BREACHGRID · Breach Response · Recovery · Authority Contacts

If your data has been breached — read this first.

A practitioner's breach response guide, US-focused. Immediate actions, who to call, how to freeze your credit, recover your identity, and meet regulatory obligations. Not legal advice — but the operational playbook every person and IT leader should know.

⚠ If this is happening right now: Don't panic. Don't wipe devices. Don't pay anything. Isolate affected systems from the network, preserve evidence, and start the timeline below. Legal counsel and insurance carrier come before public comms.

Immediate Actions

The First 24 Hours.

Most breach outcomes are determined in the first 24 hours. The mistakes happen in the first 60 minutes — from wiping evidence, to paying ransom without authorization, to notifying the wrong parties.

1. Isolate, don't wipe

Disconnect affected systems from the network (pull the cable / disable Wi-Fi) but do not power off unless critical. Memory and running-process evidence is lost on shutdown. Your future forensic investigation depends on this.

2. Switch to out-of-band communication

Assume the attacker is reading your email. Use personal phones / Signal / in-person meetings for internal incident comms until you've confirmed the attacker is out. No email, no company chat, no shared documents.

3. Engage legal counsel FIRST

Before talking to anyone outside the core response team — loop in an attorney (ideally one familiar with cyber breach response). Legal privilege protects investigation communications. Your IR firm, your insurance claim, your regulatory filings all run through counsel.

4. Notify your cyber insurance carrier

Most policies require notification within a short window (often 24–72 hours) to preserve coverage. They'll also assign a panel IR firm — don't hire one until you've checked. Wrong firm = out-of-pocket costs.

5. Engage an incident response firm

If you don't have one on retainer, your insurance will assign one. They'll triage scope, coordinate forensics, and guide regulatory timelines. Trying to DIY a major breach is where things go permanently wrong.

6. Preserve evidence

No cleanup. No patching. No re-imaging. Nothing until forensics collects images and logs. Document decisions in a running log (date, time, decision, decider). This log becomes critical in legal proceedings.

7. Activate the IR plan. Don't improvise.

If you have a documented incident response plan, run it. If you don't, that's tomorrow's problem — today, work with counsel and the IR firm. Avoid ad-hoc decisions at the executive level.
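The running decision log from step 6 and the notification clocks mentioned in steps 4 and 5 are easy to lose track of in the first day. Below is an added example (it is not code from this page or from BreachGrid) of a minimal, append-only decision log with deadline tracking for the windows the page names. It assumes a 72-hour insurance window (the page says "often 24–72 hours"; your policy governs), a 4-business-day SEC window counted from whatever start time you pass in with weekends skipped and no holiday calendar, and a 72-hour IC3 window. The dates and entries in it are constructed sample data.

```python
"""Added example (not from the BreachGrid page): an append-only incident
decision log plus due times for the notification windows the page names.
Assumptions: insurance window = 72h (policy-dependent), SEC Form 8-K = 4
business days from the supplied start time with weekends skipped and no
holiday calendar, IC3 wire-fraud window = 72h. Sample data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class LogEntry:
    when: datetime     # when the decision was made
    decision: str      # what was decided
    decider: str       # who made the call (name or role)


@dataclass
class IncidentLog:
    discovered_at: datetime
    entries: List[LogEntry] = field(default_factory=list)

    def record(self, when: datetime, decision: str, decider: str) -> int:
        """Append a decision. Entries are never edited or deleted; returns the entry count."""
        self.entries.append(LogEntry(when, decision, decider))
        return len(self.entries)

    def render(self) -> str:
        """One line per decision, in chronological order, for counsel and insurer."""
        ordered = sorted(self.entries, key=lambda e: e.when)
        return "\n".join(
            f"{e.when.isoformat(timespec='minutes')} | {e.decider} | {e.decision}"
            for e in ordered
        )


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `days` business days, skipping Saturday and Sunday only (no holidays)."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


def deadlines(start: datetime) -> Dict[str, datetime]:
    """Due times for the windows the page lists, measured from `start`.

    For the SEC clock the real trigger is the materiality determination,
    which counsel makes; pass that time as `start` when it is known."""
    return {
        "insurance_carrier": start + timedelta(hours=72),   # assumed 72h; check policy
        "ic3_wire_fraud": start + timedelta(hours=72),      # 72h for the Financial Fraud Kill Chain
        "sec_form_8k": add_business_days(start, 4),         # 4 business days, weekends skipped
    }


def overdue(start: datetime, now: datetime) -> List[str]:
    """Names of the windows that have already closed at `now`, sorted for stable output."""
    return sorted(name for name, due in deadlines(start).items() if now > due)


if __name__ == "__main__":
    # Constructed sample: discovery on a Friday afternoon.
    discovered = datetime(2024, 3, 1, 15, 0)
    log = IncidentLog(discovered)
    log.record(datetime(2024, 3, 1, 15, 10), "Engaged outside counsel", "CISO")
    log.record(datetime(2024, 3, 1, 15, 30), "Isolated file server from network", "IT lead")
    print(log.render())
    for name, due in deadlines(discovered).items():
        print(f"{name}: due {due.isoformat(timespec='minutes')}")
```

Because the SEC clock skips the weekend, a Friday-afternoon start lands the 4-business-day deadline on the following Thursday, while the two 72-hour clocks expire on Monday afternoon; that asymmetry is exactly what gets missed when everyone counts "days" in their head.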

US Authority Contacts

Who to call.

These are the authoritative US contacts. Each serves a distinct purpose — don't confuse them.

🛡️ FBI IC3

Primary federal cybercrime reporting. Wire fraud / BEC: file within 72 hours for the Financial Fraud Kill Chain.

File at ic3.gov
Phone local FBI field office

🏛️ CISA

Cybersecurity & Infrastructure Security Agency. For critical infrastructure, federal contractors, nationally significant incidents.

24/7 line 1-844-SAY-CISA (1-844-729-2472)
Email report@cisa.gov

🕵️ US Secret Service

Financial cybercrime — wire fraud, business email compromise, ransomware with cryptocurrency components.

Field office secretservice.gov
Cyber Electronic Crimes Task Force

⚖️ FTC

Consumer identity theft. Start here if you're an individual whose personal info was exposed.

Identity theft IdentityTheft.gov
Fraud report reportfraud.ftc.gov

🏦 SEC (public companies)

Publicly traded companies must disclose material cybersecurity incidents via Form 8-K within 4 business days.

Form 8-K Item 1.05
Rule Reg S-K Item 106

🏛️ State Attorney General

Each state has breach notification laws with specific AG notification requirements. California's DPA is strictest; New York SHIELD Act also significant.

Find yours naag.org

💳 IRS (tax ID theft)

If SSN was exposed and you suspect tax identity theft: file IRS Form 14039.

Hotline 1-800-908-4490
Form 14039 (ID Theft Affidavit)

🔐 Social Security Admin

If SSN exposed: report to SSA, request earnings statement review, consider new SSN in extreme cases.

Fraud hotline 1-800-269-0271

Personal Protection

Freeze your credit. All three.

Credit freezes are free since 2018 (FCRA). Freezing only one bureau is useless — criminals just use the other two. Freeze all three.

Equifax

Phone 1-800-349-9960

Experian

Phone 1-888-397-3742

TransUnion

Phone 1-888-909-8872

Free Credit Reports

Weekly free reports since 2023.

Official source annualcreditreport.com

Personal Recovery

If your data was exposed in a breach.

  1. Check haveibeenpwned.com — search your email; see which breaches exposed you.
  2. Change passwords on the breached site first — then any other site where you reused that password (you shouldn't have, but we're dealing with reality).
  3. Turn on 2FA everywhere that offers it — prefer authenticator apps (Aegis, 1Password, Authy) over SMS.
  4. Freeze credit at all three bureaus (above).
  5. Watch bank statements and credit card activity for 6–12 months. Small charges first, then larger.
  6. Change security questions on anything sensitive. Answers are often in the same data dumps as passwords.
  7. Be aggressive with phishing filtering — breached email addresses get spammed with authentic-looking targeted phishing for weeks after.
  8. If SSN exposed: file IRS Form 14039 if you suspect tax fraud; consider new SSN only in extreme cases.
  9. Visit IdentityTheft.gov for a personalized recovery plan if identity theft has occurred.
  10. Keep a timeline of everything you did and when. You may need it for disputes, insurance claims, or legal proceedings.

Recommended Tools
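Step 1 points at haveibeenpwned.com. Its Pwned Passwords service can also be queried without ever sending a password or its full hash: only the first five hex characters of the SHA-1 go to the server, which returns every hash suffix it knows under that prefix, and the match is made locally. The following is an added example of that k-anonymity lookup; it is not code from this page or from Have I Been Pwned. `SAMPLE_RANGE` is a constructed stand-in for a real response so the example runs offline; the `fetch_range` function is the one network call and uses the real `https://api.pwnedpasswords.com/range/` endpoint and its `Add-Padding` header.

```python
"""Added example (not from the BreachGrid page or Have I Been Pwned):
checking a password against the Pwned Passwords range API with its
k-anonymity scheme. Only the 5-char SHA-1 prefix leaves the machine.
SAMPLE_RANGE is constructed; the count for "password" is made up."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response. Real responses are one
# "SUFFIX:COUNT" line per known hash, CRLF-separated; padded responses
# also contain filler lines with a count of 0. The first line's suffix is
# the real SHA-1 tail of "password"; its count is invented for the demo.
SAMPLE_RANGE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
    "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:3\r\n"
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n"   # padding-style entry
)


def sha1_prefix_suffix(password: str):
    """Uppercase SHA-1 hex split into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF, blank and malformed lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue  # skip anything that is not a count
    return counts


def breach_count(password: str, body: str) -> int:
    """How many times the password appears in the range response `body` (0 if absent).

    `body` must be the response for this password's own prefix; a response
    for a different prefix can never contain the suffix and yields 0."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network call: GET the range for a 5-char prefix. Add-Padding hides the result-set size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full lookup against the live service; the password itself never leaves the machine."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demo against the constructed response.
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, SAMPLE_RANGE))
```

A non-zero count means the exact password is in a known dump and belongs on the "change now" list from step 2 regardless of which site it was used on; a zero only means it is absent from this corpus, not that it is strong.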

Tools that actually help (personal use).

Password Managers

Free/open source Bitwarden
Sovereignty KeePassXC
UX leader 1Password

2FA Authenticator Apps

Android (open) Aegis
iOS (open) Raivo OTP
Hardware YubiKey 5, Titan

Breach Monitoring

HIBP haveibeenpwned.com
Firefox Monitor monitor.firefox.com

Email Privacy

Aliasing SimpleLogin, AnonAddy
Encrypted mail Proton, Tuta

Deep Dives · ActionGrid Articles

Read further.

Article-length breakdowns of specific scenarios: executive breach playbook, ransomware negotiation, BEC recovery, state-by-state notification, supply chain breaches, and template disclosure letters.

What To Do In The First 24 Hours

The calm-first playbook: isolate, preserve, engage legal, out-of-band comms — and the things you must NOT do.

US Cyber Authorities: Who to Call

FBI IC3, CISA, Secret Service, state AG, SEC — what each does, when to call each, and how to report effectively.

Credit Freezes: Step by Step

All three bureaus, walked through. Child credit freezes. When to lift. Fraud alerts vs freezes.

Identity Theft Recovery Workflow

The IdentityTheft.gov five-step process, police reports, credit bureau disputes, tax-related ID theft.

Executive Breach Response Playbook

Board notification, crisis comms, counsel, insurance, regulators — the 48-72h window that sets the trajectory.

GDPR Breach Notification Requirements

The 72-hour clock, DPA notification, when "high risk" triggers data subject notification, recent fine examples.

Ransomware Negotiation: When NOT to Pay

OFAC sanctions lists, decryptor existence, insurance position, reconstitution economics, and "paid and still leaked" reality.

Business Email Compromise Recovery

Wire fraud specifics, IC3 within 72h, bank notification, the Financial Fraud Kill Chain, recovery realities.

Breach Disclosure Letter Templates

Consumer, employee, and regulatory notification templates. What to include, what to avoid, what lawyers want changed.

Supply Chain Breach: Your Responsibilities

When a vendor gets breached — contract review, shared-responsibility, customer notification chain, future contract language.

Disclaimer: This page is informational only. It is not legal advice, financial advice, or a substitute for engaging counsel and qualified incident response professionals. Reporting thresholds and regulatory obligations vary by jurisdiction and industry. Always verify current requirements with your legal team.