A comprehensive guide to surviving a data breach when 60% of small companies fail within six months. Learn the critical steps that separate survivors from casualties in the aftermath of a cyber attack.
A written data breach response plan belongs at the top of your business priorities: by one widely cited estimate, 60% of small companies go out of business within six months of falling victim to a cyber attack. The financial impact is just as sobering. Older research put the average global cost of a single breach at $3.62 million, and the 2024 figure discussed later in this guide is higher still.
Despite these statistics, many organizations have no plan for what to do once a breach is discovered. Full recovery typically takes more than 100 days and often exceeds 150 days. Even with cyber insurance, most small businesses do not survive beyond six months after an attack. For an average-sized company, the total cost of an incident can exceed $4 million.
Throughout this guide, you'll discover the critical steps to take immediately after detecting a breach, how to effectively communicate with stakeholders, and most importantly, how to implement recovery strategies that put you in the minority of businesses that survive such incidents. Understanding these essential actions isn't just about damage control—it's about business survival.
The uncomfortable truth about data breaches is not just that they happen, but how long they go undetected. IBM research reports that organizations take an average of 272 days to identify and contain an active breach across all industries, and other research puts the figure higher still at 277 days. This extended "dwell time" gives attackers months to move through the environment and extract data unnoticed.
Surprisingly, most organizations don't discover breaches themselves. About 40% of breaches are identified by benign third parties or outsiders, compared to only 33% discovered by internal teams and tools. Additionally, in 27% of cases, the attackers themselves disclose the breach as part of a ransomware attack.
Internal detection typically happens through:
External detection often comes through:
While external attackers constantly probe your network, many security professionals consider insider threats more dangerous: in one survey, 79% of professionals said internal threats pose greater risk and damage than external ones. Insiders already hold valid credentials and access, know the network layout, and may be positioned to bypass or disable security controls.
The timing of breach discovery directly impacts both financial outcomes and recovery prospects. Breaches discovered after 200 days cost 37% more than those detected sooner. In concrete terms, data breaches with a lifecycle under 200 days are $1.12 million less costly than longer-duration breaches.
Moreover, rapid detection significantly affects what a company should do after a data breach is discovered. Organizations with faster detection times can:
The Arby's breach illustrates the consequences of delayed detection. The fast-food chain discovered malware in their point-of-sale system that had gone unnoticed for three months, compromising 355,000 credit cards. The company subsequently faced class action lawsuits specifically because they failed to detect and prevent the breach in a timely manner.
Organizations that invest in early detection capabilities generally fare better when breaches occur. This includes implementing continuous monitoring systems, developing formal incident response plans, and integrating artificial intelligence and automation into security operations—which can resolve breaches nearly 100 days faster than those without such technologies.
Once you've discovered a breach, the clock starts ticking. Immediate action is essential—the first 24-48 hours can make or break your recovery efforts. Here's what you need to do right away:
Immediately involve your legal team when facing a data breach. In-house counsel should act as the conductor, keeping the response on track and ensuring timely decisions, but also engage external counsel with privacy and data security expertise. External counsel can advise you on the federal and state laws that apply, which matters because breach notification laws now exist in all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, each with its own definitions, deadlines, and notice requirements.
The legal team plays a critical role in securing information to assess your position. They'll identify:
The partnership between internal and external counsel also creates a strategic advantage. Engaging outside counsel to direct the investigation helps establish attorney-client privilege and work-product protection over sensitive communications and findings, which protects you if litigation follows. For the same reason, counsel rather than IT should typically retain the forensic firm, so that the engagement is clearly for the purpose of obtaining legal advice.
Notify your cyber insurance carrier immediately after discovering a breach. This isn't just a good practice—it's typically required for coverage. Late notification can jeopardize your claim or even result in denial of coverage.
Your insurer will likely:
Some carriers offer in-house expertise and services specifically designed for cyber response. They'll guide you through proper response steps and help process the accumulating costs of the breach. Many insurers have pre-negotiated rates with certain vendors, which can significantly reduce recovery costs.
Although your instinct might be to wipe everything and rebuild, doing so destroys the evidence you will need. Preservation of evidence is essential for:
First, contain compromised systems without destroying what is on them: isolate them at the network level (VLAN quarantine, host firewall rules, or EDR network containment) rather than powering them off, because a shutdown discards volatile memory, running processes, and live network connections that identify the attacker. Immediately preserve all relevant log data, including firewall, VPN, email, intrusion detection, authentication, and endpoint detection logs, since log rotation and retention limits put this data continuously at risk of being overwritten; export it to offline or write-once storage and extend retention on your SIEM for the affected period.
For virtual machines, take snapshots of the virtual disks, and of guest memory where the hypervisor supports it, in their compromised state to create instant forensic images. Hash every image and log export at collection time (SHA-256 is the usual choice), record who collected what, when, and from where, and maintain a chain of custody so any evidence collected remains defensible.
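The log preservation and chain-of-custody steps above can be scripted so that every collected file is hashed at collection time and any later alteration is detectable. The following is an added example and not code from the original article; it assumes a directory of exported logs (constructed sample files below), a hypothetical collector name and case identifier, and writes a JSON manifest alongside read-only copies of the evidence.

```python
"""Preserve exported log files with SHA-256 hashes and a chain-of-custody manifest.

Added example, not from the original article. Assumes a directory of exported
logs; the sample files in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large log exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_logs(source_dir, evidence_dir, collector, case_id):
    """Copy every file under source_dir into evidence_dir, hash source and copy,
    make the copy read-only, and write a manifest recording who collected what."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for root, _dirs, files in os.walk(source_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            src_hash = sha256_file(src)
            shutil.copy2(src, dst)          # copy2 preserves the source mtime
            dst_hash = sha256_file(dst)
            if src_hash != dst_hash:
                raise RuntimeError(f"copy of {rel} does not match its source")
            os.chmod(dst, 0o440)            # evidence copy is read-only
            entries.append({
                "path": rel,
                "size": os.path.getsize(src),
                "sha256": dst_hash,
                "source_mtime": datetime.fromtimestamp(
                    os.path.getmtime(src), timezone.utc).isoformat(),
                "collected_at": datetime.now(timezone.utc).isoformat(),
            })
    manifest = {"case_id": case_id, "collector": collector,
                "source": os.path.abspath(source_dir), "entries": entries}
    # Hash the entry list itself so edits to the manifest are also visible.
    body = json.dumps(entries, sort_keys=True).encode()
    manifest["entries_sha256"] = hashlib.sha256(body).hexdigest()
    with open(os.path.join(evidence_dir, "MANIFEST.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash every preserved file; return the paths that no longer match
    the manifest (an empty list means the evidence set is intact)."""
    with open(os.path.join(evidence_dir, "MANIFEST.json")) as fh:
        manifest = json.load(fh)
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    if hashlib.sha256(body).hexdigest() != manifest["entries_sha256"]:
        return ["MANIFEST.json"]
    bad = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def demo():
    """Constructed sample: three small log exports are preserved, verified,
    then one preserved copy is edited to show that verification catches it."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "export")
    os.makedirs(os.path.join(src, "vpn"))
    samples = {  # constructed log lines, not real traffic
        "firewall.log": "2024-05-01T02:14:07Z DENY 203.0.113.5:4444 -> 10.0.0.12:445\n",
        "vpn/auth.log": "2024-05-01T02:10:41Z user=svc-backup src=198.51.100.9 result=OK\n",
        "edr.json": '{"host":"POS-07","event":"process","image":"a.exe"}\n',
    }
    for rel, text in samples.items():
        with open(os.path.join(src, rel), "w") as fh:
            fh.write(text)
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs(src, evidence, collector="analyst-1", case_id="IR-0001")
    intact = verify_manifest(evidence)
    tampered = os.path.join(evidence, "firewall.log")
    os.chmod(tampered, 0o640)               # simulate someone editing evidence
    with open(tampered, "a") as fh:
        fh.write("2024-05-01T02:14:08Z ALLOW 203.0.113.5:4444 -> 10.0.0.12:445\n")
    after = verify_manifest(evidence)
    shutil.rmtree(work)
    return len(manifest["entries"]), intact, after


if __name__ == "__main__":
    print(demo())
```

The manifest records collector, case, source path, per-file hash, size, original mtime, and collection time; in practice the evidence directory itself should be written to media the compromised host cannot reach, and the manifest hash should be recorded in the incident log so that the copy of the manifest is independently verifiable.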
A well-structured incident response team combines both internal and external expertise. Your internal team should include members from various departments:
This team should be supplemented with external specialists:
Each team member plays a specific role in addressing different aspects of the breach. It's crucial to establish clear lines of authority—typically granted to the Chief Information Officer (CIO) or Chief Information Security Officer (CISO)—as incidents often occur outside business hours, requiring swift decisions without waiting for CEO approval.
Designate an Incident Response Lead to coordinate all activities across teams. This individual should be senior enough to make decisions affecting your organization's response strategy.
Effective communication becomes your next critical challenge after discovering a breach. Your response messaging can either preserve stakeholder trust or destroy it completely. After all, how you communicate about a breach often matters as much as how you handle the technical response.
Timing is a legal question as much as an operational one. State deadlines vary: some statutes specify 30, 45, or 60 days from discovery, while many only require notice "without unreasonable delay", which regulators read strictly. Under GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it where feasible, and affected individuals must be told without undue delay when the breach is likely to result in a high risk to them. Even a well-managed technical response can be undermined by late or poorly timed communications.
Consider these essential notification requirements:
Getting ahead of the story is crucial. Organizations that acknowledge breaches promptly rather than waiting until forced to disclose typically fare better with stakeholders. As demonstrated by successful cases like Buffer, direct communication before public knowledge emerges can significantly reduce reputational damage.
Each stakeholder group requires different information and approaches. One-size-fits-all messaging often fails to address specific concerns of diverse audiences.
For customers whose personal information was compromised, explain clearly what happened, which data elements were affected, what concrete steps they should take (such as changing passwords, placing fraud alerts, or enrolling in the credit monitoring you offer), and how you are supporting them. Some regimes prescribe the delivery channel: the HIPAA Breach Notification Rule, for example, requires written notice by first-class mail, with email permitted only where the individual has agreed to electronic notice. Check each applicable statute rather than assuming one method satisfies all of them.
Partners and vendors need to understand business continuity implications and any potential impact on shared systems or data. They require assurance about strengthened security measures and clarity on their role in the recovery process.
Employees need internal messaging that provides accurate information without revealing sensitive details. This helps them field inquiries appropriately and prevents misinformation from spreading through informal channels.
Every communication regarding a data breach carries potential legal implications. Consequently, all messages must undergo thorough legal review before release.
Your legal team should evaluate communications to ensure they:
Documentation of all breach-related communications is essential, as these records may be scrutinized during regulatory investigations or litigation. Maintain detailed logs of when and how notifications were sent, to whom, and what information they contained.
Remember that breach notification laws in all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands mandate specific notification requirements, and they differ in what counts as personal information, who must be notified, and by when. Your legal team must ensure compliance with each applicable jurisdiction.
The aftermath of a data breach extends far beyond the initial incident response. In 2024, the average cost of a data breach reached an all-time high of $4.88 million, marking a 10% increase from the previous year. Understanding these costs is essential for creating effective recovery strategies.
The financial impact of a breach involves both direct and indirect costs. Direct expenses include incident response, legal fees, customer notifications, and regulatory fines. In addition, post-breach activities and lost business now account for $2.8 million of the total average breach cost.
Even more concerning, eight out of ten companies discover their cyber insurance doesn't fully cover breach expenses. On average, each insurance gap leaves more than three-quarters of a breach uncovered, resulting in approximately $27.3 million in uncovered losses per incident. As an example, Capital One faced $65 million in uncovered damages despite receiving $73 million through insurance.
Companies should verify whether their policies include:
Perhaps the most devastating long-term impact comes from damaged customer relationships. A staggering 75% of consumers would stop purchasing from a brand following a cyber incident. This translates directly to revenue loss, with businesses facing an average of $1.3 million in lost sales associated with an incident.
The stock market responds swiftly as well—publicly traded companies experience an average 7.5% drop in stock values after a breach, with an average market cap loss of $5.4 billion. For smaller businesses without substantial financial reserves, these combined losses often prove fatal.
Operational recovery from a breach is increasingly challenging amid growing cybersecurity talent shortages. More than half of breached organizations now face severe security staffing shortages—a 26.2% increase from the previous year. This skills deficit adds approximately $1.76 million in additional breach costs.
Meanwhile, business operations often grind to a halt during recovery. According to Veeam's research, downtime costs average $88,000 per hour or $1,467 per minute. Furthermore, recovery is rarely quick—more than 75% of fully recovered organizations take over 100 days to restore operations.
These statistics highlight why a comprehensive response plan is not optional; for many organizations it is the difference between recovery and closure.
Recovering from a breach requires a structured approach that extends beyond immediate containment. Initially, your focus should be on understanding what happened and preventing recurrence.
Post-breach analysis is vital for understanding attack vectors and compromised data. Preserve evidence meticulously in a forensically sound manner for potential legal proceedings and thorough documentation. Hiring specialized forensic investigators helps determine breach scope and capture forensic images of affected systems. This evidence may prove critical for litigation, insurance claims, and understanding breach mechanics.
Once the investigation identifies the vulnerabilities that were exploited, remediate them immediately: patch the affected systems, close the initial access path, and rotate any credentials, keys, and tokens the attacker could have accessed, since patching alone does not evict an intruder who still holds valid secrets. Then implement a layered security approach, starting with fundamental controls. Frameworks such as the CIS Critical Security Controls give a prioritized, systematic way to reduce exposure.
Given that human error drives most breaches, comprehensive security awareness training is essential. Regular phishing simulations test staff responsiveness to social engineering tactics. Well-executed training embeds effective security practices throughout your organization.
Revise security policies to reflect new safeguards and lessons learned. Strengthen data governance with clear rules on how information is used, stored, and protected. Shift from reactive to proactive stance by incorporating insights from each incident. Schedule regular reviews to maintain a strong security posture.
Data breaches represent an existential threat to businesses of all sizes. Throughout this guide, you've seen how a comprehensive response plan can mean the difference between recovery and closure. Most companies fail after breaches not because of the initial attack, but due to inadequate response strategies and unexpected costs that quickly spiral beyond control.
Speed certainly matters when responding to incidents. Companies that detect and contain breaches faster save an average of $1.12 million compared to those with longer discovery times. Your organization must therefore balance immediate containment with methodical evidence preservation to support investigations and potential legal proceedings.
Financial preparation also deserves your attention. Despite insurance coverage, significant gaps often leave businesses responsible for millions in uncovered losses. These expenses, combined with operational disruptions averaging $88,000 per hour of downtime, explain why 60% of small businesses close within six months of an attack.
Customer trust, once lost, proves exceedingly difficult to regain. Three-quarters of consumers stop purchasing from brands following security incidents, creating a revenue cliff that many companies cannot survive. Your transparent communication strategy thus becomes as important as your technical response.
The stark reality remains that data breaches will continue to target businesses regardless of size or industry. Your preparation decisions today determine whether your organization will join the 40% that survive or the majority that fail. Implementing comprehensive security controls, training staff effectively, and maintaining updated incident response plans accordingly transforms potential catastrophes into manageable events.
Remember that surviving a data breach requires both technical expertise and strategic communication. Though perfect security remains impossible, perfect preparation remains entirely within your control.
Don't wait for a data breach to happen. Start preparing your organization today with comprehensive incident response planning and threat monitoring.
Our platform provides continuous monitoring, dark web surveillance, and automated incident response capabilities to help you detect and respond to breaches faster.
This article is part of our ongoing series on emerging cybersecurity threats. Stay updated with the latest threat intelligence insights by following our blog and subscribing to our security alerts.