What to do after a data breach


There's likely two reasons you've come across this blog: one, you've recently experienced a data breach or two, you want to prepare yourself in the event of a data breach. Regardless, you've come to the right place and you're not alone. In fact, you’re probably one of over 5,200 organizations that experience a breach annually. While many security protocols are directed towards malicious outsiders, only 34% of incidents come from external actors. The remaining can come from internal events, lost and stolen devices, or third-party actors.

Misconfigured or forgotten assets leave the data breach door open and can cause you to aggregate hundreds of thousands of dollars in fines.

JupiterOne commissioned Forrester Consulting to conduct a Total Economic Impact (TEI) study to examine the potential ROI that enterprises may realize by deploying our cyber asset attack surface management (CAASM) platform. With JupiterOne, organizations can efficiently decommission ghost assets and neutralize potential risk of ungoverned assets, reducing your attack surface and thus your risk of a data breach. One JupiterOne customer used the platform to prove a recent breach was unintentional and reduced the cost of the violation by 67% with a key regulator.

What is a data breach?

The European Commission, a branch of the European Union, defines a data breach as a security incident resulting in a breach of confidentiality, availability, or integrity.

As scary as they can be, making haste decisions can end up creating larger, long-term problems for your company. Instead, act efficiently and thoughtfully to prevent further damage to your finances, your reputation, or the privacy of your customers.

Regulatory expectations should live in your head rent free

According to the Ponemon Institute, the global average cost of a data breach has increased by 12% over the past five years to reach $3.92 million. U.S. companies spend an average of $8.19 million on security incident recovery.

With numbers like that, proactively taking note of new and existing regulatory requirements and anticipating the fines you may face is a huge must. And if they don’t apply to you today, they could apply to you in the future. As you probably already know, each country, region, and/or industry has its own data privacy laws, often modeled after each other the most commonly referenced being:

  • General Data Protection Program (GDPR): The European Union’s (EU) GDPR is a robust regulation that not only advocates for stronger, preventative data protection, but also offers directions in the case that those preventative measures are breached. Under GDPR, the breach must be reported to the supervisory authority within 72 hours of becoming aware of it. The notification should include the nature and scope of the data breach, contact information or the organization’s data protection officer, potential consequences, and remediation plan.
  • The Cyber Incident Reporting for Critical Infrastructure Act of 2022: This regulation requires companies operating in “critical infrastructure sectors” to disclose their cyber incidents within 72 hours of becoming aware of it and report ransom payments within 24 hours after the payment is made.
  • California Consumer Privacy Act (CCPA): The CCPA requires businesses to give consumers a “notice at collection” that lists the categories of personal information being collected and why they need them. While there is no pre-designated timeline for reporting, the breach must still be reported as soon as possible.
  • Personal Information Protection and Electronic Documents Act (PIPEDA): Introduced in 2000, PIPEDA is a Canadian regulation that pushes private sector organizations to adhere to 10 “information principles” when collecting consumer information. Although there isn’t a required reporting period, failure to report a breach can result in $100,000 fines per violation.

Let’s dive into how you can respond appropriately and efficiently to avoid the fines and penalties.

When life is a breach, learn how to play in the sand

According to the TEI study, Forrester estimates you can save up to $5,000 per individual record in fines if you can prove a breach was unintentional. But how do you do that?

Document discovery

  • Immediately after discovering the breach, your designated Security Officer should document if the discovery was a result of exercising reasonable diligence.
  • Using a system that provides scalable continuous compliance and governance can uphold the security of your entire cyber asset universe and alert the appropriate team when something goes wrong. The JupiterOne platform helps organizations be proactive about their security and save time by allowing teams to reuse controls across multiple frameworks and policies.

Investigate the breach

  • Your Security Officer should name an individual to lead the investigation. The Security Officer should also coordinate with other teams in the organization that can assist with breach notifications and process documentation.
  • Instead of searching high and low throughout your cyber asset universe, take advantage of JupiterOne’s graph view to investigate the assets that live around your point of breach and check for vulnerabilities.

