PR data breach response plan | Presspage

TL;DR - Key takeaways:

  • A data breach quickly becomes a trust issue, not just a technical one.

  • PR should not diagnose the breach, but it must own the communication process.

  • Early statements should share confirmed facts, not guesswork.

  • One central update page helps stop mixed messages, outdated screenshots, and AI summaries from spreading confusion.

  • The response is not finished when the news cycle slows down. Close the loop publicly and update the plan for next time.


A data breach is a technical issue that almost always turns into a trust issue. That second part is where PR teams step in.

While IT investigates what happened, the story is already moving. Customers expect answers, journalists want a timeline, and employees need talking points. And in 2026, AI summaries start pulling from whatever information is public first.

That makes data breach crisis management different from most other crisis work. You are rarely dealing with a complete picture from the get-go, and you're expected to start communicating regardless.

Data breaches by the numbers:

These figures show the problem is not going away soon. For PR teams, the lesson is this: you can’t own the investigation. But you must own the communications process around it.

This data breach response plan helps you do just that by breaking the process into six stages: detection, internal alignment, first response, public messaging, ongoing updates, and recovery.

What is a data breach?

A data breach happens when personal, confidential, or protected information is accessed, disclosed, lost, stolen, altered, or exposed without authorization.

That can include:

  • Customer names, email addresses, phone numbers, or login details
  • Financial information
  • Medical or health data
  • Employee records
  • Passport numbers, ID numbers, or Social Security numbers
  • Commercially sensitive company data
  • Data exposed through a supplier, vendor, or software provider

Not every cyber incident is a data breach. A system outage, ransomware attempt, or suspicious login may not involve confirmed data exposure. But from a communications point of view, the distinction can get lost in the court of public opinion.

That is why PR should avoid overclaiming early.

“Cybersecurity incident” may be accurate while the facts are still being reviewed. “Data breach” may become accurate once unauthorized access to data is confirmed. The wording matters because it shapes customer fear, media coverage, regulatory expectations, and legal exposure.

The FTC’s breach response guide has this to say:

“The only thing worse than a data breach is multiple data breaches.”

That line may be aimed at security teams, but it hits a nerve with comms too. A poor first statement can create a second PR crisis: confusion, contradiction, and loss of trust.

What makes a data breach different from other crises?

Most crises create a reputational problem. A data breach adds legal, technical, personal, and emotional risk.

People want to know:

  • Was my data stolen?
  • What type of data?
  • Am I at risk of identity theft?
  • When did you know?
  • Why did you not protect it?
  • What should I do now?
  • Can I still trust you?

That makes the communications job more complicated than normal. PR cannot publish vague reassurance and hope the story settles. The response has to be factual, careful, human, and regularly updated.

There are four reasons data breach crisis management is especially difficult.

1. The facts change quickly

Early information is often incomplete. The breach may involve one system, then a supplier, then a larger dataset. The number of affected people may change. The type of data exposed may change. The cause could quickly shift from a suspected phishing attack to a compromised third party.

23andMe is a useful example. The company said in December 2023 that it had learned of unauthorized access to a number of 23andMe accounts through credential stuffing (where usernames and passwords are reused from other compromised websites). Later investigations by the UK ICO and Canada’s privacy regulator focused on how the attack unfolded and the protections in place.

The communications lesson: your first statement should create room for updates. Say what is known, what is not yet known, what is being done, and when people can expect more information.

2. Legal notification duties may apply

Under GDPR Article 33, organizations may need to notify the relevant supervisory authority within 72 hours after becoming aware of a personal data breach if the breach is likely to create risk for individuals. The Dutch Data Protection Authority also states that organizations may be obliged to report a breach to the AP (Autoriteit Persoonsgegevens) within 72 hours.

PR should align with legal, not interpret the law.

Our role is to make sure public messaging, customer notifications, media statements, executive lines, internal updates, and website content all work from the same approved facts.

3. The public story may start before the company speaks

Sometimes the first public signal is not a company statement.

Picture this: your customer support team receives three complaints about suspicious account activity. At the same time, a journalist emails asking whether your company has been affected by a supplier breach. Someone on LinkedIn posts a screenshot claiming customer data is for sale. Internally, security is still checking whether the claim is real.

That is the moment PR needs a process. Not necessarily a polished final answer, but a way to align facts, prepare a holding line, and stop five different versions of the story from circulating.

4. Operational disruption becomes part of the story

A breach can shut down systems, disrupt services, and even affect customers who were never directly exposed.

Change Healthcare is a recent example of how fast a breach can spread beyond the security team. In 2024, a cyberattack disrupted healthcare payments and claims across the United States, affecting hospitals, pharmacies, insurers, and patients. Reuters later reported that private data may have been exposed for about one-third of the US population.

The lesson for PR teams: when a breach affects daily services, communication needs to explain both the data risk and the real-world disruption.

The 6-stage data breach response plan

A good data breach response plan gives PR teams structure before the story explodes.

