What to Do in the First 24 Hours After a Data Breach — An Initial Response Guide for Small Businesses
A neutral first-response guide for small businesses: what to check in the first 24 hours after discovering a data breach, the three guiding principles, and what not to do.
Initial response to a data breach refers to the set of actions a company takes in roughly the first 24 hours after discovering the incident, to contain the damage and make the right notifications and records. Many small businesses have no dedicated team for this, and often are not sure where to start. This article lays out the guiding principles for initial response and what to check in the first 24 hours.
Background
Data breaches can originate from external unauthorized access, but also from a misdirected email, a lost device, or an incident at a vendor; the causes vary widely. Regardless of the cause or scale, how well a company handles the immediate aftermath is generally believed to affect both how far the damage spreads and how quickly trust can be rebuilt with partners and customers. Understanding the basic flow of initial response ahead of time reduces confusion if an incident actually occurs.
Three Principles of Initial Response
Initial response to a data breach is generally guided by three principles. First, do not hide it: concealing or downplaying the facts tends to cause greater loss of trust if the truth comes out later. Second, do not let it spread: promptly isolate any system or account suspected of compromise so the damage does not expand further. Third, keep a record: documenting who noticed what, when, and how they responded, in chronological order, is essential for later reporting and for preventing recurrence.
The Structure of the Risk: Why the Initial Response Matters
The scope of damage from a data breach can change significantly depending on how the company responds immediately after discovery. For example, the longer it takes to disconnect a network after noticing unauthorized access, the more the damage can grow. Delayed or reactive external communication can also prolong the loss of trust from partners and customers and any reputational fallout. A slow initial response carries risk that extends beyond the technical damage into business continuity and trading relationships.
First 24-Hour Checklist
Below are example items worth checking or acting on within roughly the first 24 hours of suspecting a data breach. The actual response will vary with the nature and scale of the incident, so treat this as a general reference rather than a fixed procedure.
- Identify the scope: determine which systems, data, and people may have been affected
- Contain the damage: consider disabling suspicious accounts or disconnecting the affected system from the network
- Change passwords: promptly change passwords for any accounts that may have been affected
- Share internally: inform leadership and relevant departments of the facts and decide on a response structure
- Consult specialists or the police: as appropriate, contact a cybercrime consultation desk or an outside specialist
- Notify affected partners: give an early heads-up, within what is known, to partners who may be affected
- Keep records: document the time of discovery, actions taken, and the reasoning behind decisions, in order
Reporting Obligations When Personal Data Is Involved
If the leaked information includes personal data, Japan's Act on the Protection of Personal Information may require reporting to the Personal Information Protection Commission and notifying affected individuals, depending on whether certain criteria are met. The specific requirements, deadlines, and scope of covered information vary by case, so if you are unsure, do not decide on your own; check the Personal Information Protection Commission's official website or consult a lawyer promptly.
What Not to Do
During initial response, well-intentioned actions can sometimes make things worse. Casually deleting or overwriting logs or files that could serve as evidence can make it much harder to investigate the cause later. Making a definitive public statement before the facts are confirmed can also trigger further loss of trust if a correction is needed later. It also matters to have a clear internal decision-making chain, rather than letting one person handle external communication alone.
- Deleting or resetting logs, devices, or files that could serve as evidence
- Making definitive public statements before the facts are confirmed
- Handling disclosure or stakeholder communication based on one person's judgment alone
- Deciding on your own that it is probably not serious and postponing checks or consultation
Preparing in Advance
A smooth initial response rests on preparation done during normal times. Deciding in advance who receives the first report and who makes decisions, keeping contact information for police and outside specialists on hand, and configuring systems to retain logs for a set period are all steps that can be taken without major investment.
Map: Peacetime vs. After an Incident
| Stage | What to do | Purpose |
|---|---|---|
| Peacetime | Organize contact structure and consultation points | Speeds up initial response |
| Peacetime | Confirm log retention settings | Enables root-cause investigation |
| Immediately after | Identify scope and contain damage | Minimize the damage |
| Immediately after | Create a record | Basis for reporting and prevention |
| Days after | Confirm reporting obligations with authorities and stakeholders | Meet legal requirements |
Frequently Asked Questions
Who should we contact first if we suspect a data breach?
Generally, reporting to the person responsible within your company is the first step. From there, depending on the situation, consider contacting the police's cybercrime consultation desk, an outside security specialist, or your company's lawyer. If personal data may be involved, checking with the Personal Information Protection Commission is also an option.
Do small companies also have reporting obligations?
It is safest to assume that reporting obligations under the Act on the Protection of Personal Information can apply regardless of company size, if the relevant criteria are met. The specific requirements vary case by case, so do not decide on your own; check official information from the Personal Information Protection Commission or consult a specialist.
When should we notify affected business partners?
Ideally you would notify partners once the facts are confirmed, but if that investigation takes time, sharing what is known so far along with the fact that an investigation is underway tends to have less impact on trust than waiting. The right timing depends on the specifics of the case, so it is best to proceed with advice from a specialist.
Summary
Initial response to a data breach rests on three principles: do not hide it, do not let it spread, and keep a record, combined with knowing in advance what to check in the first 24 hours. For situations requiring a legal judgment, such as reporting obligations involving personal data, do not decide on your own; prioritize checking with the Personal Information Protection Commission or a lawyer. For a broader view of IT risk management, see our SMB IT Risk Management Guide. For one of the leading causes of breaches, see Ransomware Basics for Small Businesses, and for preparing financially for post-incident costs, see Cyber Insurance Basics for Small Businesses.
Feel free to contact us
Contact Us