What to Do After a Data Breach: Small Business Plan
Knowing what to do after a data breach as a small business saves you in the first hours. Contain, preserve evidence, fix the hole, and notify the right people.
Knowing what to do after a data breach as a small business is the difference between a bad week and a business-ending event. The first hours decide how much data leaves the building, how much evidence survives, and how much trust you keep. We help South Orange County companies — from Laguna Hills to Mission Viejo to San Clemente — work through exactly this, and the pattern is always the same: the businesses that recover well are the ones that move fast and follow a plan instead of panicking. This post is about response, not prevention. The breach already happened. Here is how we walk clients through it.
What should a small business do immediately after a data breach?
The moment you suspect a breach, take affected systems offline without wiping them, change the credentials that may be compromised, and start a written timeline of everything you do. Then assemble the people who need to act — IT, leadership, and legal — before you notify anyone outside the company. Speed matters, but so does not destroying the evidence you will need later.
Contain the breach before you do anything else
Containment comes first because every minute an attacker keeps access is more data walking out the door. The goal is to stop the bleeding without burning the crime scene.
- Disconnect, don’t destroy. Take compromised machines off the network by unplugging the ethernet, disabling Wi-Fi, or isolating them on a separate segment. Leave them powered on if you can: shutting a machine down loses what is in memory (running processes, live network connections, and the credentials or keys the attacker’s tools are holding), and reformatting destroys the disk evidence. The one exception is active destruction. If ransomware is encrypting files in front of you and you cannot isolate the machine fast enough, pulling the power is the lesser evil.
- Lock down credentials. Reset passwords for any account that touched the affected systems, and force a reset across the organization if you are unsure of the blast radius. Start with the most powerful accounts (domain and cloud admins, service accounts) and revoke active sessions and tokens as well, because a password change alone does not always end a session that is already open. Assume the attacker may have added accounts or registered their own MFA devices, and review those too. Turn on multi-factor authentication anywhere it is not already on.
- Pull external access. Revoke VPN sessions, API keys, and remote-access tools. Attackers love a forgotten remote-desktop port.
- Check your backups. Confirm your last clean backup exists and is not also compromised. Attackers often delete or encrypt backups before they strike, so an offline or immutable copy is the one that counts, and do not connect backup media to a network you have not yet cleaned. If you are not sure your backups are solid, our guide to business data backups walks through what “good” looks like.
If this is ransomware specifically, the containment playbook is a little different — we cover it in how to protect your small business from ransomware.
Secure your systems and assemble a response team
This is the first of the three core steps the Federal Trade Commission lays out in its Data Breach Response: A Guide for Business — secure your operations. Securing operations is not a solo job. The FTC recommends mobilizing a breach response team right away, and for a small business that team is leaner but no less important.
Pull together the people who can actually make decisions:
- Leadership — someone who can authorize spending and approve outside notifications.
- IT or your managed IT provider — the people who can isolate systems and read the logs.
- Legal counsel — because notification rules are legal obligations, not IT preferences.
- A forensics resource — for a serious breach, you want an expert who can determine what was accessed without trampling the evidence.
If you do not have an internal IT team, this is the moment a managed IT partner earns their keep — having one already on retainer means you are not searching for help while the clock runs.
Preserve evidence so you can answer the hard questions
You will get asked three questions: what was taken, how did they get in, and who is affected. You can only answer them if you preserve evidence in the first hours.
- Keep a written incident log. Date, time, who did what, and what they observed. This becomes your single source of truth — and it matters if regulators or insurers ask later.
- Save the logs. Firewall, server, email, and application logs often roll over and overwrite themselves, and cloud mail and identity audit logs have limited retention too. Export and store copies somewhere safe, off the affected network, before that happens, and record a hash of each export so you can show later that it was not altered.
- Image affected systems. Where possible, have your IT team or a forensics firm take a disk image, and a memory capture if the machine is still running, before remediation so the original state is captured.
- Photograph and document. Screenshots of ransom notes, suspicious emails, or unusual account activity all help reconstruct the timeline.
Do not let the urge to “just clean it up and move on” destroy the proof you need to understand the breach and meet your legal duties.
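As an added example (not code from the original post), here is a small Python script that does the “save the logs” step with a chain of custody: it hashes each exported file at collection time, records who collected it and when in UTC, and can later prove whether any file was changed or went missing. The manifest layout, the helper names, and the sample log lines are constructed for this example and are not from any forensics tool.

```python
"""Added example: hash exported evidence at collection time and verify it later.

Constructed sample data; the manifest format and helper names are this example's own,
not from any forensics tool or from the original post.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Digest a file in chunks so large exports (disk images, PCAPs) never sit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths, collector, note=""):
    """Record who collected which files, when (UTC), and each file's size and SHA-256."""
    return {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "note": note,
        "items": [
            {"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def to_json(manifest):
    """Stable text form, suitable for printing, signing, or storing off the affected network."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(manifest):
    """Return (path, problem) for every item that is missing or no longer matches its hash."""
    problems = []
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.exists(path):
            problems.append((path, "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((path, "hash mismatch"))
    return problems


def demo():
    """Constructed scenario: two exported logs; one is edited after collection."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    fw_log = os.path.join(workdir, "firewall-export.log")
    auth_log = os.path.join(workdir, "auth-export.log")
    with open(fw_log, "w") as fh:   # constructed sample lines, not real traffic
        fh.write("2024-03-01T02:14:07Z ALLOW tcp 203.0.113.5:51234 -> 192.168.1.10:3389\n")
    with open(auth_log, "w") as fh:
        fh.write("2024-03-01T02:15:30Z RDP logon svc_backup from 203.0.113.5 succeeded\n")

    manifest = build_manifest([fw_log, auth_log], collector="j.doe (IT)",
                              note="exported before password rotation")
    clean = verify_manifest(manifest)            # expected: [] right after collection

    with open(auth_log, "a") as fh:              # someone "tidies up" the auth log
        fh.write("# cleaned\n")
    tampered = verify_manifest(manifest)         # expected: one hash mismatch on auth_log
    return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(to_json(manifest))
    print("after collection:", clean)
    print("after edit:     ", tampered)
```

Keep the manifest somewhere the evidence is not (printed and signed, or on a system outside the affected network), so the hashes themselves cannot be quietly rewritten. The same routine works for disk images: hash the image the moment it is taken and store that hash in the manifest.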
Fix the vulnerability that let them in
The FTC’s second core step is fix vulnerabilities. Containment stops the current attack — fixing the root cause stops the repeat. Once forensics tells you how the attacker got in, close that door for good.
Common entry points we see across small businesses in Orange County:
- Phished credentials. A staff member handed over a password to a convincing fake login page. Training and MFA are the fix, with one caveat: codes sent by SMS and simple push prompts can be phished in real time as well, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys where you can. Learning to spot phishing emails is still the first line of defense.
- Unpatched software. A known vulnerability in a server, plugin, or VPN appliance that never got updated. Patch it, and put a patching schedule in place.
- Over-broad access. Too many people had access to sensitive data. Review who can reach what, and cut access down to what each role actually needs.
- Exposed services. A database or remote-desktop port open to the whole internet. Close it, put it behind a VPN that itself requires MFA, or at minimum restrict it to the specific source addresses that need it.
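An added example, not from the original post: a Python audit over a set of firewall or cloud security-group rules that flags any allow rule exposing a management or database port to the whole internet (0.0.0.0/0, ::/0, or “any”). The rule format, the port list, and the sample rules are this example’s own assumptions rather than any vendor’s format. It ignores rule evaluation order, so treat its output as a list to check against the real firewall before acting.

```python
"""Added example: flag firewall or cloud security-group rules that expose management and
database services to the whole internet.

Rule shape, sample rule set and port list are this example's own, not a vendor's format
and not from the original post. It does not model rule evaluation order, so review any
finding against the real firewall before acting on it.
"""
import ipaddress
from dataclasses import dataclass

# Services that should not be reachable from arbitrary internet sources.
HIGH_RISK_PORTS = {
    22: "SSH", 23: "Telnet", 445: "SMB", 1433: "MSSQL", 1521: "Oracle",
    3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL", 5900: "VNC",
    6379: "Redis", 9200: "Elasticsearch", 27017: "MongoDB",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "any"
    source: str      # CIDR, or "any"
    port_from: int
    port_to: int


def is_world_open(source):
    """True when the source matches every address: 'any', 0.0.0.0/0 or ::/0."""
    if source.strip().lower() in ("any", "*"):
        return True
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit(rules):
    """Return (rule name, port, service, source) for each risky port an allow rule opens to the world."""
    findings = []
    for rule in rules:
        if rule.action.lower() != "allow":
            continue
        if rule.protocol.lower() not in ("tcp", "any"):
            continue                      # the listed services are all TCP
        if not is_world_open(rule.source):
            continue                      # scoped to a VPN range, office IP, etc.
        for port, service in HIGH_RISK_PORTS.items():
            if rule.port_from <= port <= rule.port_to:
                findings.append((rule.name, port, service, rule.source))
    return sorted(findings)


# Constructed sample: a mix of intended and accidental exposure.
SAMPLE_RULES = [
    Rule("web-https", "allow", "tcp", "0.0.0.0/0", 443, 443),          # intended
    Rule("rdp-for-vendor", "allow", "tcp", "0.0.0.0/0", 3389, 3389),   # the forgotten RDP port
    Rule("sql-from-lan", "allow", "tcp", "10.0.0.0/8", 1433, 1433),    # internal only
    Rule("legacy-allow-all", "allow", "any", "any", 0, 65535),         # opens everything
    Rule("block-telnet", "deny", "tcp", "0.0.0.0/0", 23, 23),          # a deny is not exposure
    Rule("ssh-v6", "allow", "tcp", "::/0", 22, 22),                    # IPv6 counts too
]


if __name__ == "__main__":
    for name, port, service, source in audit(SAMPLE_RULES):
        print(f"{name}: {service} (tcp/{port}) reachable from {source}")
```

The “legacy-allow-all” style rule is the one that hurts most in practice: a single wide-open entry added for troubleshooting years ago silently exposes every listed service at once. Run this kind of check against an export of your rules as part of the post-breach review, then again on a schedule.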
Verify whether protections like encryption were enabled when the breach happened, and whether the attacker could have obtained the key as well. Data that was encrypted with a key the attacker did not get may shrink both your exposure and your notification obligations; data encrypted with a key that was also taken, or that was decrypted on a system the attacker controlled, counts as exposed.
Notify affected people and meet your legal obligations
Notify appropriate parties is the FTC’s third core step, and it is where most small businesses get nervous. Quick, honest notification lets affected people protect themselves — freezing credit, watching accounts, changing passwords — before the stolen data gets used.
A few things to get right:
- Be clear, not slippery. The FTC warns against misleading statements or withholding details that would help people protect themselves. Say what happened, what data was involved, and what you are doing about it.
- Tell people what to do next. Point affected individuals to concrete steps, and consider directing them to IdentityTheft.gov for a recovery plan.
- Notify the right outside parties. Depending on the breach, that can include law enforcement, your cyber-insurance carrier, payment processors, and affected business partners.
On the legal side, a quick, important note: we are an IT company, not a law firm, and this is general guidance, not legal advice. Loop in an attorney early. California’s breach notification law (Civil Code section 1798.82, with the CCPA adding a private right of action for breaches caused by inadequate security) requires businesses to notify California residents whose unencrypted personal information was acquired, or whose encrypted information was acquired along with the key, in the most expedient time possible and without unreasonable delay. If more than 500 California residents are affected, you must also send a sample copy of the notice to the state Attorney General. If you hold data on residents of other states, their notification laws apply to them as well. The specifics of timing, content, and thresholds depend on your situation, which is exactly why counsel belongs on the response team.
Recover, review, and write the plan you wish you’d had
Once systems are clean and notifications are out, restore from a known-good backup, monitor closely for a return attempt, and hold a short debrief while it is fresh. “Known-good” means a backup taken before the attacker first got in, which is one more reason the forensic timeline matters: a recent backup may restore their persistence along with your data. Where you can, rebuild compromised machines from scratch rather than cleaning them, and rotate credentials once more after the rebuild. In the debrief, ask what worked, what slowed you down, and what you would change. Then write it down. The single best outcome of a breach is a written incident response plan so the next scare is a checklist, not a crisis.
If you run a business between Irvine and Dana Point and you do not have that plan yet — or you are in the middle of an incident right now — we can help. Reach out through our managed IT services page or contact us directly, and we will help you contain the damage and build a response plan that fits how your business actually works.
- data breach
- incident response
- security
- small business
Need a hand with this?
Coastal Growth Co. is your local IT department in South Orange County. Need help, or just have a question? Reach out, no pressure.