
Last week's post explored how to tell if customer data was stolen in a cyber attack. This week's guide picks up where that one left off: what to do after the signs point to a likely breach.

Discovering that customer data may have been stolen is the moment a cyber incident turns into a business crisis. Federal guidance for businesses stresses that once personal information may be exposed, the priority is to move quickly to secure systems, preserve evidence, and understand notification obligations.

For small business owners, the first 24 to 72 hours shape what happens next. A fast, organized response can reduce customer harm, limit downtime, and put the business in a stronger position legally and operationally.

Why the first 72 hours matter

A confirmed or likely data breach is not just an IT problem. NIST finalized SP 800-61 Revision 3 in April 2025 and positioned incident response inside the broader NIST Cybersecurity Framework 2.0 functions, reinforcing that response is part of business risk management rather than a narrow technical workflow.

That matters because business owners are rarely making only one decision. They may need to contain the threat, understand what data was exposed, review legal and contractual obligations, coordinate external help, and prepare customer communications at the same time.

The 72-hour timeline

Hour 0 to 4: Contain the damage

Focus: Immediate threat mitigation.

The first goal is simple: stop the situation from getting worse. The FTC advises businesses to secure operations immediately, fix vulnerabilities that may have caused the breach, and take steps to prevent additional data loss.

The most important technical point is this: isolate, do not erase. Disconnect affected servers, workstations, or cloud assets from the network (Wi-Fi, too!) rather than wiping them or rebooting them blindly, because rushed cleanup can destroy logs and other evidence needed to understand scope and to support legal, insurance, or law-enforcement needs.

Start with these actions:

  • Disable compromised user accounts and reset privileged credentials.

  • Isolate affected devices, servers, or cloud services from the rest of the environment.

  • Preserve server logs, firewall records, alerts, screenshots, and ransom notes before making sweeping changes.

  • Document the timeline from the first sign of suspicious activity forward.

This is also the moment to establish an incident leader. Even a small business needs one person coordinating decisions across technology, operations, legal review, customer communication, and leadership so the response does not fragment under pressure.
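One way to make the "preserve, then document" steps above repeatable under pressure, as an added example that is not part of the original post or of the FTC or NIST guidance it cites: a small Python script that copies the evidence files into a bundle, records a SHA-256 hash, collector, and timestamp for each in a manifest, appends an entry to a timeline log, and can later confirm that the preserved copies were not altered. The file names, the collector label, and the sample log lines are constructed for the dry run.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()  # stream the file so large logs need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_evidence(sources, bundle_dir, collector, note):
    """Copy each file into bundle_dir/evidence, hash it, record who/when in manifest.json, log to timeline.log."""
    store = Path(bundle_dir) / "evidence"
    store.mkdir(parents=True, exist_ok=True)
    now = datetime.now(timezone.utc).isoformat()
    items = []
    for src in map(Path, sources):
        dst = store / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original file timestamps
        items.append({"name": src.name, "original_path": str(src.resolve()),
                      "size": dst.stat().st_size, "sha256": sha256_file(dst),
                      "collected_at": now, "collector": collector})
    manifest = {"created": now, "note": note, "items": items}
    (store.parent / "manifest.json").write_text(json.dumps(manifest, indent=2))
    with open(store.parent / "timeline.log", "a") as log:
        log.write(f"{now} {collector}: preserved {len(items)} item(s); {note}\n")
    return manifest

def verify_bundle(bundle_dir):
    """Re-hash every preserved file; return the names whose hash no longer matches the manifest."""
    bundle = Path(bundle_dir)
    items = json.loads((bundle / "manifest.json").read_text())["items"]
    return [i["name"] for i in items if sha256_file(bundle / "evidence" / i["name"]) != i["sha256"]]

def dry_run():
    """Constructed sample evidence (not real logs): preserve, verify, then show a later edit is detected."""
    work = Path(tempfile.mkdtemp())
    fw, ransom = work / "firewall.log", work / "ransom_note.txt"
    fw.write_text("2024-01-01T02:14:07Z DENY 203.0.113.5 -> 10.0.0.12:3389\n")  # 203.0.113.0/24 is a documentation range
    ransom.write_text("CONSTRUCTED SAMPLE: your files have been encrypted\n")
    bundle = work / "bundle"
    manifest = preserve_evidence([fw, ransom], bundle, "incident lead", "isolated host before cleanup")
    intact = verify_bundle(bundle)
    (bundle / "evidence" / "firewall.log").write_text("edited\n")  # simulate tampering with a preserved copy
    return manifest, intact, verify_bundle(bundle)
```

Keep the bundle on separate, write-protected storage; the manifest hashes are what let an investigator, insurer, or counsel confirm later that the copies match what was collected.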

Hour 4 to 24: Determine scope and source

Focus: Technical and operational analysis.

Once the immediate threat is contained, the next challenge is scope. NIST's incident response guidance emphasizes analysis of logs, network activity, affected assets, and related evidence to determine what happened, what systems were impacted, and how the incident should be handled.

For a non-technical business owner, the practical questions are straightforward:

  • How did the attacker get in?

  • Are they still inside any systems?

  • What accounts, devices, cloud apps, or vendors were involved?

  • What customer or employee data may have been accessed, copied, or removed?

This is often the point where outside forensics becomes necessary. The FTC advises businesses to consider bringing in forensic experts if they cannot determine the scope internally, especially when sensitive personal information may be involved. (Your insurance company may offer this service for you, or you can hire someone. Just be careful you don't hire hackers posing as experts, who will victimize you twice! Many insurance policies require you to contact them first and have them approve whoever you hire.)

At the same time, harden obvious weak points. That may include rotating passwords, enforcing multi-factor authentication, patching exploited systems, reviewing remote access tools, and checking whether the attacker created persistence through malware, new accounts, or unauthorized integrations.

One practical warning belongs here: do not coordinate the response only through the same compromised business email, chat, or collaboration tools the attacker may already be monitoring. During active containment, leadership should move sensitive coordination to an out-of-band channel such as phone calls, text groups, or another clean communication path.

Hour 24 to 48: Review legal and contractual obligations

Focus: Compliance, counsel, and business obligations.

This is where many businesses realize breach response is as much a legal and business process as a technical one. All 50 states, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands, have breach notification laws requiring notice in certain situations when personal information is compromised.

Those laws are not identical. Common requirements include notifying affected individuals without unreasonable delay, notifying state attorneys general or consumer reporting agencies in some cases, and including specific content in the notice itself.

Regulatory duties are only part of the picture. Businesses also need to review contracts that may create separate obligations after a breach, even if the law is not yet clear or the investigation is still underway.

Check these areas immediately:

  • Customer agreements that require prompt notice of security incidents.

  • Vendor or service provider contracts with escalation timeframes.

  • Partnership agreements with cooperation or reporting clauses.

  • Data processing, confidentiality, or SLA terms that control who can notify whom.

  • Cyber insurance policies with specific notice windows and approved vendor requirements.

This section matters because missing a contract deadline can trigger its own consequences. A business may face indemnification claims, loss of vendor status, contract termination rights, or insurance coverage problems even if it is still within a regulatory notification window.

A practical insurance tip belongs here as well: contact the cyber insurance carrier or broker before signing contracts with outside forensic firms, breach coaches, or PR agencies whenever possible. Some policies require prompt notice and may route the company to approved vendors, and skipping that step can create coverage problems for response costs.

Legal counsel should be involved as early as possible in this phase. That helps the business separate regulatory duties from contractual ones, review customer notice language, and make informed decisions about privilege, liability, and timing.

Hour 48 to 72: Draft the communication strategy

Focus: Customer notifications and public response.

By this point, many businesses know enough to begin communication planning, even if every detail is not yet confirmed. The FTC's guidance makes clear that businesses should notify affected parties when required and should provide practical information that helps people protect themselves.

A strong customer notice should explain:

  • What happened, in plain language.

  • What information was involved, if known.

  • What the business has already done to contain the incident.

  • What steps customers should take next, such as resetting passwords or monitoring accounts.

  • How customers can reach the business with questions.

The tone matters as much as the content. Customers do not want vague legal language, defensive messaging, or false certainty. They want a clear explanation, practical next steps, and evidence that the company is taking the issue seriously.

Communication planning may also include a website notice, internal talking points, partner outreach, and preparation for customer-facing staff who may receive a surge of calls and emails.

Mistakes that make a breach worse

Mistake: Destroying evidence
  Why it makes it worse: Deleting logs, wiping systems, or rebuilding too fast can blind investigators and complicate legal, insurance, or law-enforcement follow-up.
  The fix: Isolate affected systems and preserve logs, alerts, screenshots, and related evidence before major changes.

Mistake: Chasing perfect certainty
  Why it makes it worse: Waiting for 100 percent confirmation can burn valuable time while notification clocks and contractual deadlines keep moving.
  The fix: Act on a high-confidence assessment and communicate transparently as facts become clearer.

Mistake: Siloing the breach in IT
  Why it makes it worse: Treating the incident as only a technical outage leaves legal, communications, and leadership teams unprepared.
  The fix: Assign an incident leader who coordinates technology, legal review, communications, and executive decisions.

Mistake: Ignoring contract deadlines
  Why it makes it worse: Looking only at state law can cause a business to miss customer, vendor, or insurance notice requirements.
  The fix: Review agreements immediately for security-event notice clauses, escalation windows, and approved-vendor terms.

Mistake: Communicating poorly
  Why it makes it worse: Generic or inconsistent messaging can increase confusion and damage trust with customers and partners.
  The fix: Use plain language, explain what is known, give practical next steps, and prepare staff with clear talking points.

What comes after the first 72 hours

The crisis does not end once the first notices are sent. NIST and FTC guidance both support continuing work across recovery, customer support, remediation, and lessons learned after the immediate response phase.

That means monitoring for misuse of exposed data, restoring systems safely, reviewing vendor relationships, updating security controls, and capturing lessons that improve future readiness. Businesses that treat a breach only as a one-time emergency often miss the chance to reduce the impact of the next one.

A simple decision lens for owners

For a business owner, the most useful mindset is this: if sensitive data was likely accessed and there is meaningful risk of harm, act like it is a real breach until the evidence proves otherwise. That approach aligns with federal guidance to move quickly, secure systems, preserve evidence, and understand who must be notified.

The first 72 hours are not about achieving perfect clarity. They are about making disciplined decisions fast enough to protect customers, preserve options, and keep a difficult situation from becoming a much larger one.