My Company Had a Data Leak: What Do I Do Now?

The moment you find out is unlike anything else. Maybe an engineer slacks you at 11 PM. Maybe a customer emails asking why their personal information is showing up somewhere it shouldn’t. Maybe you stumble across a forum post with data that looks uncomfortably familiar. However it happens, the feeling is the same: a cold drop in the stomach, a sudden narrowing of focus. Everything else on your plate disappears. This is the only thing now.
What you do in the next 72 hours matters more than almost anything that comes after. The instinct to go quiet, to gather the team privately and figure out the full scope before saying a word to anyone, is understandable, and it’s often wrong.
Stop the Bleeding Before You Count the Wounds
The first operational priority is containment, not communication. You need to understand what’s still actively exposed before you can do anything else meaningful. Is the leak still ongoing? Is there an open access point (a misconfigured cloud storage bucket, a compromised API key, a vendor with excessive permissions) that is continuing to expose data right now? If the answer is yes, or even maybe, that gets fixed first. Everything else waits.
This is where a lot of companies make their first big mistake. They convene leadership. They schedule an all-hands. They start drafting statements. Meanwhile, the actual hole in the fence is still open. Contain first. Assess second. Communicate third.
Bring in your security team or a third-party incident response firm immediately. If you don’t have an internal security team (and many small companies don’t), there are firms that specialize specifically in breach response. This isn’t the moment to learn as you go. Forensic expertise matters here because you need to know not just what was accessed, but how, for how long, and whether there’s any evidence the data has already been used or shared. Those answers come from logs, snapshots and the affected systems themselves, so containment should close the access and rotate the credentials without wiping the evidence the investigation will depend on.
The Legal Reality Nobody Likes Talking About
Here’s the part that makes executives uncomfortable: depending on where your company operates and who your customers are, you may have a legal obligation to report this breach within a specific window of time, and that window can be surprisingly short.
Under GDPR, if you process data belonging to European residents, you’re required to notify the relevant supervisory authority within 72 hours of becoming aware of the breach: not 72 hours after you’ve fully investigated it, but 72 hours after you knew something happened. The California Consumer Privacy Act carries its own notification requirements. So do HIPAA for healthcare data and the various state-level regulations across the U.S., which have been expanding rapidly over the past several years.
Get a lawyer on the phone. Not your general counsel alone, but someone with specific data privacy and breach notification experience. The regulatory map here is genuinely complex, and the penalty for missing a required notification deadline can compound an already bad situation significantly. Legal counsel will also help you understand what “personal data” actually means under each applicable law, because the definition varies and so does the threshold for what triggers notification.
This isn’t about liability management as a cynical exercise. It’s about doing the thing you’re actually required to do, correctly and on time.
Telling Your Customers and Why Doing It Well Matters
The temptation to minimize in a breach notification is enormous. Companies write letters that are technically accurate but structured to make readers feel like nothing serious happened. The passive voice gets deployed heavily. Words like “may have been accessed” do a lot of work. Dates are omitted. The kind of data involved is described in the vaguest possible terms.
Customers see through this. More importantly, they remember it. A breach itself can damage trust, but a breach notification that feels evasive or designed to protect the company rather than inform the person reading it can permanently destroy it. There’s a meaningful difference between a company that says “we had an incident, here’s exactly what happened, here’s what we know was exposed, here’s what you should do right now” and a company that sends three paragraphs of apologetic corporate language that leaves people with no idea whether their social security number is floating around a dark web forum.
Your notification should include: what happened, in plain language. What data was involved, as specifically as you can determine. The approximate timeframe. What you’ve done to contain it. What concrete steps the affected person should take, whether that’s monitoring their credit, changing a password, watching for phishing attempts, or placing a fraud alert. And a real contact point for questions, not a no-reply email address.
If you have customers who are businesses rather than individuals, the outreach may need to happen via direct call, not just a templated email. A vendor breach that could expose your client’s customers downstream is a different conversation than a consumer notification.
The Internal Conversation Is Just as Important
Your employees are hearing about this. If you have any company of real size, word travels before any official communication does. People are anxious, confused, and often afraid of blame. The internal response matters.
Be straightforward with your team. Tell them what you know, acknowledge what you don’t yet know, and tell them what they should and shouldn’t say externally: not to cover up, but because consistency matters and partial information creates confusion. If an employee gets a question from a customer or a reporter, they should know exactly who to direct it to. They shouldn’t be left guessing.
The post-mortem process that follows (and there absolutely needs to be one) should feel like a search for understanding, not a search for a scapegoat. Breaches almost never happen because one person did something wrong. They happen because of systems, processes, and configurations that allowed a failure to occur. A punitive response to a breach incident tends to produce a culture where future problems get hidden rather than surfaced. That’s a far more dangerous outcome.
What Actually Needs to Change
Once the immediate crisis is contained and notifications are out, the real work begins, and it’s less dramatic but more lasting than anything that came before it. Security audits, updated access controls, employee training, vendor security reviews, encryption practices, data minimization policies. These aren’t exciting projects. They don’t generate press releases. But they’re the difference between a company that had a breach and a company that keeps having them.
Data minimization is worth naming specifically because it’s consistently undervalued. The less sensitive data you’re holding, the less there is to lose. Many companies accumulate data as a kind of reflex: collect now, figure out what to do with it later. Every piece of data you hold that you don’t actually need is a liability waiting to materialize. The breach becomes an uncomfortable prompt to audit what you’re actually storing and why.
Cyber insurance, if you don’t already have it, belongs on the post-incident checklist. Many policies cover breach response costs, legal fees, and notification expenses, but the time to understand what your policy covers is not after the event.
The Long Arc of Recovery
Trust, once damaged, comes back slowly. There’s no announcement you can make that will erase what happened. What you can do is demonstrate, through the months and years that follow, that you took it seriously. That you made real changes, not cosmetic ones. That you communicate proactively about security rather than waiting to be forced into it.
Some customers will leave. Some will stay and watch how you handle it. Some will never know it happened. The ones who stay and watch are the ones you’re writing your behavior for now.
A data breach is genuinely one of the worst things that can happen to a company in the information age. It’s also survivable. The companies that come out of it with their reputation intact are almost always the ones that chose transparency over damage control from the very beginning, not because it felt comfortable, but because they understood that their customers deserved it.