The aim is to communicate with enough speed, clarity, and discipline that the organization maintains credibility as the investigation develops.


Phase 1 - Detection: stay internal, gather facts, monitor signals

The first phase begins when a possible breach is detected. At this point, the communications team may only have fragments: a monitoring alert, a vendor notice, or perhaps a journalist asking whether customer data has been exposed.

PR’s job is not to diagnose the breach. It is to prepare the communications response, keep teams aligned, and make sure nobody gets ahead of the facts.

At this stage, PR should establish:

  • What has been detected
  • Who detected it
  • Which systems or datasets may be involved
  • Whether personal data may be affected
  • Whether customers, employees, partners, or media are already aware
  • Whether any public claims are circulating
  • Who is currently investigating
  • Who is authorized to approve statements

This is also the time to start a live communications log. Record what is known, when it became known, who confirmed it, what has been approved, and what has been published.


In a breach, your timeline becomes evidence. Journalists, regulators, customers, and internal teams will all care about when the organization knew, what it said, and how quickly it acted.

PR checklist for Phase 1

  • Open a shared comms timeline
  • Confirm the internal incident lead
  • Identify legal, security, customer support, HR, and leadership contacts
  • Start monitoring media, social, search, forums, and AI summaries
  • Prepare a draft holding line for internal use
  • Do not publish before facts and approvals are clear


Phase 2 - Internal alignment: align messaging with legal and IT

This is often where the response starts to break down.

The security team is still piecing together what happened, legal is reviewing what can be said, and customer-facing teams are already getting questions they cannot fully answer yet.

PR sits in the middle of the mess.

And that is exactly why the response plan matters. It gives everyone a shared process before uncertainty turns into mixed messaging.

The core group should include:

  • Security or IT lead
  • Legal or privacy counsel
  • Communications lead
  • Customer support lead
  • HR or internal comms lead
  • Executive sponsor
  • Relevant regional or market leads

The comms lead should push for one shared fact base that answers:

  • What happened?
  • When was it detected?
  • What data may be involved?
  • Who may be affected?
  • What has the organization done so far?
  • What should affected people do?
  • What is still being investigated?
  • When will the next update come?

If those answers are not ready, say so internally. Then prepare messaging that acknowledges uncertainty without sounding evasive.

For example:

Bad line: “We take security seriously and are investigating.”

Better line: “We are investigating unauthorized access to part of our customer account environment. At this stage, we are working to confirm what data may have been involved. We will update affected customers directly as soon as we can provide verified information.”

The second version still protects the investigation, but it also gives people something concrete.


Phase 3 - First response: prepare the holding statement

A holding statement should be ready before the company has every detail. It gives the organization a controlled, factual line to use with stakeholders and affected parties while the investigation continues.

A good data breach holding statement should include:

  • Acknowledgement of the incident
  • Current status of the investigation
  • What is known
  • What is not yet confirmed
  • Actions already taken
  • Commitment to direct updates for affected people
  • A clear place for future updates

The tone should be clear, serious, and measured. Avoid panic, vague reassurance, or over-apologizing.

You don’t need to answer every question immediately. Offer enough confirmed information for people to understand the situation and how it might affect them.

The risk is that many companies stop there and never become more specific, which can cause trust to drain away.

PR checklist for Phase 3

  • Draft one approved holding statement
  • Prepare internal Q&A for employees and customer teams
  • Create media response lines
  • Decide where the statement will live
  • Prepare a brand newsroom or update page
  • Set review times for the next update
  • Avoid speculation about cause, scale, or affected data


Phase 4 - Public messaging: acknowledge early, share confirmed facts, set expectations

Once the organization communicates publicly, the response shifts gear.

Your stakeholders will extend the reach of your initial statement. AI and search will summarize it for new audiences. And social media may strip it of all context, boiling your carefully crafted message down to clickbait, screenshots, and memes.

That means the public message has to work hard.

It should answer five questions quickly:

  1. What happened?
  2. Who may be affected?
  3. What information may be involved?
  4. What is the organization doing?
  5. What should people do now?

The FTC recommends anticipating the questions people will ask and putting clear answers somewhere easy to find. That is where online newsroom software or a dedicated breach update page becomes important. It gives journalists, customers, and other stakeholders one official source instead of scattered statements across email, social, and customer service scripts.

For PR teams, the public message should also be built for reuse. That means quotable facts for journalists, straightforward instructions for customers, and clear entities, dates, and claims for AI systems.

Weak public messaging sounds like this:

“We recently became aware of an incident that may have involved certain information. We take this matter seriously and are working diligently to address it.”

Stronger public messaging sounds like this:

“On [date], we detected unauthorized access to [system/account environment/vendor platform]. Our investigation so far indicates that [type of data] may have been involved. We have [action taken], engaged [external support/law enforcement/regulators where appropriate], and will contact affected individuals directly with steps they can take.”


Phase 5 - Managing ongoing updates: keep the cadence, handle media, correct misinformation

The first public statement rarely ends the story.

