Marriott Had 383 Million Records Exposed — And No Clear Playbook

When Marriott disclosed its massive breach in 2018, the company revealed that attackers had been inside Starwood's reservation system since 2014 — four years of undetected access to 383 million guest records. The breach cost Marriott over $28 million in direct costs and triggered regulatory actions across multiple countries. One of the most damning findings? The incident response was chaotic because the company lacked a well-rehearsed data breach response plan that accounted for inherited infrastructure from an acquisition.

I've watched organizations of every size stumble through the same chaos. The ones that survive a breach with their reputation and finances intact aren't the ones with the biggest budgets — they're the ones who built and practiced a response plan before they needed it. That's exactly what this guide covers: the specific, practical steps to build a data breach response plan that works when your phone rings at 2 AM on a Saturday.

What Is a Data Breach Response Plan?

A data breach response plan is a documented, step-by-step playbook that tells your organization exactly what to do when a threat actor gains unauthorized access to sensitive data. It covers who does what, when they do it, who they notify, and how they contain the damage. Think of it as the fire evacuation plan for your data — nobody reads it until the building is burning, which is exactly why you need to rehearse it beforehand.

A strong plan addresses detection, containment, eradication, notification, recovery, and post-incident review. It names specific people, not just roles. It includes phone numbers, not just org charts. And critically, it accounts for the legal, regulatory, and communications obligations that kick in the moment you confirm a breach.

The $4.24M Reason You Can't Wing It

IBM's 2021 Cost of a Data Breach Report found the average breach cost hit $4.24 million — the highest in 17 years of the study. But here's the number that should grab your attention: organizations with an incident response team and a tested plan saved an average of $2.46 million per breach compared to those without.

That's not a marginal difference. That's the difference between a survivable incident and an existential one for a mid-sized company. The Verizon 2021 Data Breach Investigations Report confirmed that 85% of breaches involved a human element — phishing, credential theft, social engineering — meaning the incidents your plan needs to address are predictable, even if their timing isn't.

Every day I see organizations that assume their IT team will "figure it out" when something happens. In my experience, improvised responses lead to missed notification deadlines, destroyed forensic evidence, and public statements that make lawyers wince.

Six Components Every Data Breach Response Plan Needs

1. A Defined Incident Response Team

Your plan needs named individuals, not just job titles. Include your CISO or IT lead, legal counsel, communications/PR lead, HR representative, and an executive sponsor with authority to make financial decisions fast. List their cell phones, personal emails, and backup contacts. I've seen response efforts stall because the primary contact was on vacation and nobody knew who the alternate was.

If you don't have in-house forensics capability, pre-negotiate a retainer with a digital forensics firm. Trying to find and onboard a forensics team during an active breach wastes days you don't have.

2. Detection and Classification Criteria

Not every security alert is a breach. Your plan needs clear criteria for classifying incidents by severity. A single employee clicking a phishing link and immediately reporting it is different from discovering a threat actor has been exfiltrating customer records for six months.

Define at least three severity tiers with specific triggers. Tier 1 might be a contained malware infection on a single endpoint. Tier 3 is confirmed unauthorized access to regulated data — PII, PHI, financial records — with evidence of exfiltration. Each tier should trigger different response actions and escalation paths.

3. Containment and Eradication Procedures

The first instinct most people have during a breach is to shut everything down. That instinct often destroys volatile forensic evidence — memory dumps, active network connections, running processes — that investigators need to understand the scope of the compromise.

Your plan should specify containment steps: isolating affected systems from the network without powering them off, blocking known malicious IPs at the firewall, resetting compromised credentials, and revoking active sessions. For ransomware scenarios, include guidance on whether to preserve encrypted systems for forensic imaging before attempting any recovery.

4. Notification Requirements and Timelines

This is where organizations get into serious legal trouble. As of early 2022, all 50 U.S. states have breach notification laws, each with different triggers, timelines, and definitions of personal information. GDPR requires notification to supervisory authorities within 72 hours. HIPAA has its own rules. If you operate across state or national lines, your notification obligations are a patchwork that requires legal expertise.

Your plan should include a matrix: what type of data was compromised, which regulations apply, which authorities must be notified, and the deadline for each. Pre-draft notification letter templates for customers, employees, regulators, and business partners. When you're in the middle of an incident, drafting from scratch under deadline pressure leads to mistakes.

CISA maintains resources on incident reporting that should be part of your reference materials: https://www.cisa.gov/reporting.
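As an added example (not code from the article), here is a small Python triage helper that encodes the severity tiers from component 2 and the notification matrix from component 4: it classifies an incident, names who gets escalated to, and computes each applicable regulator deadline. Only the Tier 1 and Tier 3 triggers and GDPR's 72-hour clock come from the text; the Tier 2 definition, the escalation lists, the jurisdiction mapping, and the HIPAA and state-law placeholder clocks are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
REGULATED = {"PII", "PHI", "financial"}  # data classes the article treats as regulated

# Regulation -> (jurisdictions, data types covered, hours to notify the regulator).
# Only GDPR's 72-hour clock is from the article; the HIPAA and US state-law entries
# are placeholders (None) that counsel must fill in for your organization.
NOTIFY_RULES = {
    "GDPR": ({"EU"}, {"PII"}, 72),
    "HIPAA": ({"US"}, {"PHI"}, None),
    "US_STATE_LAW": ({"US"}, {"PII", "financial"}, None),
}
# Assumed escalation path per tier (illustrative, not from the article).
ESCALATION = {1: ["IT lead"], 2: ["IT lead", "CISO", "legal counsel"],
              3: ["IT lead", "CISO", "legal counsel", "communications lead", "executive sponsor"]}

@dataclass(frozen=True)
class Incident:
    hosts_affected: int
    contained: bool
    data_types: frozenset         # e.g. frozenset({"PII"})
    exfiltration_confirmed: bool
    jurisdictions: frozenset      # e.g. frozenset({"EU", "US"})
    confirmed_at: datetime        # timezone-aware moment the incident was confirmed

def classify(inc: Incident) -> int:
    """Tier 3: regulated data with confirmed exfiltration. Tier 1: contained, single
    endpoint, no regulated data. Tier 2 (assumed definition): everything in between."""
    regulated = bool(inc.data_types & REGULATED)
    if regulated and inc.exfiltration_confirmed:
        return 3
    if inc.hosts_affected <= 1 and inc.contained and not regulated:
        return 1
    return 2

def notification_deadlines(inc: Incident) -> dict:
    """Applicable regulation -> deadline, or None where the clock is still a placeholder."""
    out = {}
    for reg, (juris, covered, hours) in NOTIFY_RULES.items():
        if inc.jurisdictions & juris and inc.data_types & covered:
            out[reg] = inc.confirmed_at + timedelta(hours=hours) if hours else None
    return out

SAMPLES = {  # constructed sample incidents (not real cases) for demonstration
    "exfil": Incident(3, False, frozenset({"PII"}), True, frozenset({"EU", "US"}),
                      datetime(2022, 3, 1, 2, 0, tzinfo=timezone.utc)),
    "phish_click": Incident(1, True, frozenset(), False, frozenset({"US"}),
                            datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc)),
}
```

A Tier 3 incident confirmed at 02:00 UTC on 1 March therefore carries a GDPR deadline of 02:00 UTC on 4 March, while the state-law entry stays None until counsel supplies the clock.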

5. Communications Playbook

Silence after a breach is catastrophic. Inaccurate statements are worse. Your plan needs pre-approved messaging frameworks and a clear chain of approval for external communications.

Designate a single spokesperson. Everyone else on the team — especially technical staff — should know to redirect all media and customer inquiries to that person. I've seen breaches where an engineer's off-the-cuff remark to a reporter contradicted the company's official statement, creating a credibility crisis on top of a security crisis.

Include holding statements that acknowledge the situation without overcommitting on details you haven't confirmed yet. Something like: "We are aware of a security incident, have engaged forensic experts, and are working to determine the scope. We will provide updates as our investigation progresses."

6. Post-Incident Review Process

After the Colonial Pipeline ransomware attack in May 2021, the entire industry watched what happens when critical infrastructure lacks both preventive controls and post-incident resilience. Colonial paid a $4.4 million ransom — the FBI later recovered roughly $2.3 million of it — but the reputational and operational damage was done.

Your plan must include a formal post-incident review within 30 days of resolution. Document what happened, how it was detected, what worked in the response, what failed, and specific corrective actions with owners and deadlines. This isn't a blame exercise. It's how you make sure the same attack doesn't work twice.

Where Most Response Plans Fail

They Exist on Paper But Never Get Tested

A plan that sits in a SharePoint folder collecting dust isn't a plan — it's a liability. The organizations that handle breaches well run tabletop exercises at least twice a year. These are structured walkthroughs where the response team works through a realistic scenario: "It's Tuesday at 4 PM, your EDR tool flags mass file encryption on three servers in your finance department. Go."

Tabletop exercises expose gaps you can't find by reading the document. They reveal that your legal counsel doesn't know the notification timeline for your state, that your communications lead has never written a breach notification, or that your backup contact list hasn't been updated since 2019.

They Ignore the Human Element

The Verizon DBIR has consistently shown that social engineering and credential theft are the top attack vectors leading to data breaches. Your response plan must connect to your prevention strategy. If your employees can't recognize a phishing email, you'll be executing your response plan far more often than you'd like.

Building a culture of security awareness is the most cost-effective prevention measure available. Organizations that invest in cybersecurity awareness training for their workforce see measurably fewer successful social engineering attacks. Pair that with dedicated phishing awareness training that includes realistic phishing simulations, and you're addressing the root cause of most breaches before they happen.

They Don't Account for Zero Trust Principles

Many breach response plans still assume a perimeter-based security model — once you're inside the network, you're trusted. That assumption is how Marriott's attackers operated undetected for four years. Your plan should reference your zero trust architecture or, if you haven't implemented one, flag that gap as a critical finding.

Zero trust means verifying every access request regardless of source, enforcing multi-factor authentication everywhere, and implementing least-privilege access. When a breach occurs in a zero trust environment, lateral movement is harder for attackers and containment is faster for defenders.

Building Your Plan: A Practical Starting Point

If you're starting from scratch, here's the sequence I recommend:

  • Week 1: Identify your incident response team members and alternates. Get their buy-in and current contact information.
  • Week 2: Inventory your regulated data — where it lives, who has access, and what compliance frameworks apply.
  • Week 3: Map your notification obligations by data type and jurisdiction. Engage legal counsel for this step.
  • Week 4: Draft the plan document using the six components above. Keep it concise — 15-20 pages max, not including appendices.
  • Week 5: Review the plan with all team members. Revise based on their input.
  • Week 6: Run your first tabletop exercise. Document findings and update the plan.

Then put it on the calendar: tabletop exercises every six months, full plan review annually, and ad-hoc reviews after any significant incident or organizational change.

NIST's Computer Security Incident Handling Guide (SP 800-61 Rev. 2) is the gold standard framework for building your plan: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final.

Ransomware Demands Special Attention in Your Plan

Ransomware isn't just a technical problem — it's a business continuity crisis. The FBI's Internet Crime Complaint Center (IC3) reported over 3,700 ransomware complaints in 2021 with adjusted losses exceeding $49 million, and those numbers represent a fraction of actual incidents since many go unreported.

Your data breach response plan needs a specific ransomware annex that addresses: isolation procedures to prevent spread, backup verification and restoration processes, the decision framework for ransom payment (the FBI advises against paying but acknowledges it's a business decision), law enforcement notification via IC3, and communication with customers whose data may be exposed on leak sites.

Pre-determine your organization's position on ransom payment before you're staring at a ransom note. That decision involves your CEO, CFO, legal counsel, and insurance carrier — not your IT team under duress at midnight.

Your Plan Is Only as Good as Your Last Rehearsal

I've reviewed hundreds of incident response plans over my career. The difference between organizations that weather a breach and those that get destroyed by one comes down to three things: they wrote the plan, they practiced the plan, and they updated the plan.

The threat landscape in 2022 is more aggressive than ever. Threat actors are faster, more organized, and increasingly targeting small and mid-sized businesses that assume they're too small to be a target. The FBI IC3's 2021 report showed over $6.9 billion in reported cybercrime losses — a 64% increase over 2020.

Start building your data breach response plan this week. Not next quarter. Not after your next board meeting. This week. Inventory your team, map your data, understand your obligations, and write it down. Then test it — because the worst time to discover your plan doesn't work is when you're already bleeding data.