News & Articles

Get a Cybersecurity Plan in Place: Sample Incident Response Plan

Washington State’s data breach notification law requires businesses to notify consumers as quickly as possible after a data breach. Our “Sample Incident Response Plan” is a tool to help companies create a cybersecurity plan to manage varying degrees of ongoing information security threats.


In creating your response team, consider the following roles and list the primary contact in your plan.

data security

  • Privacy Principal
  • Technical Lead
  • Internal Security Specialist
  • External Security Specialist
  • External Legal Counsel
  • Compliance
  • Public Relations

Step 1 – Defense and System Awareness 

  • Internal systems monitoring:
    • Software and Applications, what are they, what systems to those programs monitor, how to they alert Internal Security Specialist to potential threats.
  • Technology Asset Inventory:
    • Where is the location and identity of company assets for full impact analysis?
    • Update the inventory. Track and document hardware, software and leased assets.  Employee- owned devices, hosting or cloud services, and retired equipment are all relevant.
  • External systems monitoring:
    • Location of your confidential information and personal information. Who is accountable for security and breach monitoring

Step 2 – Identify Threats

  • Once notice of a threat is detected, identify tasks:
    • Hierarchy of Incident Response Team involvement and task assignment.
    • Quarantine systems and hardware.
    • Notice to stop normal data overrides to preserve data.
    • Incident Response Team required status checks and communications.
  • Threat Determination.
    • Identify who is in charge of clearing whether a threat is a breach or not.
    • Next steps and assignments if threat poses breach potential.

Step 3 – Impact Assessment

  • Forensic Analysis.
    • Determine scope of threat
    • Review hardware data and log files
    • Determine impacted stakeholders (e.g. staff, vendors, remote workforce and offices, etc.)
  • Determination of a breach.
    • Outside counsel involvement
  • Prioritize and establish material facts:
    • What is the impact level?
    • What data was compromised?
    • Can the source of the breach be determined and contained?
    • Has the existence of vulnerability been identified?
    • What is initial timing of the compromise and company’s first identification and response?

Step 4 – Suppress Threat

  • Engage forensic and incident response professionals to maintain data integrity. Eradicate the threat and close the vulnerability. Ensure preservation of work, log files and event traces during suppression.

Step 5 – Compliance

  • Outline steps for potential scenarios:
    • Breach but no data compromise
    • Breach with data compromise
    • Compliance with notification laws in applicable jurisdictions
  • Notification Procedures and Risk Management considerations:
    • Notify insurer
    • Notice to consumers
    • Notice to vendors and stakeholders
    • Notice to press

Step 6 – Incident Review

  • Fully collect and archive documentation relevant to incident. Engage in discussion regarding policy changes and implement policy, training and procedural changes as necessary.
  • Prepare and deliver formal executive report for stakeholders.

Click Here to Download

Teruyiki S. Olsen is a member in Ryan, Swanson & Cleveland, PLLC’s Litigation and Employment Rights, Benefits and Labor Group and can be reached at 206.326.5736 or

This article has been created by the Litigation Group at Ryan, Swanson & Cleveland, PLLC to advise of recent developments in the law. Because each situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances. Ryan, Swanson & Cleveland, PLLC is a full-service law firm located in Seattle, Washington.


Have Questions?

Get in touch today.