What to Do After a Data Breach? A Complete Guide for Individuals and Businesses
Data breaches are no longer rare events that happen only to big corporations. According to the Identity Theft Resource Center's 2025 Annual Data Breach Report, the United States alone recorded 3,332 data compromises in 2025, a new all-time record and a 79% increase over five years. Whether you are an individual whose information was exposed or a business that suffered an attack, what you do in the hours and days after a breach determines how much damage you actually face.
How to Know If Your Data Was Involved
When a company suffers a data breach, state breach-notification laws (and sector rules such as HIPAA) require it to notify affected individuals once certain categories of personal information are exposed. Deadlines vary by state, and some companies delay disclosure, leaving people exposed longer than they should be.
If you received a breach notification letter or email, read it carefully. It should tell you exactly what type of information was exposed. If the notice is vague, contact the company directly and ask. The type of information exposed determines which protective steps you need to take. Some breaches only expose email addresses. Others leak Social Security numbers, credit card details, or passwords. Knowing the difference helps you respond proportionally rather than panicking over everything at once.
You can also check the website HaveIBeenPwned.com, which tracks publicly disclosed breaches and lets you search your email address to see if it appeared in any known datasets.
Steps for Individuals to Take Immediately
Change Your Passwords Right Away
If passwords were exposed in the data breach, change them immediately, even if the company says they were stored in hashed form: weak hashes are cracked offline within hours, and attackers try the recovered passwords against other popular sites (credential stuffing) before users get around to resetting them. Change the password on every other account where you reused it or a close variation of it, and sign out of all active sessions where the service offers that option. Do not reuse the old password or a slight variation of it. Use a unique, strong password for each account and consider a password manager to keep track.
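One practical way to find out whether a password you are about to retire (or one you are about to adopt) is already circulating in breach dumps is the Pwned Passwords range lookup, which the same HaveIBeenPwned service exposes. The example below is added here and is not code from the article or from HaveIBeenPwned; it assumes the documented range endpoint at api.pwnedpasswords.com and embeds a constructed sample response so it runs offline. The point it demonstrates is k-anonymity: only the first five hex characters of the password's SHA-1 ever leave your machine, and the match against the returned suffixes happens locally.

```python
# Added example: check a candidate password against the Pwned Passwords
# corpus with k-anonymity, so the password itself never leaves your machine.
# Only the first five hex characters of its SHA-1 are sent; the service
# returns every known hash suffix in that range and the local code matches.
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict.

    With the Add-Padding header the service mixes in fake suffixes with a
    count of 0 to hide the true range size; those are dropped here.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # malformed line; ignore rather than crash
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash-prefix range (network access required)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "breach-response-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in known breach corpora (0 = not seen)."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample response for the range 5BAA6 (SHA-1("password") begins
# with 5BAA6). The counts and the other suffixes are made up for this example;
# the last line imitates a zero-count padding entry.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000000
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:7
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range so the example runs without network access."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch=offline_fetch)
        verdict = f"seen {n} times, change it everywhere" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

Swap `offline_fetch` for the default `fetch_range` to query the live service. A non-zero count means the password is in attackers' wordlists and should be retired on every account where it was used, not just the breached one.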
Turn On Two-Factor Authentication
Multifactor authentication requires two or more pieces of evidence to prove your identity, typically something you know (a password) plus something you have (a phone or security key). It adds a small step to sign-in, but a stolen password alone no longer gets an attacker in. Enable it on every account that supports it, starting with your email (which controls password resets for everything else), your bank, and any account holding sensitive information. An authenticator app or hardware security key is preferable to SMS codes, which can be intercepted through SIM swapping.
Place a Credit Freeze or Fraud Alert
You have the right to place a fraud alert with the credit bureaus; contacting one of the three (Equifax, Experian, or TransUnion) is enough, because that bureau must notify the other two. An active fraud alert tells lenders processing credit applications in your name that you may be a victim of fraud or identity theft and instructs them to take additional steps to verify your identity before approving the application. An initial fraud alert stays on your credit report for one year and can be renewed; confirmed identity theft victims can request an extended alert that lasts seven years.
A credit freeze is stronger. It blocks anyone, including you, from opening new credit in your name until you lift it. Freezes are free but must be placed separately with each of Equifax, Experian, and TransUnion. If your Social Security number was exposed, place a freeze as soon as possible. Note that a freeze does not stop misuse of accounts that already exist, which is why the monitoring described next still matters.
Monitor Your Accounts and Credit Reports
Keep tabs on your bank and financial accounts and turn on every available alert for transactions, new logins, and changes to contact details. You can check your credit reports for free from all three bureaus at AnnualCreditReport.com. Look for accounts you do not recognize, unfamiliar addresses added to your profile, or credit inquiries you did not initiate.
Accept Free Services Offered by the Breached Company
If the breached company offers free services such as credit monitoring or identity theft insurance, take advantage of them. Read the enrollment terms, but such offers generally do not waive your right to sue or join a class action; they are protective tools to use while you evaluate your options.
Consider Whether You Have a Legal Claim
When a data breach affects thousands or even millions of people, filing one case for each person is impossible. That is where a class action lawsuit comes in. In a class action, one or more victims represent the entire group. If the case is successful, victims may receive money for damages, credit repair, and other relief.
Under the CCPA, California residents can sue a company for statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater) without proving financial loss, where the breach resulted from a failure to maintain reasonable security. Most other states do not offer a comparable private right of action, so claims elsewhere typically rest on negligence, contract, or consumer-protection theories. Consult a privacy or data breach attorney to understand what your specific situation may entitle you to. For more context on how these lawsuits work, see our coverage of the Gmail $425M Privacy Settlement and the Labcorp Data Privacy Lawsuit on AllAboutLawyer.com.
Steps for Businesses to Take After a Data Breach
Contain the Breach First
Move quickly to cut off the attacker's access and close the hole that let them in; the only thing worse than a data breach is a second one through the same door. Containment and evidence preservation have to happen together: isolate affected machines from the network rather than powering them off (shutting down destroys memory-resident evidence), and take forensic images before rebuilding anything.
Upon discovery, disable or reset every credential the attacker may hold, including service accounts, API keys, and tokens, not just the accounts of named employees, and restrict access to critical data to those who absolutely require it. This removes the attacker's ability to keep operating through legitimate permissions and buys time to patch systems and update firewalls, antivirus, and other security software.
Assemble Your Response Team
Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and nature of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, and management. Consider hiring independent forensic investigators to help you determine the source and scope of the breach.
Document everything: who did what, when, and on which systems. Do not destroy or alter forensic evidence in the course of your investigation; work from copies, record cryptographic hashes of everything you collect, and keep a chain-of-custody log. Evidence handled carelessly can be challenged in litigation and may be unusable in a criminal referral.
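The hashing and custody record described above can be as simple as a manifest written at collection time and re-checked before analysis and before hand-off to counsel. The following is an added example, not code from the article or from any incident-response product; the case identifier, collector address, and the two artifacts are constructed for the demonstration. It builds the manifest, verifies it, then shows that a post-collection edit to one file is detected.

```python
# Added example: build and verify an integrity manifest for collected
# evidence, so any later change to a file is detectable. Hash at collection
# time; verify before analysis and again before handing material to counsel.
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(case_id: str, collector: str, paths: List[str]) -> Dict:
    """Record who collected what, when, from which host, and each file's SHA-256."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": now,
        "collection_host": socket.gethostname(),
        "items": [
            {"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
        # Append one entry per hand-off so the custody chain is reconstructible.
        "custody_log": [{"event": "collected", "by": collector, "at": now}],
    }


def verify_manifest(manifest: Dict) -> List[str]:
    """Return the paths whose current size or hash no longer matches the manifest."""
    mismatches = []
    for item in manifest["items"]:
        p = item["path"]
        if (not os.path.exists(p)
                or os.path.getsize(p) != item["size"]
                or sha256_file(p) != item["sha256"]):
            mismatches.append(p)
    return mismatches


def demo() -> Dict[str, List[str]]:
    """Collect two constructed artifacts, verify, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as d:
        auth_log = os.path.join(d, "auth.log")
        export = os.path.join(d, "db_export.csv")
        # Constructed sample artifacts; not from a real incident (203.0.113.0/24 is a documentation range).
        with open(auth_log, "w") as f:
            f.write("Jan 12 03:14:07 web01 sshd[812]: Accepted password for svc_backup from 203.0.113.9\n")
        with open(export, "w") as f:
            f.write("id,email\n1,alice@example.com\n")

        manifest = build_manifest("IR-2025-0001", "analyst@example.com", [auth_log, export])
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)  # store this beside the evidence, on read-only media
        clean = verify_manifest(manifest)

        # Someone "tidies" the log after collection; the recorded hash no longer matches.
        with open(auth_log, "a") as f:
            f.write("Jan 12 03:20:00 web01 sshd[812]: session closed\n")
        tampered = verify_manifest(manifest)

        return {"clean": clean, "tampered": [os.path.basename(p) for p in tampered]}


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself should be signed or stored on write-once media, since an attacker or a careless colleague with write access to both the evidence and the manifest could update both consistently.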
Notify Affected Individuals and Regulators
This is where many businesses get into serious legal trouble by moving too slowly. Notification deadlines vary significantly depending on which laws apply to your business and where your customers are located.
GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach that is likely to pose a risk to individuals. HIPAA requires notification to affected individuals and HHS without unreasonable delay and no later than 60 days after discovery. Most U.S. states require notification without unreasonable delay; where a state sets a fixed deadline, it generally falls between 30 and 60 days.
As of 2026, 20 states specify numeric deadlines for consumer notification, ranging from 30 to 60 days. States requiring notification within 30 days include Colorado, Florida, New York, and Washington. California's general breach statute, by contrast, sets no fixed number of days and instead requires notice in the most expedient time possible and without unreasonable delay.
Under HIPAA, a breach affecting more than 500 residents of a state or jurisdiction also requires notice to prominent media outlets serving that area; breaches of 500 or more individuals must be reported to HHS within the same 60-day window, while smaller ones are logged and reported annually. Separately, many state laws require you to notify the three major credit bureaus, Equifax, Experian, and TransUnion, when a breach affects more than 1,000 residents; the exact threshold varies by state.
Get Legal Counsel Immediately
A data breach is a legal event, not just a technical one. Contact a privacy attorney as soon as you discover the breach. They will help you understand which notification laws apply, draft compliant notifications, manage communications with regulators, and prepare for the class action litigation that often follows large breaches.
Under CCPA, for a breach affecting 100,000 California residents, statutory damages exposure alone runs from $10 million to $75 million — before accounting for other claims.
Patch the Vulnerability and Strengthen Security
After containing the incident and meeting your notification obligations, fix the underlying problem: patch the exploited vulnerability, tighten access controls, correct insecure configurations, rotate every credential the attacker could have captured (administrative passwords, service-account secrets, API keys, session tokens, and signing keys), and enforce multi-factor authentication. Check the rotation against the forensic findings so that it covers the attacker's actual footholds and not just the obvious administrator accounts.
IBM’s 2025 Cost of a Data Breach Report found that companies with fully deployed security AI and automation saved an average of $1.7 million in breach costs and reduced containment time by 44%. Post-breach is the right time to invest in continuous monitoring, not just one-time fixes.
The Biggest Mistake Businesses Make
Delay. A French hospital that missed the GDPR 72-hour notification window after a ransomware attack faced a €3.2 million fine for the notification failure alone. The legal consequences of failing to notify on time are often larger than the costs of responding quickly and transparently.
According to Verizon's 2025 Data Breach Investigations Report, third-party involvement in breaches doubled in a single year, climbing from 15% to 30% of all breaches analyzed. Even when the intrusion happened at a vendor, payroll processor, or software provider, the company whose customers' data was exposed generally remains responsible for notifying them, so vendor contracts should require prompt incident notification and spell out who notifies whom.
What the Breach Notification Must Include
Whether you are a business drafting a notice or an individual reading one, a legally compliant breach notification should cover what happened, when it occurred, what data was exposed, the steps the company is taking to fix the situation, and what actions the affected person should take to protect themselves. Failing to include clear, actionable guidance in the notification — such as resetting passwords, enabling two-factor authentication, or monitoring financial accounts — is itself a compliance gap.
Frequently Asked Questions
How will I know if my data was breached?
The company that suffered the breach is generally required by law to notify you, usually by letter or email. You can also proactively check HaveIBeenPwned.com with your email address to see whether it has appeared in any known breached datasets.
Should I accept the free credit monitoring offered by the breached company?
Yes. Accepting it does not give up your right to sue or join a class action. It is a protective tool, not a legal waiver.
How long do I have to file a lawsuit after a data breach?
Statutes of limitations vary by state and by the specific law involved. Do not wait. Speak with a data breach attorney as soon as possible. Many work on a contingency basis, meaning you pay nothing unless they recover money for you.
How quickly does a business have to notify people after a breach?
It depends on which laws apply and where your customers are located. GDPR requires notifying the regulator within 72 hours. HIPAA requires notification within 60 days of discovery. Most U.S. states require notification without unreasonable delay, and those with fixed deadlines set them at 30 to 60 days; several require action within 30 days. Businesses operating across multiple states must comply with each state's rules for that state's residents.
What happens if a business fails to notify people on time?
Penalties can include civil fines ranging from hundreds to thousands of dollars per affected individual, class action lawsuits from affected consumers, regulatory investigations, and significant reputational damage that can impact customer trust and business relationships.
Can a small business be targeted by a data breach?
Yes. Small and medium-sized businesses accounted for 70.5% of the data breaches identified in the Data Breach Observatory in 2025, making companies with 1 to 249 employees the most frequently targeted group.
Sources: Identity Theft Resource Center, 2025 Annual Data Breach Report; IBM, 2025 Cost of a Data Breach Report; Verizon, 2025 Data Breach Investigations Report; Federal Trade Commission, Data Breach Response Guide for Business; Privacy Rights Clearinghouse, 2026 Data Breach Notification Laws Survey; Compliquest, CCPA Data Breach Requirements Guide 2026; Foley & Lardner, State Data Breach Notification Laws Chart (March 2026)
Disclaimer: This article is for general informational purposes only and does not constitute legal advice. Breach notification requirements vary by jurisdiction, industry, and the specific facts of each incident. Consult a licensed attorney for guidance on your specific situation.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.