When a cyberattack occurs, time is the most valuable asset. Much like law enforcement’s “first 48” hours rule in criminal investigations, the first 72 hours of a cyberattack, often referred to collectively as the “golden hour,” are crucial. Early action preserves critical evidence, prevents further harm, and increases the chance of a successful resolution.
Here is a summary of what to do in the first 72 hours of a cyberattack and beyond.
Day One (hours 1-24): Contain, assess, and document
The moment you detect an attack, containment is the top priority. Disconnect affected systems, disable compromised accounts, and preserve forensic evidence. Avoid deleting or altering files, which could hinder the investigation or violate legal hold obligations.
Next, rally your incident response team, including information technology staff, legal counsel, communications, and leadership. Confirm whether the information affected is sensitive or critical to your organization’s mission.
Regulators and insurers often scrutinize these early actions to assess whether the organization acted reasonably under the circumstances, so documentation is also critical. The documentation should consist of detailed records regarding who was notified, what containment steps were taken, and the rationale for any decisions made.
Day Two (hours 25-48): Investigate and notify internally
Now that the attack has been contained, the focus shifts to the investigation. Whether handled by your internal IT staff or external forensic experts, the investigation should focus on determining how the attack occurred and, when possible, accurately pinpointing the systems that were accessed and the data that was affected.
As with the first 24 hours, the goal at this stage is to define the scope of the incident and preserve any evidence that may be needed for legal, regulatory, or insurance purposes. You should do the following:
- Consult with legal counsel about how best to maintain attorney-client privilege.
- Draft internal communications and responses to be used by the internal incident response team.
- Notify your cyber insurance carrier, and make sure you understand and comply with your reporting obligations under the insurance policy.
- Begin preparing notification templates for regulatory bodies and consumers, even if the investigation is not yet complete.
- If the breach could affect vendors or third parties, notify them promptly so that they can assess their own systems and reporting obligations.
Day Three (hours 49-72): Manage the response
By the third day, your organization should have a clearer picture of the scope and impact of the incident. Certain federal laws (and, depending on your jurisdiction, state laws) may require notification by specified deadlines to regulators, affected individuals, or law enforcement. For example, many states require notice “without unreasonable delay,” and some have deadlines as short as 30 days.
All internal communications and external statements should be accurate, consistent with each other, and approved in advance by counsel. Although transparency is usually a good thing, premature or incomplete disclosures can create additional risk. If your organization maintains a public website or social media presence, coordinate messaging across channels to prevent inconsistency and confusion.
Day Four and Beyond: Learn and strengthen
You’ve survived the critical 72-hour period, but you’re not yet out of the woods. Continue to work with your legal counsel to ensure that all legal obligations are met and that you are prepared for any future litigation or regulatory investigation. Also consider how the event may affect business relationships, and discuss your options with counsel. Once the incident response is complete, conduct a post-incident review to identify how a similar incident might be prevented in the future. Good preventive steps include strengthening your IT system defenses, updating your response plans as needed, and retraining (or providing initial training to) employees.
The Constangy Cybersecurity & Data Privacy Team helps businesses of all sizes and industries develop a comprehensive incident response plan and provides support during a breach. We are here to help! The Constangy Cyber Team is available 24/7. Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.
- Partner
He brings over ten years of combined incident response and risk management experience to his role on our Rapid Response Team. During the seven years prior to joining the Constangy Cyber Team, Matt worked at a boutique incident ...