
The First 72 Hours After a Data Breach: A Business Owner's Guide

What to do in the first 72 hours after a data breach. Containment, notification requirements, and how documentation now determines your legal exposure later.

April 7, 2026


You just found out that your business data has been compromised. Customer records, employee information, financial data. Something got out. Your stomach drops. Now what?

The next 72 hours will determine how much this breach costs your business. Not just in dollars, but in regulatory penalties, lawsuits, and lost trust. The actions you take right now, and the documentation you create, will shape your legal exposure for months or even years to come.

Here is the short version: contain the breach first, then notify. Do not post anything publicly until you talk to a lawyer. And document everything from the moment you discover the problem.

Why the First 72 Hours Matter So Much

Most state data breach notification laws use language like "most expeditious manner" and "without unreasonable delay." There is no universal hour count, but regulators and courts look at what you did and when you did it. A 72-hour window is a practical benchmark used by many businesses and recommended by cybersecurity professionals.

The European Union's GDPR requires notification within 72 hours. While GDPR may not apply to every U.S. small business, the standard has influenced how regulators everywhere evaluate response times. If you can show you acted within that window, you are in a much stronger position.

The real risk is delay. In the Change Healthcare breach, delayed notification was a central allegation by state attorneys general. The company waited months to notify affected individuals. That delay became the focus of enforcement actions and lawsuits. Your small business does not have the resources to fight those battles. It is far cheaper to act quickly.

Step 1: Contain the Breach

Before you notify anyone, stop the bleeding. Containment comes first.

  • Isolate affected systems. Disconnect compromised devices from your network, but do not power them off or wipe them: shutting a machine down destroys volatile evidence (memory contents, active sessions, running processes) that investigators will need.
  • Change credentials. Reset passwords for all accounts that may have been compromised. Start with administrative and privileged accounts.
  • Preserve evidence. Do not delete logs, emails, or files related to the breach. These records will be critical for your legal defense and any regulatory investigation.
  • Engage your IT team or provider. If you have an IT vendor or managed service provider, call them immediately. They can help identify the scope and source of the breach.

Step 2: Assess What Was Compromised

Once the breach is contained, figure out what data was affected. This step drives everything that follows, including who you need to notify and which regulators have jurisdiction.

Ask these questions:

  • What type of data was exposed? Personal information like Social Security numbers, financial account numbers, and medical records trigger different notification requirements than general business data.
  • How many people are affected? Most states require notification to the Attorney General once a certain number of residents are affected, often in the range of 250 to 500 or more. The threshold matters for determining your obligations.
  • Who are the affected individuals? Are they customers, employees, vendors, or some combination? Each group may have different notification requirements and different legal relationships with your business.
  • How did the breach happen? Understanding the attack vector helps you prevent future incidents and demonstrates good faith to regulators.

Document your assessment process in writing. Include dates, times, people involved, and findings. This contemporaneous record is your best evidence that you acted reasonably and promptly.

Step 3: Call a Lawyer Before You Say Anything Publicly

This is the step most business owners skip or delay. That is a mistake.

A data breach triggers legal obligations in multiple directions at once. You may owe notifications to affected individuals, state attorneys general, federal regulators, and potentially industry-specific bodies. The content of those notifications matters. What you say, how you say it, and when you say it all have legal consequences.

If you are a Surge Momentum member, you already have access to breach response counsel. Use it. If you are not a member, contact us for a free consultation. Either way, do not draft your first public statement or notification letter without legal review.

Here is why this matters: anything you say publicly can be used against you in litigation. A premature statement that downplays the breach can become evidence of negligence. An overly broad statement can expand your liability beyond what the facts support. Your lawyer helps you find the right balance.

Step 4: Notify the Right People in the Right Order

Once you understand the scope and have legal counsel involved, it is time to notify. Here is who needs to know and when.

Affected Individuals

Most states require you to notify individuals whose personal information was compromised. The notification must typically be made in the "most expeditious manner" and "without unreasonable delay." In practice, this means as soon as you have enough information to send a meaningful notice.

