Data Theft / Privacy: First 24 Hours
Use this playbook when you see unusual data movement: large outbound transfers, unexpected cloud storage activity, odd access to file shares, or alerts suggesting sensitive data may have been exfiltrated.

First 24 Hours Timeline
T+0–15 minutes
- Confirm data exfiltration indicators (logs, alerts, monitoring tools).
- Isolate affected accounts or systems without destroying evidence.
- Preserve initial log sources and open an incident record with timestamp, owner, and objectives.
T+15–60 minutes
- Classify data types accessed: PII, PHI, PCI, IP, contracts, customer data.
- Engage breach counsel to assess notification obligations by jurisdiction and contract.
- Audit access logs and cloud activity for the last 24–48 hours to determine scope.
T+1–4 hours
- Draft a preliminary regulator/customer notification (hold until facts are sufficient).
- Prepare FAQs and customer support escalation plan if sensitive data is confirmed stolen.
- Engage vendors for log preservation (cloud, SaaS, MSPs).
T+4–24 hours
- Decide notification triggers: jurisdictional laws, contractual SLAs, insurance requirements.
- Coordinate with identity protection vendors if activation is likely.
- Finalize stakeholder comms cadence and recovery plan for impacted services/data.
Do / Don’t
- Do: Preserve logs, involve counsel, assess jurisdictions, prepare customer support capacity.
- Don’t: Assume the theft is limited, delay counsel engagement, or disclose before facts are confirmed.
Evidence to Preserve
- Authentication and access logs for impacted accounts/services.
- Data transfer logs (firewall, proxy, SaaS export history).
- Cloud storage metadata (object access, downloads, sharing).
- System snapshots showing unauthorized exfiltration activity.
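The scoping step in the T+15–60 minute window and the transfer and cloud-storage log sources listed above both assume someone can turn raw access records into a per-account picture of what left the environment. The Python script below is an added example, not part of this playbook: it assumes a constructed JSON-lines log format, assumed internal address ranges, and a 256 MiB threshold, and it flags principals that moved classified objects to external destinations inside the 48-hour lookback, producing the data-type list the classification step needs.

```python
# Added example (not the playbook's own tooling): scope triage over cloud-storage
# access logs. The log format (JSON lines: ts, principal, action, object, bytes,
# dest_ip, classification) and INTERNAL_NETS are assumptions; real exports such
# as S3 server access logs or SaaS audit trails need their own parse_records().
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample: bulk PII/PCI pull to an external address (alice), a normal
# internal read (bob), a small external share (carol), and one stale April record.
SAMPLE_LOG = """
{"ts":"2024-05-02T09:00:00+00:00","principal":"alice","action":"GetObject","object":"hr/payroll-2024.csv","bytes":524288000,"dest_ip":"203.0.113.7","classification":"PII"}
{"ts":"2024-05-02T09:05:00+00:00","principal":"alice","action":"GetObject","object":"finance/cardholder-export.csv","bytes":734003200,"dest_ip":"203.0.113.7","classification":"PCI"}
{"ts":"2024-05-02T10:00:00+00:00","principal":"bob","action":"GetObject","object":"docs/handbook.pdf","bytes":2048000,"dest_ip":"10.0.0.5","classification":"internal"}
{"ts":"2024-04-20T08:00:00+00:00","principal":"alice","action":"GetObject","object":"hr/payroll-2023.csv","bytes":500000000,"dest_ip":"203.0.113.7","classification":"PII"}
{"ts":"2024-05-01T22:00:00+00:00","principal":"carol","action":"Share","object":"legal/contracts-q1.zip","bytes":104857600,"dest_ip":"198.51.100.20","classification":"contracts"}
"""
SAMPLE_NOW = datetime(2024, 5, 2, 12, tzinfo=timezone.utc)  # constructed incident-declared time
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_ACTIONS = {"GetObject", "Download", "Share"}  # actions that move data outward

def parse_records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def scope(records, now, hours=48, threshold_bytes=256 * 1024**2):
    """Per-principal egress in the lookback window, plus the subset that moved at
    least threshold_bytes to an external destination (the scoping output)."""
    cutoff = now - timedelta(hours=hours)
    totals = defaultdict(lambda: {"bytes": 0, "objects": set(), "classes": set(), "external": False})
    for rec in records:
        if rec["action"] not in EGRESS_ACTIONS or datetime.fromisoformat(rec["ts"]) < cutoff:
            continue
        entry = totals[rec["principal"]]
        entry["bytes"] += rec.get("bytes", 0)
        entry["objects"].add(rec["object"])
        entry["classes"].add(rec["classification"])
        entry["external"] = entry["external"] or is_external(rec["dest_ip"])
    flagged = {p: e for p, e in totals.items() if e["external"] and e["bytes"] >= threshold_bytes}
    return dict(totals), flagged

def data_types_in_scope(flagged):
    """Classifications touched by flagged principals: feeds the PII/PHI/PCI/IP step."""
    return sorted(set().union(*(e["classes"] for e in flagged.values()))) if flagged else []

if __name__ == "__main__":
    _, flagged = scope(parse_records(SAMPLE_LOG), SAMPLE_NOW)
    for principal, entry in flagged.items():
        print(f"{principal}: {entry['bytes'] / 1e6:.0f} MB external, objects={sorted(entry['objects'])}")
    print("data types in scope:", data_types_in_scope(flagged))
```

The stale April record and bob's internal read drop out; only alice crosses the threshold to an external address, so the incident record gets PII and PCI as the data types in scope.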
Communications Stub
Internal (executive/staff): “We have identified potential unauthorized data access and are investigating scope. Please do not share externally until legal and communications teams provide guidance.”
External (holding statement): “We are investigating unauthorized access to certain data. At this stage we are working with counsel and regulators to determine scope and required notifications. Updates will follow.”
Metrics & Decision Gates
- Data classification complete? (PII/PHI/PCI/IP).
- Notification triggers met? (jurisdictional laws, contracts).
- Customer/vendor communication drafted and reviewed by counsel?
- Identity protection vendors engaged if needed?
Data Theft & Privacy Incident FAQs
What is considered a data theft or privacy incident?
- A data theft or privacy incident occurs when sensitive, regulated, or confidential information is accessed, exfiltrated, or exposed without authorization. This may include customer data, employee records, financial information, intellectual property, or system credentials.
What should we do first if we suspect data theft?
- Immediately secure the affected accounts and systems, preserve logs, capture evidence, and switch to a trusted communications channel. Avoid reimaging or restoring systems until forensic teams identify what was accessed or taken.
How do we confirm what data was accessed or stolen?
- Work with IT, SecOps, or forensic investigators to review logs, file access records, cloud audit trails, and endpoint telemetry. Identify which datasets were accessed, downloaded, transferred, or synchronized to external locations.
Do we have to notify customers or employees after a data theft?
- Often yes. Notification depends on the type of data involved (such as PII, PHI, payment data), applicable privacy laws, and contractual obligations. Legal or breach counsel can help determine who must be notified and the required timelines.
Are we required to notify regulators?
- Many privacy laws (state, federal, and international) require formal reporting when certain data types are compromised. The timeline can be as short as 24–72 hours. Your legal team or breach counsel should evaluate your jurisdictional obligations immediately.
What if stolen data is posted online?
- If data appears on dark-web or public sites, you may need to engage specialized monitoring, coordinate with law enforcement, notify affected individuals, and prepare customer support resources. Do not attempt to engage directly with threat actors.
How do we contain a privacy incident without destroying evidence?
- Isolate affected systems or accounts, block malicious IPs or tokens, and revoke compromised credentials—while avoiding changes that overwrite logs or clean up artifacts needed for investigation.
How can tabletop exercises help us prepare for a data theft incident?
- Privacy tabletop exercises help leadership, legal, HR, IT, and communications practice the full lifecycle of a data theft event: scoping, decision-making, notification, regulatory reporting, and external communications. They identify gaps before a real incident occurs.