The first 24 hours after a data breach in 2026
The legal clock on a data breach response is shorter than it used to be, and the regulators are no longer asking nicely.
The first twenty-four hours after a data breach are still the most important hours of the response, but the legal architecture around those hours has hardened considerably since most companies last looked at their incident response plan. If your written plan was drafted before December 2023, it is almost certainly out of step with at least one regulator’s expectations, and probably several.
The clock starts when discovery happens, not when the breach happens. Some intrusions are detected within minutes by an endpoint detection platform; others sit undetected for months and surface during an unrelated audit. The legal timer starts the moment a person inside the company reasonably should have known that an incident occurred. That phrase has been doing a lot of work in regulator letters lately, because companies often try to argue that discovery happened on the day senior counsel got the formal write-up, when the IT team had been triaging the issue for two weeks. State attorneys general and the SEC have stopped accepting that distinction at face value.
The substantive obligations are now layered, and they do not run on the same clocks. Under the SEC’s cybersecurity disclosure rule effective in December 2023, a public company has four business days from the determination that an incident is material to file an 8-K, and the determination itself must be made without unreasonable delay. Under HIPAA, a covered entity has sixty days from discovery to notify individuals of a breach of unsecured protected health information, and sooner if the breach involves more than five hundred residents of a single state. Under state breach notification laws (every state plus the District of Columbia has one), the deadlines range from thirty to ninety days, with several states requiring notification to the attorney general at the same time. Add the FTC’s Health Breach Notification Rule for non-HIPAA health apps, plus the GDPR’s seventy-two-hour clock for any EU resident affected, and the practical reality is that the response team is running multiple deadlines simultaneously from the same set of facts.
What this means in practice is that the first twenty-four hours have to accomplish three things in parallel. The technical team has to contain the breach, preserve forensic evidence, and avoid spoliation that will haunt the litigation later. The legal team has to identify which regimes apply, which clocks are running, and where the notification thresholds sit. The executive team has to make the materiality determination for SEC purposes if the company is public, the substantial-risk-of-harm determination for state-law purposes in many jurisdictions, and the decision about whether to engage outside breach counsel and a forensic firm under privilege. None of these can wait until the company has a complete picture, because by the time the picture is complete, the deadlines have already passed.
The single biggest gap I see when reviewing incident response plans is that they were written as if the response were sequential: identify the breach, then contain it, then notify counsel, then assess obligations, then notify regulators, then notify individuals. The reality is that those steps run in parallel and on different clocks, and the plan needs to be built that way. The companies that survive the first twenty-four hours intact are the ones whose plans treat parallelism as the default, with named owners for each track and decision authority pre-allocated. The companies that struggle are the ones that built a plan around the assumption that the lawyers would have time to think.
The practical takeaway is to pull your written incident response plan, look at the date on it, and ask whether anything in it would change if the SEC’s four-day clock applied to your company. If your plan does not name a materiality decision-maker, a forensic firm on retainer, breach counsel on retainer, and a state-by-state notification matrix, the plan is not finished. The cost of finishing it in advance is a fraction of the cost of building it during the breach.