Perform a risk assessment

  • When it comes to risk assessments, it’s important to document this step thoroughly for future reference and prevention. Don’t forget to look at the assets that have a relationship with the breached assets — for cyber criminals, linked data is pure gold.
  • Consider who accessed or was given access to impermissibly used data.
  • Measure the type and scope of breached customer data.
  • Evaluate the cause of the breach and the entity responsible for the breach. Was it a customer? A partner? An internal employee? A misconfigured cloud resource?
  • Assess the risk involved, whether it be financial, reputational, or other harm. Reference your risk register if you have one compiled.
  • Once you complete your risk assessment, take note of the queries your team used and save them as alerts for the future.

Start the notification process

  • While some regulations say 72 hours and others do not specify, it’s typically better to notify sooner rather than later once you are in a position to do so. If there is a delay involved, be sure to include the reason why. All notifications should be written in plain, easy-to-understand language with a description of:
  • What happened, the date of the breach, and the date of discovery
  • The types of unsecured customer information involved
  • Any steps the customer can and should take to protect their data
  • What your company is doing to remediate the situation and protect customer data from future breaches
  • Contact information for customers to ask questions, receive additional information, or submit complaints

Educate internally

  • Once you’ve done most of the immediate damage control, be sure to conduct an internal education session on how employees can be more vigilant about their role in keeping your organization safe.


Prevention is a big part of your breach response strategy. Now that you have your risk assessment results on hand, improving where you previously faltered is a big step in the right direction. The good news is that the JupiterOne platform was made to address issues like these.

Here are a few common causes of a data breach:

  • Weak or stolen credentials: With JupiterOne, you can quickly query user credentials for signs of misuse and create an alert that automatically notifies the appropriate team member for remediation.
  • Compromised or vulnerable assets: Compromised assets are no joke, especially when they are connected to your business’ crown jewels. With JupiterOne’s relationship mapping, you are armed with crucial contextual information that can help you identify a compromised or vulnerable asset, quickly isolate it from other assets, and anticipate blast radius.
  • Third-party access, malicious insiders, or other access issues: JupiterOne lets you create a centralized inventory of user identities and permissions. Visualize access permissions in a graph view, create automatically enforced security policies, and understand the end-to-end activities of users with JupiterOne’s Security Policy Builder.
  • Mobile devices or Bring Your Own Device (BYOD) policies: Use JupiterOne’s simple configuration pane to establish a policy that each device should be bound to as well as how often it should execute.
  • Malware: Leverage JupiterOne’s range of integrations to receive continuous automatic monitoring of your entire digital universe. Quickly identify if your digital universe has been infected by malware and gauge potential blast radius of the attack.
  • Insider error: Whether they are day-to-day, monotonous tasks or time-intensive, challenging tasks, the potential for human error is always there. Use JupiterOne to automate everything from compliance, to meeting code, to data classification, and more.

Start putting preventative measures in place. Book a demo with our team today!

Tanvi Tapadia
Tanvi Tapadia

Born and raised in Raleigh, North Carolina, Tanvi is a marketer who strives to create the perfect balance between data-driven decisions and creative marketing. She is an NC State graduate who loves to explore, eat, and play with her dog Butter.

Keep Reading

Why Your Business Needs Cloud Asset Management
April 10, 2024
Why Your Business Needs Cloud Asset Management

Organizations are transitioning to the cloud faster than ever to keep up with the changing consumer and business climate. According to Gartner, by 2023, 40% of all

‘Type and go’ - New JupiterOne search bar enhancements
October 30, 2023
‘Type and go’ - New JupiterOne search bar enhancements

JupiterOne aggregates and normalizes data from hundreds of different sources so you can identify and triage security risks easily.

Identify and eliminate endpoint device security gaps using the new JupiterOne Unified Device Matrix
October 6, 2023
Identify and eliminate endpoint device security gaps using the new JupiterOne Unified Device Matrix

It seems like a simple question. “Are any of our deployed user endpoint devices missing an endpoint detection and response agent?”

15 Mar 2022
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.

15 Mar 2022
One line headline, one line headline

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud eiut.