In many data breach crises, the hardest part comes after disclosure. New information appears, and the proverbial “shit” hits the fan again: more customer complaints, more journalist questions, and more AI summaries pulling from incomplete information.

Picture a retail brand that publishes its first breach statement on Monday morning. By Monday afternoon, the affected customer group has changed. By Tuesday, a trade journalist is reporting on a supplier connection. By Wednesday, customers are sharing old screenshots of the first statement as if it is still current.

Without one live source of truth, the team ends up fighting yesterday’s version of the story.

This is where a steady update rhythm matters.

A breach update page should include:

  • Latest verified status
  • Timeline of updates
  • Who is affected
  • What data may be involved
  • What the company has done
  • What affected people should do
  • Contact details for media and customers
  • Links to regulator notices or support resources where relevant

The goal is to reduce confusion. If a journalist, employee, customer, or AI tool looks for the latest official position, they should land on the same current information.

The MOVEit breach wave shows why this matters. One software vulnerability affected organizations across multiple sectors, leaving many companies to explain a breach they did not directly cause. As more organizations confirmed exposure, the story kept expanding.

That is exactly when a single, current update page that you control becomes essential. Customers rarely care where the breach began. They care whether their data was affected, what happens next, and whether your organization is being clear with them.

PR checklist for Phase 5

  • Publish updates in one central place
  • Add timestamps to every update
  • Keep old statements accessible where appropriate
  • Brief customer-facing teams before each public update
  • Monitor media and social narratives
  • Correct inaccurate claims quickly
  • Keep spokespeople aligned on what can and cannot be said
  • Avoid “no comment” where a factual process answer is possible

A better alternative to “no comment”:

“We cannot confirm that detail while the investigation is active. What we can confirm is that [verified fact]. Our next update will be published on [channel] when we have more verified information.”


Phase 6 - Resolution and learnings: close the loop publicly

A data breach response does not end when the news cycle slows down.

Your customers will want to know what happened and regulators may still investigate. Journalists may even revisit the story months later. And search results and AI summaries will continue to surface old information unless the official record is updated.

Final-phase communications should close the loop and include:

  • Final scope of affected data, where known
  • Number or category of affected individuals, where appropriate
  • Customer notification status
  • Support provided, such as credit monitoring or identity protection
  • Security measures taken
  • Policy or process changes
  • Contact routes for further questions
  • A statement from an accountable leader

This is also the moment to review the communications response internally.

Ask:

  • Did PR join the incident team early enough?
  • Was the approval process clear?
  • Did legal, security, and comms work from one fact base?
  • Were customer teams briefed before public updates?
  • Did the newsroom or update page carry the latest information?
  • Which questions were hardest to answer?
  • What misinformation appeared?
  • Which response materials should be updated?


FAQ: Data breach response plan


What should be included in a data breach response plan?

A data breach response plan should define who is involved, who approves messaging, where updates are published, and how affected people will be informed. For PR teams, it should cover detection, internal alignment, first response, public messaging, ongoing updates, and post-crisis review.

How should PR teams respond to a data breach?

PR teams should gather confirmed facts, align with legal and security, prepare a holding statement, and publish clear updates from one official source. The goal is to communicate early enough to reduce confusion, without speculating or getting ahead of the investigation.

When should a company communicate publicly about a data breach?

A company should communicate publicly when it has enough verified information to acknowledge the issue clearly, or when customers, journalists, employees, or public speculation make silence more damaging. Legal notification duties may also apply, so PR should work closely with legal before publishing.

What should a data breach holding statement include?

A data breach holding statement should acknowledge the incident, explain what is being investigated, share confirmed facts, outline actions already taken, and point people to the official place for future updates. It should be clear, serious, and measured.

How do you rebuild trust after a data breach?

Rebuilding trust after a data breach means closing the loop publicly. That includes explaining what happened where possible, what actions were taken, what affected people should do, and what has changed since the incident. The response should also feed into a stronger plan for next time.


The takeaway

A data breach puts your whole organization under scrutiny.

The technical investigation and legal process matter. But the public response shapes how people understand the incident, how much they trust your organization, and whether the story becomes a controlled update or a brand reputation freefall.

The best PR teams prepare before the breach is public. They know who needs to approve the message, where updates will be published, and what can be said before the full picture is available. And they know how to do all this without sounding evasive.

A good data breach response plan gives teams that structure. And when the story is moving fast, structure is what keeps the message from falling apart.


Need some help? Try our ‘Autopsy of a PR crisis’ webinar!

A data breach is a crime. But the real damage often happens afterward.

In this live PR crisis simulator, we reopen a data breach case and examine the communications response like a crime scene. You will inspect the evidence, follow the timeline, spot where the response broke down, and see how the situation could have been handled differently.


Teis Meijer
Post by Teis Meijer
Teis leads marketing and PR at Presspage, untangling complex PR processes to help global brands tell better stories. He combines creativity with data-driven communications to transform PR operations.