB drive, or paper file.
- A phishing compromise, ransomware infection, or other unauthorized access to systems holding personal information.
- Staff accessing records they have no work reason to see.
- A vendor or service provider telling us their systems holding our data were compromised.
- If in doubt, report it — the assessment below decides whether it matters, not the person who spotted it.
3. Roles and responsibilities
- Breach lead ([name/role], deputy [name/role]): runs the response, owns the breach log, and makes notification decisions with [senior role] and counsel.
- IT support ([name/provider]): contains technical incidents and preserves evidence.
- Legal counsel ([firm/contact]): advises on which state laws apply and reviews notification content before anything is sent.
- All staff: report suspected breaches immediately by [phone number/channel]. Honest mistakes reported promptly are never treated as misconduct; concealment is.
4. Immediate actions: report and contain
- 1Report the suspected breach to the breach lead at once by [phone/channel] — including evenings and weekends. Do not wait for the next business day.
- 2Record the date and time of discovery precisely — notification clocks in most state laws run from around this point, and the record will be examined.
- 3Contain the breach: recall the email, remote-wipe the device, disable compromised accounts and change passwords, isolate affected systems, or retrieve the papers — whichever applies. Take affected equipment offline, but do not turn machines off until forensic advice says so.
- 4Preserve evidence. Do not delete emails, logs, or files connected to the incident.
- 5Notify your cyber insurer [policy/contact] before engaging outside help — many policies have their own notice conditions and approved forensic and legal vendors.
- 6Ask any unintended recipient to delete the information and confirm in writing that they have.
5. Assess the scope and the risk
- 1Establish the facts: what happened, which systems and records were involved, and whether the exposure is ongoing.
- 2Identify the data elements exposed — names, Social Security numbers, driver's license numbers, financial account or card details, health information, login credentials — because state laws define "personal information" by combinations of exactly these elements.
- 3Identify whose information it is and, critically, which states and territories they live in — that list determines which notification laws apply.
- 4Assess the likelihood and severity of harm: identity theft, financial fraud, account takeover, physical risk, or distress; weight the assessment up where children's data or credentials are involved.
- 5Record the assessment and conclusions in the breach log, however minor the incident turns out to be.
6. Notification: check every state that applies
There is no single US notification deadline to rely on — the deadlines, formats, and recipients differ by state. Using the state list from the assessment, [name/role] and counsel check the current requirements of each affected state attorney general: whether the incident meets that state's definition of a breach, whether encrypted data is exempt, who is notified and how, whether the AG or state agencies are notified directly, and whether consumer reporting agencies come into scope at that state's threshold. Work from the state AG pages and current counsel advice, not from templates or last year's memory.
Consider law enforcement early: the FTC's guide covers when to involve local police or federal agencies, and a law enforcement request can affect notification timing. If the decision in any state is that notification is not required, record the reasoning in the breach log — that record is what shows the decision was considered, not missed.
7. Telling the people affected
Where notification is required — or is simply the right call — tell people in plain language: what happened, what information was involved, what we are doing, what they can do to protect themselves, and who to contact at {{org.name}}. The FTC's guide includes a model letter, and IdentityTheft.gov is the standard resource to point people to for recovery steps. Some state laws prescribe specific content for the notice, so counsel reviews it before it goes out.
Coordinate with [insurer/forensics/law enforcement] before communicating, but do not let coordination become delay — the clock does not pause while the message is polished.
8. Records, lessons, and review
Every breach and near miss goes in the breach log kept at [system/location]: dates and times, facts, assessment, state-by-state decisions, notifications, and actions. Within [period] of closing an incident, the breach lead runs a lessons-learned review and feeds the fixes into training, systems, vendor contracts, and this procedure.
This procedure is reviewed [frequency, e.g. annually] and after every notifiable incident — and the state-law landscape shifts often enough that the review should include a fresh check of the states where your customers live. Owner: [name/role]. Next review due: [date].
How to adapt this template.
Name the breach lead and deputy, and put their out-of-hours contact details where staff will actually find them at 6 p.m. on a Friday.
Brief every team that the rule is "report at once, blame later" — the procedure fails if staff sit on mistakes.
Line up counsel and check your cyber insurance conditions now: many policies dictate the first phone call, and mid-incident is the wrong time to discover that.
List the states where your customers and staff live and bookmark each state AG's breach guidance — that list is your notification map.
Check your vendor and software contracts require prompt breach notice to you — their breach becomes your notification duty.
Run a tabletop exercise on a realistic scenario — a stolen laptop or a phished mailbox — within a month of adopting the procedure.
Turn this template into trained, proven behaviour
A policy in a drawer proves nothing. In TrainedTeam this template becomes assigned training with knowledge checks, e-signature acknowledgments, version history, and an audit-ready record of who completed what, when.
Data Breach Response Procedure template FAQs
Which breach notification law applies to our business?
The laws of the states where the affected individuals live — not just the state where your business operates. All 50 states, DC, and US territories have breach notification laws with differing definitions, deadlines, and requirements, so the first output of your assessment is a list of affected states, and the next step is checking each state attorney general's current requirements, with counsel where the exposure is significant.
How quickly do we have to notify people after a breach?
It depends on each affected state's law, and the deadlines genuinely differ — which is why this procedure never states one. What is consistent is that the clocks generally run from discovery, so the safe operating assumption is: report internally at once, assess fast, and check the current requirements of every affected state before deciding anything about timing.
Does encrypted data still trigger notification?
Many state laws treat properly encrypted data differently, often exempting it when the keys were not compromised — but the definitions and conditions vary by state. Treat encryption as a reason to check each applicable law carefully, not as an automatic pass, and record the reasoning either way.
Should we involve law enforcement?
For anything beyond a trivial misdirected email, usually yes — the FTC's breach response guide covers contacting local police and when federal agencies are the right call. A law enforcement request can also legitimately affect when you notify, which is one more reason to make the contact early and record it.
Is a written breach response procedure legally required?
The notification duties are law; the procedure is how you meet them at speed. Some sector rules and state laws do expect documented security programs, and the FTC's guidance treats a response plan as standard practice. Practically: state deadlines are short enough that an organization without a written procedure, a named lead, and an out-of-hours channel will struggle to comply with ordinary staff on an ordinary weekend.
Related templates
Data Retention Policy
Free US data retention policy template: a retention schedule by record type, secure disposal rules, and legal holds, with IRS recordkeeping as the tax anchor.
Business Continuity Plan
Free business continuity plan template for US small businesses: risks, critical functions, contacts, recovery priorities, and testing. Ready.gov-aligned.