Sending a Data Security Crisis Team into Action

September 20, 2023

Every organization dreads facing a data breach, but advanced preparation can optimize response when disaster strikes. Having an established crisis team, focused on transparency, accountable follow-up, and leveraging the experience, transforms breach incidents from chaotic catastrophes into manageable events. This article outlines steps companies can take to meet crises head on.

Assemble a Breach Crisis Team Before Disaster Strikes

At the first sign of a potential data breach, immediately convene the standing crisis team to coordinate efforts. Determine roles and responsibilities for each member in advance so they can spring into action:

  • IT Security – Analyze systems compromised and contain ongoing data exposure
  • Legal Counsel – Provide guidance on compliance obligations and liability risks
  • Public Relations – Manage internal and external communications about the breach
  • Executives – Strategize on minimizing business impacts and recovery plans
  • Others – Data protection officer, customer experience, etc. depending on the organization

Draft emergency communications for likely scenarios to accelerate initial notifications when an incident occurs.

Objectively Focus First on the Facts of the Breach

Before speculating on causes or assigning blame, focus the crisis team on gathering facts to determine:

  • What systems and data were impacted? Identify affected networks, databases, applications, endpoints, etc.
  • How many customer and/or employee records exposed? Quantify the scope of personal information compromised.
  • Is the breach ongoing? Determine if attacker still has access or if exposure has been contained.
  • What vulnerabilities led to exploitation? Unpatched software, phishing, misconfigurations, etc.

Stick to known details to guide containment and immediate next steps. Avoid reacting to assumptions before fully assessing the situation.

Provide Transparent Communications from the Start

Once basic facts are established, promptly notify affected customers and partners with:

  • An overview of the incident and its potential impact on them – Briefly explain what happened in plain language
  • Steps you have already taken to contain the breach – Demonstrate action to address the situation
  • What you are doing to investigate and prevent future recurrence – Show accountability beyond just an initial reaction
  • Where to get additional information – Provide contact details for updates going forward

Showing organized response and commitment to transparency from the outset builds trust.

Keep Providing Status Updates to Stakeholders

In addition to initial notifications, provide regular status reports as the investigation proceeds to:

  • Customers – Share findings from the root cause analysis, details that may further assist them in mitigating damage, and resources like credit monitoring services if relevant.
  • Employees – Keep internal teams informed of progress resolving the incident.
  • Executives – Update leadership on technical and business impacts, recovery timelines, and recommendations.
  • Regulators – Demonstrate due diligence in compliance with breach notification laws.

Continued open communication and accessibility to address questions demonstrates responsiveness throughout the process.

Take Accountability and Prevent Repeat Incidents

Once root causes are determined, share details publicly on:

  • Vulnerabilities that led to the breach – Disclose how attackers were able to gain access, such as unpatched servers, phishing, or misconfigured databases.
  • Steps taken to address those specific gaps – Provide details on strengthening defenses like implementing new access controls, enhanced employee training, multiplied audit frequency, etc.

Avoid generic claims that fail to demonstrate understanding of the real issues. The goal is showing commitments that match the actual risks exposed rather than checking off compliance boxes.

Leverage Experience to Improve Future Preparedness

In any crisis lie opportunities for improvement. Analyze the response to identify areas for bolstering organizational resilience:

  • Update breach response plans – Refine roles, procedures, and communications based on lessons learned reacting in real-time.
  • Listen to customers – Survey both affected and unaffected clients to gain insights into their concerns and expectations.
  • Invest in capabilities – Fund projects to implement employee training, updated data protections, and other identified needs.

A breach can serve as a pivotal event to reshape institutional priorities and culture around security and privacy.


By having an experienced crisis team in place, responding rapidly and transparently to contain exposure, providing ongoing updates, demonstrating accountability, and learning from missteps, companies can emerge from data breaches with minimal damage to operations, reputation, and customer trust. While major incidents test organizations, those who prepare beforehand have a plan ready to activate when disaster strikes.

Referenced Work

Data Breach Response Guide. (2020). Office of the Attorney General, State of California Department of Justice.

Gottschalk, P. (2021). Characteristics of financial data breach crises and effects on shareholder value: Recent evidence from the United States stock market. Journal of Cybersecurity, 7(1).

NIST Computer Security Incident Handling Guide. (2020). National Institute of Standards and Technology.

Data Breach Response Services. (n.d.). IBM Security. Retrieved January 16, 2023, from