Your CRM gets hacked. Or your email account. Or a vendor loses your donor data. Your first instinct will be panic. Your second instinct will be: what do I do?

Having a plan in advance prevents panic and ensures you do the right things in the right order. This lecture walks you through building an incident response plan.

Why You Need a Plan Before a Breach

When you're breached, you don't have time to think. You have 30-45 days (depending on state law) to notify affected people. You have hours or days to stop the breach from getting worse. You need a plan you can execute immediately.

A good plan saves money (you know what to do, don't panic and overspend), reduces liability (you followed a reasonable process), and builds trust (you communicate clearly and quickly).

The Incident Response Checklist

Before a Breach Happens

Create an incident team: Executive Director (decision-maker), IT/security person (technical lead), CFO (budget), Communications (external messaging), Legal/Insurance (compliance).

Know your insurance: Do you have cybersecurity liability insurance? Call and ask what's covered. Get emergency contact numbers.

Document your systems: What systems hold data? Who has access? Where are backups? Write this down so when there's an emergency, you're not digging through email.

Have contact lists: Phone/email for incident team. Vendor security contacts. Lawyer. Insurance agent. Law enforcement (FBI, state attorney general). Write these down and keep a paper copy (in case email is compromised).

When You Discover a Breach (Hour 0)

  1. Pause and assess: How did you find it? Is the system still being accessed? Do you have evidence (logs, screenshots)? Write down when you discovered it and how.
  2. Notify the incident team: Call/text immediately (not email—email might be compromised). Say: "We may have a breach. All hands meeting in 30 minutes."
  3. Preserve evidence: Don't delete anything. Screenshots of unusual activity, log files, anything that shows how it happened.
  4. Isolate the compromised system: If a server is breached, disconnect it. If an email account is hacked, reset its password immediately. If your CRM is compromised, change master passwords and audit access.
  5. Determine scope: What data was accessed? How many people? How confident are you in this assessment?
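Steps 1 and 3 above ask you to write down when and how you discovered the breach and to keep the logs and screenshots unchanged. The script below is an added example, not part of the original lecture, showing one way a small IT team can do that: hash every evidence file, record the discovery details alongside the hashes in a manifest, and later re-check the manifest to prove nothing was altered or lost before legal or a forensics firm looks at it. The directory layout, the `demo()` inputs and the two audit-log lines are constructed for the example; the hashing approach is the author of this example's choice, not something the lecture prescribes.

```python
"""Evidence-preservation manifest for the Hour-0 checklist.

Added example (not from the original lecture). Assumes the evidence you
want to preserve (exported logs, screenshots, notes) has already been
copied into one directory. All sample file contents are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream the file so large log exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, discovered_at, discovered_by, how_found):
    """Record discovery details plus size, mtime and SHA-256 of each file."""
    root = Path(evidence_dir)
    files = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            stat = path.stat()
            files.append({
                "path": str(path.relative_to(root)),
                "size": stat.st_size,
                "mtime_utc": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    return {
        "discovered_at": discovered_at,      # step 1: when you found it
        "discovered_by": discovered_by,
        "how_found": how_found,              # step 1: how you found it
        "manifest_created_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def write_manifest(evidence_dir, manifest):
    """Store the manifest next to the evidence; keep a printed copy too."""
    out = Path(evidence_dir) / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_manifest(evidence_dir, manifest):
    """Return a list of problems: files that went missing or changed."""
    root = Path(evidence_dir)
    problems = []
    for entry in manifest["files"]:
        path = root / entry["path"]
        if not path.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    return problems


def demo():
    """Constructed scenario: a mailbox audit log, a note, then a lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample log lines (not real data).
        (root / "mail_audit.log").write_text(
            "2024-03-01T02:14:07Z login user=director@example.org "
            "ip=203.0.113.9 result=success\n"
            "2024-03-01T02:15:31Z rule_created user=director@example.org "
            "action=forward_all\n"
        )
        (root / "discovery_note.txt").write_text(
            "Staff reported a forwarding rule they did not create.\n"
        )
        manifest = build_manifest(
            tmp, "2024-03-01T09:00:00Z", "IT lead",
            "staff report of an unexpected mailbox forwarding rule",
        )
        write_manifest(tmp, manifest)
        problems_before = verify_manifest(tmp, manifest)
        # Simulate someone "cleaning up" the log after the fact.
        (root / "mail_audit.log").unlink()
        problems_after = verify_manifest(tmp, manifest)
        return len(manifest["files"]), problems_before, problems_after


if __name__ == "__main__":
    print(demo())
```

Run it once as soon as the evidence is copied, print the manifest for the paper file mentioned in the "Have contact lists" step, and re-run `verify_manifest` before handing the directory to a forensics firm or insurer. It only covers files you can copy; it does not replace step 4, and disconnecting a machine rather than powering it off keeps evidence that a shutdown would erase.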

Within 24 Hours

First meeting: Incident team meets (virtually or in-person). Review: what happened, what data was involved, what's your initial scope assessment?

Contact legal/insurance: Brief them. Ask: should we involve law enforcement? Do we have insurance coverage? What's the retention period for evidence?

Contact law enforcement: For ransomware, contact the FBI (ic3.gov). For other breaches, contact your state attorney general; most have cybercrime divisions. If you're wondering whether to pay a ransom, the answer is no: paying doesn't guarantee data recovery, and it funds criminals.

Hire help if needed: If you don't have IT expertise, hire a forensics firm ($5K-20K) to determine what happened, what was accessed, and how to fix it. This is worth it for serious breaches.

Days 3-7: Investigation and Notification Prep

Detailed assessment: With forensics/IT help, determine exactly what happened and what data was exposed.

Notification plan: What's your notification strategy? Who do you notify? When? How?

If data was accessed but not downloaded (the attacker was in your system but didn't extract anything), the risk is lower. If data was downloaded, the risk is higher. Notify based on the actual risk you have established, not on assumption.

Draft notification letter: Include: what happened (non-technical), what data was involved, what steps people should take (monitor credit, change passwords), how to contact you with questions, and resources (free credit monitoring if you're providing it).

Notify your vendors/business partners: If a vendor's breach affected you, also notify any other partners who might be impacted.

Days 7-30: Notification and Communication

Notify affected people: By mail, email, or certified mail depending on what you promised in your privacy policy. Include the notification letter and any resources.

Public statement: Issue a statement to donors/supporters (not just people affected). You want to control the narrative before news breaks. "We discovered unauthorized access to our email system on [date]. We've secured the system, determined scope, and notified affected individuals. We take security seriously and are taking [steps] to prevent this happening again."

Set up a hotline: People will have questions. Have someone (or a team) available to answer: "Did you have my data? What should I do? Who do I call?"

Notify state attorney general: Most states require notification if more than a certain number of residents were affected.

After 30 Days: Fix and Prevent

Root cause analysis: What let this happen? Unpatched system? Weak password? Phishing? Human error? Document it.

Remediation: Fix the root cause. If it was an unpatched system, patch everything. If it was a phishing email, implement email security. If it was a weak password, require stronger passwords.

Post-mortem meeting: Team meets and reviews: what did we do well? What could we do better? What process changes do we make?

Update the incident response plan: Learn from this. Update your checklist, contact list, notification process.

What to Tell People When You Notify

Be honest. Be clear. Avoid jargon.

Good: "On March 1st, we discovered that hackers accessed our email system. Your name and email address were in that system. We don't have evidence that it was used, but we wanted to notify you immediately. You should change your password if you use that password elsewhere."

Bad: "A cybersecurity incident resulted in unauthorized access to our information infrastructure. We have implemented mitigation strategies and are coordinating with relevant stakeholders."

People want to know: did it happen, what data, what should I do, who do I call. Answer those four questions and you're good.

Cost of a Breach

Forensics: $5K-20K. Notification: $1K-5K (postage, call center). Legal: $5K-20K. Credit monitoring: $10-30 per person. For 500 affected people, you're looking at $20K-50K total.

Insurance often covers most of this if you have cyber liability insurance. Call your insurance broker and confirm coverage before a breach happens.

Key Takeaway

Breaches happen. Having a plan means you respond quickly, legally, and effectively. You minimize damage. You maintain trust. And you learn so it doesn't happen again.

Frequently Asked Questions

Should we pay ransom if hackers encrypt our files?

No. Paying doesn't guarantee they'll decrypt. It funds criminals. You have backups (you do, right?), so recover from backup. Report to FBI. Let law enforcement handle it. Paying makes you a target for future attacks.

What if we discover a breach weeks after it happens?

Notify immediately. The law says "without unreasonable delay," which is interpreted as ASAP once discovered, not ASAP from when it happened. Document when you discovered it and what assessment you've done, and notify within 30 days. You might be late, but notify ASAP anyway.

Do we need cyber insurance?

Yes, if you have donor data. It's cheap ($1K-5K per year depending on organization size) and covers forensics, legal, notification, credit monitoring. Worth it for peace of mind and financial protection.

Can we just delete evidence after the incident?

No. Preserve everything for legal/insurance. They need the evidence to defend you if anyone sues. Delete it only after legal says it's safe. Usually this is 2-3 years post-incident.

What if the breach involves a vendor, not us?

You still notify. It doesn't matter who caused it—if your donor data was exposed, people who trust you need to know. Work with the vendor on joint notification. You're still the face of the incident to your supporters.