< Back

Share |

Breach response checklist

May 2017

A data breach of any size is a crisis management situation, which could put an entire business at risk. Data security is not an IT issue, it is a business risk, and breach response should involve people from a number of roles across the business, including legal, commercial, HR, information security, PR, forensic IT and a director or board member. Dealing with a data breach will be alien to many of them. Planning for a breach is therefore essential; every business should have in place a breach response plan, and should designate, in advance, a breach response team which can be convened at short notice to deal with the crisis. Understanding the issues that arise in a breach situation, and practising managing a breach, are essential to effective breach response. Failure to plan and practise increases the regulatory, litigation and reputation risk to the entire business. The checklist below sets out the key issues which a business should consider in preparing for a data breach.

The breach response team and plan

  • Do you know who is in your breach response team, and what their roles are?
  • Do you have primary and secondary individuals in each role, so you can always pull together a full team?
  • Do you have clear reporting lines and decision-making responsibility?
  • Do you understand what external assistance you might need, with providers in place in advance?
  • Do you have a designated board member responsible for managing breaches, with full decision making authority?
  • Do you have processes for triaging incidents, identifying actual breaches and activating the breach response team?
  • Is your breach response plan up to date?
  • Have you tested your breach response plan with 'live fire' exercises?

Legal issues

  • Do you have a process for maintaining legal privilege and confidentiality?
  • Can you pause document destruction processes?
  • Do you have appropriate evidence gathering capability?
  • Do you know who your specialist external lawyers who can manage the investigation and give legal advice are?
  • Do you have a process for managing and logging steps taken in the investigation?
  • Do you understand your contractual rights and obligations with third parties?
  • Can you quickly identify third parties you may need to notify?
  • Do you have appropriate contractual rights to be notified of breaches by third parties?
  • Do you have contacts at the appropriate regulators and with law enforcement who you can involve quickly if necessary?
  • If you hold card data, do you need to notify your payment processor?
  • Do you need advice on the legal options available to quickly gather evidence from third parties?
  • Do you understand your potential liabilities to third parties?
  • Can you gather evidence to a criminal standard?
  • Do you understand when you should consider notifying data subjects and / or regulators?

Forensic IT

  • Do you have appropriately qualified forensic IT capability, either internally or externally?
  • Do you understand the basic IT do's and don'ts of immediate response to data breaches?
  • Do you have an appropriate asset inventory to help you identify potentially compromised devices, where those devices are and in whose possession?
  • Do you understand how data flows in your organisation, in practice?
  • Can you quickly secure and isolate potentially compromised devices and data, without destroying evidence?
  • Can you quickly ensure physical security of premises?

Cyberliability insurance

  • Do you have cyberliability insurance, or other insurance which may cover a data breach?
  • Do you understand the process for (a) notifying breaches and (b) obtaining consent for actions from insurers?
  • Do you have emergency contact details for your brokers?


  • Do you know what data you hold (and what you shouldn't hold)?
  • Is your data appropriately classified?
  • Do you have, and apply, appropriate data destruction policies?
  • Do you know what data is encrypted, how it is encrypted, and when it may be unencrypted on your systems?
  • Do you have appropriate regression checks to ensure you are storing only the data you should be?
  • Do you have appropriate additional protection for sensitive data?
  • Do you have data loss prevention or similar tools?
  • Do you understand your logs, how long you retain them for, and what they can (or cannot) tell you?
  • Do you have appropriate logging of employee access to data?

Data subjects

  • Do you understand when you should consider notifying data subjects?
  • Do you understand the contractual and legal rights of data subjects?
  • Can you quickly prepare appropriately worded notifications to data subjects?
  • Do you understand the potential harm to data subjects of loss of the different types of data that you hold?
  • Do you have the ability to appropriately triage and deal with customer response if you have a breach?
  • Is your customer service capability appropriately trained as to how to deal with data subjects in a breach scenario?


  • Do you have PR capability experienced in dealing with data breaches?
  • Do you have template pro-active and re-active press statements?
  • Can you actively monitor social media after a breach?

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Breach response checklist
Jessie Prynne

Jessie Prynne

Jessie provides a checklist which sets out the key issues which a business should consider in preparing for a data breach.

"Data security is not an IT issue, it is a business risk."