When MGM Resorts got hit in September 2023, the chaos lasted ten days. Hotel room keys stopped working. Slot machines went dark. Reservation systems crashed. The estimated cost topped $100 million. And here's the part that stings — the initial compromise reportedly started with a social engineering call to the help desk. A threat actor convinced an employee to reset credentials. The rest was catastrophic. MGM had security tools. What they needed was a data breach response plan that accounted for human-layer failures and moved faster than the attackers.

This post is the playbook I wish more organizations had before the call comes in. Whether you're a 50-person company or a Fortune 500, I'll walk you through every phase of building and testing a response plan that actually holds up when things go sideways.

Why Most Data Breach Response Plans Fail Under Pressure

I've reviewed dozens of incident response documents over the years. Most share the same fatal flaw: they read like policy papers, not operational guides. When a breach hits at 2 a.m. on a Saturday, nobody's reading a 40-page PDF.

According to IBM's 2023 Cost of a Data Breach Report, the global average cost of a data breach reached $4.45 million, the highest figure the report had ever recorded. Organizations with high levels of incident response planning and testing saved an average of $1.49 million per breach compared with those that had low levels.

That's not a rounding error. That's the difference between recovering and closing your doors.

The plans that fail share common traits: vague role assignments, no communication templates, untested escalation paths, and zero consideration for after-hours scenarios. The plans that work are short, specific, and rehearsed.

The 6 Phases of an Effective Data Breach Response Plan

Every credible framework breaks incident response into phases: NIST SP 800-61 uses four, SANS uses six, and CISA's playbooks build on NIST's. I've adapted these into six stages that map to what actually happens when the alarm goes off.

Phase 1: Preparation — Before Anything Goes Wrong

This is where your data breach response plan lives or dies. Preparation means you've already answered these questions:

  • Who is on the response team, and what's their after-hours contact info?
  • Who has authority to isolate systems, shut down network segments, or contact law enforcement?
  • Where are your asset inventories and network diagrams stored — offline?
  • Do you have retainer agreements with external forensics firms and legal counsel?
  • Have your employees completed cybersecurity awareness training in the last 12 months?

Preparation also means running phishing simulations regularly. Stolen credentials were the top way into organizations in the Verizon 2023 Data Breach Investigations Report, involved in nearly half of breaches, and phishing is how a large share of them get stolen. If your people can't spot a phishing email, your plan starts with a handicap.

Phase 2: Detection and Identification

You can't respond to what you can't see. Per IBM's 2023 report, the mean time to identify a breach was 204 days, and containing it took another 73 days on average. Those numbers should terrify you.

Detection depends on a combination of technical controls (SIEM, EDR, network monitoring) and human reporting. Your employees are sensors. When someone says "this email looks weird" or "I think I clicked something I shouldn't have," that's detection in action — but only if they know how to report it and feel safe doing so.

Build a simple, well-publicized internal reporting channel. Slack channel, dedicated email alias, phone number — whatever works for your culture. Then make sure every report gets triaged within a defined SLA, even if it's a false alarm.
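The help-desk reset scenario from the opening is a good test of whether your technical detection actually works. The following is an added example, not code from the original post: a small Python correlation rule that watches for a password reset performed by someone other than the account owner and flags what the account does in the next hour. The event records are constructed for the demo, and the field names (ts, type, user, actor, ip, method) are assumptions you would map onto your own IdP or SIEM schema.

```python
from datetime import datetime, timedelta

# How long after a help-desk reset we keep watching the account.
WINDOW = timedelta(minutes=60)

# Constructed sample events for this example; not real telemetry. The field
# names (ts, type, user, actor, ip, method) are assumptions to map onto your
# own IdP or SIEM schema.
SAMPLE_EVENTS = [
    # Baseline sign-ins that establish where each user normally comes from.
    {"ts": "2023-09-01T08:05:00Z", "type": "login", "user": "jdoe", "ip": "10.0.5.20"},
    {"ts": "2023-09-05T08:12:00Z", "type": "login", "user": "jdoe", "ip": "10.0.5.20"},
    {"ts": "2023-09-01T09:00:00Z", "type": "login", "user": "asmith", "ip": "10.0.7.44"},
    # Benign: help desk resets asmith, who signs back in from the usual host.
    {"ts": "2023-09-08T10:00:00Z", "type": "password_reset", "user": "asmith", "actor": "helpdesk.tier1"},
    {"ts": "2023-09-08T10:06:00Z", "type": "login", "user": "asmith", "ip": "10.0.7.44"},
    # Suspicious: reset, then a sign-in from a never-seen address and a new MFA device.
    {"ts": "2023-09-08T14:02:11Z", "type": "password_reset", "user": "jdoe", "actor": "helpdesk.tier1"},
    {"ts": "2023-09-08T14:09:45Z", "type": "login", "user": "jdoe", "ip": "203.0.113.77"},
    {"ts": "2023-09-08T14:11:02Z", "type": "mfa_enroll", "user": "jdoe", "ip": "203.0.113.77", "method": "totp"},
    # Outside the window: a reset followed hours later by an unfamiliar sign-in is not correlated.
    {"ts": "2023-09-09T16:00:00Z", "type": "password_reset", "user": "asmith", "actor": "helpdesk.tier1"},
    {"ts": "2023-09-09T18:30:00Z", "type": "login", "user": "asmith", "ip": "198.51.100.9"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_reset_abuse(events, window=WINDOW):
    """Correlate help-desk password resets with what the account does next.

    A reset performed by someone other than the account owner is the trigger.
    Within `window` of it, a sign-in from an IP that user had never used before
    the reset raises a high alert; enrolling a new MFA method raises a critical
    one, because that is how an intruder turns a one-time reset into persistent
    access. Returns a list of alert dicts.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    seen_ips = {}  # user -> IPs observed in sign-ins earlier in the stream
    alerts = []
    for i, ev in enumerate(events):
        # A missing actor is treated as a self-service reset and ignored.
        if ev["type"] == "password_reset" and ev.get("actor", ev["user"]) != ev["user"]:
            reset_at = parse_ts(ev["ts"])
            baseline = set(seen_ips.get(ev["user"], set()))
            for follow in events[i + 1:]:
                at = parse_ts(follow["ts"])
                if at - reset_at > window:
                    break  # events are sorted, so nothing later can be in the window
                if follow["user"] != ev["user"]:
                    continue
                minutes = int((at - reset_at).total_seconds() // 60)
                if follow["type"] == "login" and follow["ip"] not in baseline:
                    alerts.append({
                        "user": ev["user"], "severity": "high",
                        "reason": f"sign-in from never-seen IP {follow['ip']} {minutes} min after help-desk reset by {ev['actor']}",
                        "reset_ts": ev["ts"], "event_ts": follow["ts"],
                    })
                elif follow["type"] == "mfa_enroll":
                    alerts.append({
                        "user": ev["user"], "severity": "critical",
                        "reason": f"new MFA method ({follow.get('method', '?')}) enrolled {minutes} min after help-desk reset by {ev['actor']}",
                        "reset_ts": ev["ts"], "event_ts": follow["ts"],
                    })
        if ev["type"] == "login":
            seen_ips.setdefault(ev["user"], set()).add(ev["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_reset_abuse(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['user']}: {alert['reason']}")
```

Run against the sample stream, the rule stays quiet for the two legitimate resets and raises two alerts for jdoe. The baseline here is just "IPs this user signed in from before the reset"; in production you would feed it weeks of history and widen the trigger to include any reset or MFA change made by a help-desk or admin account.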

Phase 3: Containment

Containment is where speed matters most. I break this into short-term and long-term containment.

Short-term containment happens in the first minutes and hours. Isolate affected systems, disable compromised accounts, block attacker infrastructure. Isolate at the network or EDR layer rather than powering machines off: a shutdown discards memory, running processes, and active connections that the investigation will need. The goal is to stop the bleeding without destroying evidence.

Long-term containment involves standing up clean systems, applying patches, and implementing temporary network segmentation while the investigation continues. If ransomware is involved, this phase determines whether you're looking at days of downtime or weeks.

One critical mistake I see: companies skip containment and jump straight to "wipe everything and rebuild." That destroys forensic evidence you'll need for legal obligations, insurance claims, and law enforcement cooperation.

Phase 4: Eradication

Once you've contained the threat, you need to eliminate the root cause. That means identifying every persistence mechanism — backdoors, scheduled tasks, rogue accounts, compromised credentials — and removing them.

If the initial attack came through a phishing email that led to credential theft, eradication means resetting every potentially compromised credential, revoking active sessions and refresh tokens (a password change alone does not end them), removing any MFA devices the attacker may have enrolled, and verifying that multi-factor authentication is enforced across all critical systems. If MFA wasn't in place before the breach, this is when it gets deployed. No exceptions.

Eradication also means patching the vulnerability that was exploited. If a threat actor got in through an unpatched VPN appliance, that fix can't wait for the next maintenance window.

Phase 5: Recovery

Recovery is the phase where systems come back online — carefully. Don't rush it. Bring systems back in stages, monitor them closely for signs of re-compromise, and validate data integrity before restoring user access.

This is also where your backup strategy gets tested for real. If you've been following the 3-2-1 backup rule (three copies, two different media, one offsite) and at least one copy is offline or immutable, recovery is painful but possible. If your backups were reachable from the same network that got encrypted by ransomware, you're starting from scratch. Test restores before you need them; a backup you've never restored is an assumption.

Phase 6: Post-Incident Review

The teams that get better are the ones that run honest post-mortems. Not blame sessions — learning sessions. What worked? What broke? Where did the plan have gaps?

Document everything. Update the plan. Then train on the updates. This phase feeds directly back into Phase 1.

What Should a Data Breach Response Plan Include?

If you're searching for what belongs in a data breach response plan, here's the concise answer. Your plan should include:

  • Defined roles and responsibilities — name specific people, not just titles
  • Contact lists — internal team, legal counsel, forensics firm, insurance carrier, law enforcement (FBI IC3, local field office), and your state attorney general's office
  • Classification criteria — how you determine severity levels and what triggers full activation
  • Communication templates — pre-drafted notifications for customers, regulators, employees, and media
  • Regulatory notification timelines — mapped to every jurisdiction where you hold personal data
  • Evidence preservation procedures — chain of custody requirements for forensic integrity
  • Recovery procedures — system restoration priority and validation steps
  • Post-incident review checklist — structured debrief and plan revision process

Keep the core document under 15 pages. Put the details in appendices.
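The "don't destroy evidence" warning from the containment phase and the chain-of-custody item above come down to one habit: hash what you collect the moment you collect it, record who handled it, and re-verify before anyone relies on it. Here is what that looks like in practice, as an added example rather than anything from the original post: a small Python tool that builds a hash manifest for collected artifacts, appends custody entries at each handoff, and re-verifies the files later. The case ID, analyst names and file contents are constructed for the demo.

```python
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so disk images and memory dumps need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def items_digest(items):
    """Digest over the canonical JSON of the item list, so the list itself is tamper-evident."""
    canonical = json.dumps(items, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(case_id, collector, paths):
    """Record who collected which artifacts, on which host, when, and their hashes."""
    items = [
        {"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
        for p in sorted(paths)
    ]
    return {
        "case_id": case_id,
        "collected_on": socket.gethostname(),
        "items": items,
        "items_digest": items_digest(items),
        "custody": [{"event": "collected", "by": collector, "at": utc_now()}],
    }


def record_handoff(manifest, from_person, to_person, purpose):
    """Append a chain-of-custody entry every time the evidence changes hands."""
    manifest["custody"].append({
        "event": "transferred", "from": from_person, "to": to_person,
        "purpose": purpose, "at": utc_now(),
    })
    return manifest


def verify_manifest(manifest):
    """Re-hash every artifact. Returns (ok, problems); problems is a list of
    {"path", "issue"} dicts for altered, truncated or missing files."""
    problems = []
    if items_digest(manifest["items"]) != manifest["items_digest"]:
        problems.append({"path": "<manifest>", "issue": "item list altered"})
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.exists(path):
            problems.append({"path": path, "issue": "missing"})
        elif os.path.getsize(path) != item["size"] or sha256_file(path) != item["sha256"]:
            problems.append({"path": path, "issue": "contents changed"})
    return (not problems, problems)


def demo():
    """Collect two constructed artifacts, hand them off, then show what a
    premature cleanup does to the chain of custody."""
    with tempfile.TemporaryDirectory() as workdir:
        auth_log = os.path.join(workdir, "auth.log")
        tasks = os.path.join(workdir, "scheduled_tasks.txt")
        # Constructed sample content, not captured from any real host.
        with open(auth_log, "w") as fh:
            fh.write("Sep  8 14:09:45 vpn01 sshd[2201]: Accepted password for jdoe from 203.0.113.77 port 51022\n")
        with open(tasks, "w") as fh:
            fh.write("Updater   2023-09-08 14:15   C:\\Users\\Public\\svc.exe\n")

        manifest = build_manifest("IR-2023-0908", "a.analyst", [auth_log, tasks])
        ok_before, _ = verify_manifest(manifest)
        record_handoff(manifest, "a.analyst", "forensics-vendor", "log and persistence analysis")

        # Someone "cleans up" the compromised host before imaging is finished.
        with open(auth_log, "w") as fh:
            fh.write("")
        ok_after, problems = verify_manifest(manifest)

        return {
            "ok_before": ok_before,
            "ok_after": ok_after,
            "flagged": [os.path.basename(p["path"]) for p in problems],
            "custody_events": len(manifest["custody"]),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest proves nothing if whoever can rewrite the evidence can also rewrite the manifest, so store its items_digest somewhere the compromised environment cannot reach (the incident ticket, a printed custody form, write-once storage) and have the collector and each recipient sign the custody entries. The same verify step is what you run on restored data during recovery before handing systems back to users.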

The Notification Minefield: Timelines That Can Bury You

Breach notification laws vary wildly, and getting them wrong has real consequences. All 50 U.S. states have breach notification statutes. Most require notice "without unreasonable delay," and many cap that at 30 to 60 days after discovery; Colorado's limit is 30 days, and some sector-specific rules are tighter still.

If you handle data from EU residents, GDPR Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals, and Article 34 adds notice to the affected individuals without undue delay when that risk is high. Failing to notify carries fines of up to €10 million or 2% of global annual turnover, whichever is higher; the 4% tier that makes headlines applies to violations of the Regulation's core processing principles, not to notification itself.

The FTC has also become more aggressive. It brought its first enforcement actions under its Health Breach Notification Rule in 2023, proposed updates to the rule the same year, and finalized them in 2024, expanding its scope to health apps and connected devices that fall outside HIPAA. If you're collecting health-adjacent data and didn't know this rule applied to you, that's exactly the kind of gap a response plan should catch. You can review the FTC's enforcement actions at ftc.gov/enforcement.

Your plan needs a notification matrix — a single document that maps each type of data you hold to the applicable notification requirements and timelines. Legal counsel should review it annually.

Tabletop Exercises: Where Plans Get Battle-Tested

A data breach response plan you've never tested is a guess. Tabletop exercises are the closest thing to a live drill without the actual disaster.

Here's how I run them: gather the response team in a room (or video call). Present a realistic scenario — say, a phishing email compromises an HR manager's credentials, the threat actor exfiltrates a database of employee SSNs, and you discover it on a Friday afternoon when half the team is traveling.

Then walk through the plan, step by step. Who gets called first? Who authorizes the forensics firm engagement? Who drafts the employee notification? What happens when a reporter calls before you've confirmed the scope?

Run these exercises at least twice a year. CISA provides excellent resources for designing tabletop exercises at cisa.gov.

Every exercise I've facilitated has exposed at least one critical gap. Contact information was outdated. The backup admin had left the company. Legal counsel's retainer had expired. You want to find these problems on a Tuesday morning, not during an active breach.

The Human Factor: Your Biggest Variable

Technical controls matter, but the human element keeps showing up in most breaches; the Verizon 2023 DBIR put it at 74%. Social engineering, phishing, credential misuse, and simple errors: these are the doors that threat actors walk through most often.

Your data breach response plan needs to account for this reality. That means investing in ongoing security awareness training, not a once-a-year compliance checkbox. It means running phishing awareness training for your organization that uses realistic scenarios and provides immediate coaching when someone falls for a simulation.

I've seen organizations cut their phishing click rates by more than half within six months of implementing consistent simulation programs. That's not just a metric — that's fewer incidents your response team has to handle.

Zero Trust Isn't Optional Anymore

A zero trust architecture won't prevent every breach, but it dramatically limits blast radius. When you assume every user, device, and network segment could be compromised, you build controls that contain damage by design.

Practically, this means:

  • Enforcing multi-factor authentication on every account, not just admin accounts
  • Implementing least-privilege access — users get only what they need
  • Segmenting networks so a compromised workstation can't reach your database servers
  • Continuously validating device health before granting access

Zero trust principles should be woven into your response plan's containment and recovery phases. If your network is flat and unsegmented, there is no boundary to contain at, and isolating one compromised host becomes a race against lateral movement to every other.

What to Do in the First 24 Hours of a Breach

When the alarm sounds, here's the sequence that works:

Hour 0-1: Confirm the incident is real. Activate the response team. Begin containment — isolate affected systems, preserve logs, disable compromised accounts.

Hour 1-4: Engage external forensics if needed. Brief legal counsel. Record the exact time of discovery, because most regulatory clocks start when you become aware of the breach, and begin tracking the notification deadlines based on what you know.

Hour 4-12: Assess scope — what data was accessed, how many records, what systems are affected. Begin drafting internal communications. Brief executive leadership with facts, not speculation.

Hour 12-24: Refine scope assessment. Prepare regulatory notification drafts. Coordinate with law enforcement if criminal activity is involved — the FBI's Internet Crime Complaint Center at ic3.gov is the primary federal reporting channel. Begin planning external communications.

Every one of these steps should be pre-documented in your plan with specific names, contact details, and decision authorities. When you're sleep-deprived and under pressure, you follow the playbook — you don't improvise.

Build the Plan Before You Need It

The organizations that survive breaches with their reputation and finances intact are the ones that prepared. They built the plan. They tested it. They trained their people. They updated it when the landscape shifted.

Start today. Assign the team. Draft the document. Schedule the first tabletop exercise for this quarter. Invest in cybersecurity awareness training that actually changes behavior. Get your phishing simulation program running so your people are tested before a real threat actor tests them.

A data breach response plan isn't a document you write to satisfy an auditor. It's the difference between a controlled incident and an existential crisis. The breach is coming. The only question is whether you'll be ready.