What to Do After a Data Breach: Incident Response Guide

A data breach is a crisis moment. Your actions in the first hours determine the extent of the damage, both for affected individuals and for your business. This guide explains what to do, step by step.

Stay calm but act fast. Panic leads to mistakes. A methodical response minimizes damage and demonstrates your seriousness to authorities.

Step-by-step process

  1. Contain the incident (immediate)

     Stop the leak. Revoke compromised access, change passwords, isolate affected systems. Don't delete anything; you'll need the evidence. Mobilize your response team (privacy officer, IT, management).

  2. Assess the scope (first hours)

     Identify: what information was affected, how many people are involved, how the incident occurred, whether the threat is still active. Document everything you discover.

  3. Evaluate the risk of harm

     Is there a risk of serious harm? Consider: data sensitivity (health, finances, SIN), context (theft vs. error), protections in place (encryption). If the risk is serious, you must report.

  4. Report to the CAI (if required)

     If the risk of harm is serious, report to the Commission d'accès à l'information with diligence. Use the official form. Don't wait to have all the answers; you can provide updates later.

  5. Notify affected individuals

     If the risk is serious, notify affected individuals promptly. Explain: what happened, what data is affected, what you're doing, what they can do to protect themselves.

  6. Investigate and remediate

     Determine the root cause. Was it human error, a technical flaw, or an attack? Fix the vulnerability to prevent the incident from recurring.

  7. Document and learn

     Record the incident in your register. Write a post-incident report: timeline, actions taken, lessons learned. Update your procedures if necessary.

Tips and warnings

Immediate actions (within the hour)

  • Don't panic, but don't wait. Every minute counts to limit the extent of the breach.
  • Alert the privacy officer and management. This isn't the time to handle things alone.
  • Revoke compromised access. Better to be overcautious than undercautious.
  • Preserve evidence. Don't delete logs, emails, or files, even if they're embarrassing.

Critical mistakes to avoid

  • Minimizing the incident. Better to overestimate than underestimate. You can always revise your assessment.
  • Delaying the report. "With diligence" means quickly. Don't wait to have all the answers.
  • Hiding the incident. Cover-ups always make consequences worse. Transparency protects better.
  • Publicly blaming. Avoid finger-pointing in your communications. Focus on corrective actions.
  • Forgetting to document. If you didn't document it, you can't prove it.

After the crisis

  • Conduct a post-mortem. Gather the team to analyze what happened and how to prevent it.
  • Update your procedures. Integrate lessons learned into your incident response plan.
  • Train your team. Make sure everyone knows what to do if it happens again.
  • Test your systems. Verify that the fixes are effective.

Frequently asked questions

What are the critical first 24 hours?

Contain first, assess second. In the first hours: revoke access, preserve evidence, mobilize the team. Within 24 hours: assess the scope and risk, decide whether you need to report.

Should I call the police?

If the incident involves criminal activity (hacking, theft, extortion), you may report to police. This may be relevant for your protection.

How do I notify affected individuals?

By the means most likely to reach them: email, letter, phone. If you can't reach them individually, a public notice may be necessary. Be clear, direct, and avoid jargon.

What should I tell affected individuals?

What happened (without excessive technical details), what data is involved, what you're doing to fix it, what they can do to protect themselves (monitor accounts, change passwords), and how to contact you.

Do I have to offer credit monitoring?

It's not mandatory, but it's good practice if financial data or SINs are compromised. It demonstrates good faith and can limit harm to affected individuals.

What are the penalties if I don't report?

Failure to report a serious-risk incident is an offense. For a legal entity, fines can reach $25 million or 4% of global revenue. Don't take that risk; report when in doubt.

How long must I keep the documentation?

The law requires keeping the incident register for at least 5 years. Also retain all related documentation: investigation reports, evidence, communications.

Can I be sued by affected individuals?

Yes, individuals can claim damages if they suffer harm. A quick, transparent, and well-documented response is your best protection against lawsuits.

Related tool

An incident register helps you document and track any privacy incident.