Your notification should include:

  • What happened. A brief, plain-language description of the breach.
  • What information was involved. Be specific about the types of data compromised.
  • What you are doing about it. Describe the steps you have taken to contain the breach and prevent future incidents.
  • What they can do. Provide guidance on how they can protect themselves, such as monitoring credit reports or placing fraud alerts.
  • How to reach you. Include contact information for questions.

State Attorneys General

Typical AG notification threshold: 250 to 500+ affected residents. GDPR notification window: 72 hours.

Most states require notification to the Attorney General once a threshold number of residents are affected. Some states set that threshold at 250 residents, others at 500 or more. Every state where your customers reside may have its own threshold and additional requirements, so check the specific rules for each state that applies to your business.

The AG notification is separate from individual notifications and often requires additional detail about the breach, your response, and the total number of affected residents.

Federal Regulators

If your business handles health information, HIPAA imposes its own notification requirements. Breaches affecting 500 or more individuals must be reported to the U.S. Department of Health and Human Services. The FTC may also have jurisdiction depending on your industry and the nature of the breach.

If you accept credit card payments and card data was compromised, your payment processor and the card brands (Visa, Mastercard) have their own notification and investigation requirements.

Step 5: Document Everything

This is not optional. Your documentation is your legal shield.

Every conversation, every decision, every action taken during your breach response should be recorded. This includes:

  • Timeline of events. When the breach was discovered, when containment began, when each notification was sent.
  • Decision log. Who made what decisions and why. Include the reasoning behind any delays.
  • Communications. Copies of all notifications sent to individuals, regulators, and law enforcement.
  • Remediation steps. What you did to fix the vulnerability and prevent recurrence.
  • Costs incurred. Track expenses related to the breach response. These may be recoverable through insurance or relevant to legal proceedings.

If a regulator or plaintiff's attorney later questions your response, this documentation is what proves you acted in good faith. Without it, you are relying on memory and hoping for the best. That is not a legal strategy.

The Change Healthcare Warning

The Change Healthcare breach in 2024 is a cautionary tale for businesses of every size. The company experienced a massive data breach affecting millions of individuals. State attorneys general filed enforcement actions, and a central allegation was that the company delayed notification to affected individuals.

Regulators care about speed and transparency. A company that moves quickly, notifies promptly, and cooperates with investigators faces far less exposure than one that drags its feet.

Your small business will not get more leniency than a large corporation. If anything, regulators expect that a smaller breach should be easier to assess and communicate quickly.

Common Mistakes That Increase Your Legal Exposure

After working with businesses through breach responses, we see the same mistakes repeatedly.

  • Delaying notification to "get all the facts." You do not need complete information to begin notifying. Regulators understand that investigations take time. What they do not accept is using the investigation as an excuse to delay telling people their data was compromised.
  • Posting on social media before talking to a lawyer. A well-meaning Facebook post can become exhibit A in a lawsuit. Get legal review first.
  • Destroying evidence. Whether intentional or accidental, wiping systems or deleting logs before they are preserved creates an inference of wrongdoing.
  • Ignoring states where your customers live. If you have customers in 15 states, you may have notification obligations in 15 states. Each has its own rules.
  • Failing to update your security after the breach. Regulators look at whether you learned from the incident. If the same vulnerability is exploited twice, your legal position is significantly worse.

What Surge Business Law Does for Breach Response

We help business owners navigate every phase of a data breach response. Our services include:

  • Breach response counsel. We guide you through the containment, assessment, and notification process step by step.
  • Notification drafting. We prepare compliant notification letters for individuals and regulatory bodies, making sure the content protects your interests while meeting legal requirements.
  • Regulatory communication. We handle correspondence with state attorneys general, federal agencies, and industry regulators on your behalf.
  • Post-breach policy review. After the immediate crisis, we help you update your data security policies and incident response plans to reduce future risk.

If you are not sure whether your business has experienced a reportable breach, that is exactly the kind of question to bring to us. The consultation is free, and getting an answer early is always better than guessing.

Our Momentum membership includes ongoing access to business counsel, which means you already have a lawyer to call when something goes wrong. If you are not yet a member, learn more about how a business lawyer can protect your company before a crisis hits.

Need help with this topic?

A data breach does not have to become a legal disaster. Contact Surge Business Law for a free consultation and get the guidance you need in the hours that matter most.