Ten Principles for Handling a Data Breach - Before, During and After
A data breach rarely comes with a warning. One day, everything runs as usual. The next, you are responding to clients, journalists, and regulators all at once. What you do in those first hours, how you notify those affected, and what support you provide afterwards can make all the difference between a crisis that escalates, and one that is handled with credibility.
Here are ten principles that separate organizations that navigate a data breach effectively from those that do not.
Before the breach hits
- The worst moment to build a team is during a crisis. Assemble your incident team, define roles, and run drills before you need them.
- Brief your people before someone else does: your employees are your first audience. They need to know what happened, what is being done, and what to say, before an external message goes out.
When a breach hits
- Speed matters. Accuracy matters more. One accurate message beats three corrections.
- The words you choose are a decision. Tone signals accountability, or the lack of it.
- People sense when something is being hidden: be direct. Vague language and technical jargon cause more anger and distrust.
Ransomware
- It is not just pay or don’t pay. Engage, gather information, then decide.
- A breach is a moment of contact as much as a moment of crisis: use it to show those affected that you take what happened seriously.
The aftermath
- Don’t just inform people, help them. Offer concrete guidance and active support.
- Don’t make it a puzzle: create one dedicated page and make sure every communication points to it.
- Don’t hide behind a chatbot: make sure there is a real person available who knows the case and listens.
Before the Breach Hits
The worst moment to build a team is during a crisis
Ask yourself: if a breach were discovered tomorrow morning, would you immediately know who to call, and would they know exactly what to do? If you had to think about that, chances are you are not sufficiently prepared.
When a breach hits, many decisions need to be made fast, and correctly. Without a clear team structure, the wrong calls get made and valuable time is lost. Assemble an incident team with technical, legal, and communications expertise before you need it. Define who decides what, and when. Who speaks to the press? Who informs the regulator? Who handles client communication? Who coordinates with IT? Run crisis drills. When the moment comes, you will be ready.
Brief your people before someone else does
When a breach has occurred, organizations often focus immediately on external communication. Whilst acting externally is urgent, it is not the only thing that matters. If a breach goes public and your employees hear about it from a client or a journalist before you have told them, that is a problem in itself. An uninformed employee does not just feel left out; they are also likely to give inconsistent answers, create confusion, and signal to the outside world that the organization is not in control.
Include your team. Brief them before the external message goes out. Give them a clear script: what do they say when a client calls? What if a journalist calls? What should they not say? Consistency starts from within. Your employees are your first line of communication, so treat them that way.
When a Breach Hits
Speed matters. Accuracy matters more.
In the first hours after a breach, facts are often incomplete, or simply wrong. Focusing merely on acting fast can lead to incorrect notifications, followed by corrections, followed by yet more corrections. This does not reflect responsiveness. Instead, it erodes trust. Every follow-up message amplifies the feeling that the organization does not have things under control.
Verify. Check again. Then communicate. One accurate message on day three beats three corrections on the first day. If you must communicate before all facts are clear, say so openly: “We are still investigating and will update you as soon as we have confirmed information.”
Tone signals accountability, or lack thereof
Notifications aimed at protecting the organization, whether by blaming “sophisticated hackers” or by avoiding any responsibility, feel like evasion. These messages rarely land the way they were intended to. More often, they fuel exactly the anger they were meant to prevent.
Write as if you know the recipient, and often you do. Acknowledge what went wrong. Show what you are doing differently. Avoid clinical, detached language. “We regret to inform you” lands very differently from “We owe you a direct explanation.” You do not have to admit full liability, but there is a lot of ground between that and a cold, corporate statement. Use that ground.
People sense when something is being hidden
Organizations are often tempted to provide vague information, perhaps because it feels safer. But it does not help. Vague descriptions of how a breach occurred, technical language that obscures more than it explains, no explanation of why the data was still being held, and unclear timelines for resolution: all of this leaves people with more questions than answers. What was meant to be a controlled message ends up as a negative news story anyway.
Be direct. Be specific. What data was affected? How did it happen? What concrete steps have been taken? What should those affected do right now? Organizations that communicate honestly about what went wrong, even when it is uncomfortable, are remembered as trustworthy.
Ransomware: The Worst Case?
It is not just pay or don’t pay
When a ransomware group demands payment, the public debate narrows everything down to a binary choice: pay, or refuse. But there is more room to maneuver than that. Before deciding, consider making contact, not necessarily to pay, but perhaps to buy time, clarify exactly what was taken, or understand how this group typically operates. Different groups behave differently. Some bluff. Some negotiate. Some have published data even after payment.
More information means better decisions, a more targeted notification to those affected, and a stronger public narrative.
A breach is a moment of contact as much as a moment of crisis
Legally required notifications are often treated as a compliance obligation, a box to be ticked. Organizations that go beyond the minimum, however, can turn a crisis into something different.
A month of free service. Temporary access to identity protection tools. A voucher. A personal call from a senior team member. Something that goes beyond notifying: an acknowledgement of the impact and a genuine effort to repair it. Think about what would feel meaningful to your specific audience, whether it’s a patient, a customer, or a member. Make sure it is genuine. The difference between a genuine gesture and a consolation prize is easy to feel.
The Aftermath
Don’t just inform people, help them
A notification informs people what happened and often ends there. After reading it, many people are left wondering: what do I actually do now? Offer specific guidance: how to change passwords, how to set up two-factor authentication, and what steps to take if they notice suspicious activity. Set up a dedicated line that people can call with questions, not a general customer service queue, but someone who knows the case. Monitor whether stolen data is being traded on dark web forums and let people know you are doing so. That kind of active follow-through is at least as important as the notification itself.
Don’t make it a puzzle
After the notification, people will have questions. A buried FAQ, a generic privacy policy, or a general customer service number will not adequately answer them; it frustrates those affected and signals that the organization is not taking the incident seriously.
Create a single, dedicated page for the incident and make it easy to find. Place a prominent banner on your homepage that links directly to it. State clearly when it was last updated and when the next update is expected. One place. Current information. Directly reachable. Reference that page in every piece of communication you send, every email, every letter, every social post.
Don’t hide behind a chatbot
Someone whose personal data has just been compromised sometimes needs to speak to a person. This cannot be replaced by an automated response or by “your question has been forwarded to our team.” And certainly not by a chatbot that offers preset answers.
What is required is a person who knows the case, who listens, and who gives a clear, honest answer. Set up a dedicated phone line with staff who know the file and understand what is at stake.
The investment is often limited. The impact on how people experience the situation is not.
Where Does Your Organization Stand?
A data breach tests more than your systems. It tests your organization’s character. Preparation, communication, and follow-through. The ten principles in this guide are not just about compliance. They are about how your organization shows up when it matters most.
Van Doorne supports organizations at every stage of a data breach, from the moment it is discovered through to full resolution, including regulator notifications, communicating with those affected, and managing any resulting claims.
We are happy to think along. Reach out to our Privacy and Data Protection Team.