Tom Cedoz

Checklist · Cross-practice

Data Incident: The First 48 Hours

The instinct in the first hours is to make the problem go away — rebuild the server, send a reassuring note, get back to work. Each instinct destroys something you will need later: the forensic record, and your own credibility on scope. This checklist is about moving fast on what is reversible and slow on what is not.

Updated June 2026 · 24 items · Prints to 2 pages

Hour 0: activate, don’t improvise

The first decisions set the trajectory for everything that follows. Work the response plan you wrote in calmer times rather than inventing one under pressure. If a step below is already automated or owned by a named person, good — the checklist is a backstop, not a substitute.

Engage counsel before the investigation runs

The sequence matters. Bringing counsel in early — before the forensic work begins — is what lets the investigation be directed by counsel and gives you a basis to assert privilege over the investigative work product. Retaining forensics through counsel, rather than as an ordinary IT purchase, is a pattern many in-house teams find useful for the same reason. Privilege over an incident investigation is fact-specific and has been contested in the courts; structure for it early and confirm the current standard in your jurisdiction.

Contain — without destroying the evidence

This is the hardest balance in the first day. Stop the bleeding, but preserve the crime scene. The reflex to wipe and rebuild a compromised machine is the single most common way organizations destroy the record of what actually happened.

Scope methodically — before anyone asks “how bad?”

Notification obligations, regulator exposure, and contractual duties all turn on facts you do not yet have. Build the scope picture deliberately and resist the pressure to characterize it early.

  1. What data was affected?

    Categories matter more than volume at this stage. Personal data, protected health information, financial account data, credentials, and trade secrets each carry different obligations.

  2. Whose data, and how many individuals?

    Many breach-notification duties are counted per individual and per category. A rough, honest range beats a precise-sounding guess.

  3. Which states’ residents are implicated?

    Obligations usually follow where the affected individuals reside, not where you are. One incident can pull in many state regimes at once.

  4. Which regulators and contracts are in play?

    Sector rules (for example, HIPAA for protected health information) and customer-contract notice clauses add duties on top of state law — sometimes with shorter fuses.

Notify the people you’re obligated to — in the right order

Hold the line on communications

The two mistakes that cost the most

Almost every painful data-incident matter traces back to one of two early errors. The first is wiping or rebuilding systems before they are forensically imaged — which destroys the evidence of what actually happened and leaves you unable to prove scope or rule out worse. The second is describing the incident’s scope before you actually know it — because every early statement is discoverable, and the early ones are almost always wrong. Move fast on containment and preservation; move slowly on rebuilds and on the word “only.”