Data breaches are no longer unprecedented events — they are an unfortunate corporate reality. The financial, legal, and reputational consequences of a breach continue to expand, and the legal framework governing response obligations has simultaneously grown increasingly complex. Drawing on lessons learned from thousands of incident responses, this GT Advisory provides a practical overview of the current threat landscape, applicable legal obligations, the wide spectrum of breach-related costs, and some of the most common and consequential mistakes companies make in responding to an incident.
Lessons Learned: 10 Mistakes Companies Make Responding to a Breach
Experience across thousands of incident responses reveals a consistent set of mistakes that organizations make, often compounding an already difficult situation. The following offers practical considerations for stakeholders working to avoid such mistakes.
- Being Unprepared: Preparation is a key factor in breach response outcomes. Organizations that have not developed an incident response plan, designated response leaders, established a communications strategy, or conducted a tabletop exercise may face worse outcomes, including higher costs, longer containment times, greater regulatory exposure, and more significant reputational harm. Preparation is the foundation of an effective response.
- Not Identifying Key External Vendors in Advance: Within hours of identifying a significant incident, companies impacted by a breach should consider engaging two vendors: experienced outside legal counsel and a forensic investigator. The right time to identify, vet, and establish relationships with these providers is before an incident occurs. Impacted parties should consider engaging their vendors through counsel via a three-party agreement to help preserve attorney-client privilege over the forensic investigation. Organizations should also consider reviewing their cyber insurance policies, as many include a panel of preferred vendors. Obtaining approval to use an off-panel vendor may prove easier at policy purchase than during an active incident.
- Analysis Paralysis & Failing to Project Manage: Incident response often involves choosing among difficult options, and it generates numerous simultaneous workstreams spanning technical remediation, legal analysis, regulatory notification, customer communication, and executive briefings, among others. Too many stakeholders without a clear decision-maker may bring a response to a halt at precisely the moment when speed matters most. An effective response requires accepting the situation for what it is, identifying who has ultimate decision-making authority, and taking accountability for the consequences. Equally important is a dedicated project manager actively assigning tasks, tracking progress, and ensuring critical items do not fall through the cracks. The project manager does not need to be the decision-maker, but must be highly organized, accountable, and empowered to hold all workstreams – technical, legal, regulatory, customer, and C-level – to schedule. Without both clear decision-making authority and disciplined project management, critical items may be overlooked and the response may stall.
- Striking the Right Balance with Customer Notifications: Waiting too long to notify key stakeholders can erode trust and signal disorganization. Many B2B customer contracts require notification within 24 to 72 hours — a timeline that may be difficult to meet without advance preparation in a major multi-customer incident. Delays also risk non-compliance with contractual and regulatory notification requirements, potentially converting what might have been a manageable incident into a separate compliance violation with its own consequences. That said, notifying a customer with only limited facts available and no clear timeline can be counterproductive. When organizations send initial notifications, they should consider setting clear and realistic expectations about what is known, what is not yet known, and when updates will be provided. The goal is to communicate credibly and with validated information. Moving too quickly can also pose issues – speed alone is not the measure of an effective notification.
- Sloppy Communication: Confirming containment before the forensic provider is prepared to support that conclusion is a common and damaging error, as is prematurely declaring that there was no data impact, or no impact to particular types of data or systems. In practice, reportable data is frequently present within a stolen data set, and walking back a prior statement may damage credibility with customers, regulators, and courts. The tone of breach communications may also factor into regulatory proceedings and subsequent litigation.
- Failing to Follow Up on Customer Communications: In B2B incidents, failing to establish a regular cadence of updates — or overpromising and underdelivering on a promised update — leaves customers without information and can breed frustration and distrust. Accordingly, organizations may wish to equip front-line employees with clear talking points, and should consider including a defined escalation path for customer questions and a clear process for responding to them in breach communications plans. The initial notification is the beginning of the customer communication obligation, not the end of it.
- Not Listening to External Experts: Outside counsel and forensic advisors engaged in a breach response have collectively managed more incidents than an internal team. While no one understands a particular organization better than its own people, external advisors bring pattern recognition developed across thousands of incidents. Organizations that follow established breach response practices — even when the guidance is inconvenient — may achieve better outcomes.
- Refusing to Consider Engaging with a Threat Actor: While there are valid reasons not to pay a ransom or engage with an extortionist, the option warrants consideration rather than reflexive dismissal. Engaging in negotiations can buy time to investigate, remediate, and prepare a communications plan. In some cases, threat actors who believe payment is possible are more patient, and engagement sometimes results in the threat actor providing a file tree of the documents they accessed — which can be valuable for scoping the incident. If an organization decides to make a payment, it may be able to negotiate below the threat actor’s initial demand. This decision carries legal, regulatory, and reputational dimensions.
- Failing to Report an Incident: Organizations sometimes conclude that because they cannot definitively confirm data was stolen, no notification obligation has been triggered. The downside risk of that conclusion can be significant. Exfiltrated data frequently surfaces on the dark web and is linked back to the source organization, which may result in loss of customer trust, regulatory scrutiny, and litigation. Many individuals, companies, and regulatory bodies maintain monitoring tools that flag the appearance of their data on the dark web, and the absence of confirmed exfiltration does not necessarily eliminate a reporting obligation under applicable law.
- Overreporting: Some organizations report the loss of customer information even where no legal obligation exists. Voluntary disclosure where no legal obligation has been triggered may carry real risk. Breach class actions sometimes follow publicly reported incidents affecting more than 3,000 individuals. Organizations should consider grounding such decisions in jurisdiction-specific legal analysis that distinguishes between what an organization believes it should do and what the law requires.
Takeaways
Organizations looking to improve their cyber readiness may wish to consider the following:
- Develop, document, and regularly test an incident response plan — including designated roles, a communications strategy, and tabletop exercises — before an incident occurs.
- Pre-engage outside legal counsel and forensic vendors under retainer and establish tripartite privilege agreements in advance, not under the pressure of an active breach.
- Designate a clear decision-maker and a dedicated project manager so that competing voices do not create paralysis and no workstream falls behind.
- Understand your notification obligations across all applicable jurisdictions before a breach occurs and communicate with stakeholders credibly and with validated information.
- Base reporting decisions on legal analysis: avoid underreporting when disclosure is required and overreporting when it is not, and involve outside counsel and forensic advisors throughout.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.