Data breach response plan — the first 72 hours
Last reviewed: June 2026. Generic SG playbook — not legal advice. Always engage qualified counsel.
The first 72 hours determine the size of the fine, the cost of the response, and whether you keep your customers. Below is a generic Singapore playbook organised by hour-band. Use it to draft your own incident-response runbook before you need it.
Hours 0–4: Containment
- Activate the IR team. Designated incident lead, IT/security, legal, comms, executive sponsor.
- Contain the incident. Isolate affected systems, disable compromised accounts, preserve logs (don't reimage — that destroys forensic evidence).
- Document everything. Time-stamped log of decisions, actions and findings.
- Notify your cyber insurer. Most policies require notification within 24–72 hours of becoming aware. Late notification is a common claim-denial trigger.
- Engage external IR. Your insurer will usually direct you to a panel forensic firm.
Hours 4–24: Assessment
- Determine scope. What systems? What data? How many individuals?
- Engage outside counsel. Privileged channel for legal advice + PDPC strategy.
- Preserve evidence. Forensic imaging, log retention, chain of custody.
- Assess notification triggers. Is it notifiable under PDPA Sec 26B? See our notification guide.
- Identify contractual breach-notice obligations. B2B customer contracts often require notification within 24–48 hours.
Hours 24–48: Decision & preparation
- Decide on PDPC notification. If notifiable, the 3-day clock starts from the point at which you determine that the breach is notifiable, so record that determination with a timestamp.
- Draft the PDPC notice. Facts, scope, categories of data, harm, remediation. See our template.
- Draft individual-notification letter. Plain English, what happened, what data, what they should do, helpline.
- Brief senior leadership and the board.
- Prepare a holding statement in case the breach goes public before you're ready.
- Stand up the customer call centre / inbox. Brief scripts; route legal questions to counsel.
Hours 48–72: Notification & execution
- File the PDPC notice via the e-service.
- Notify affected individuals. Email + post, depending on consent and contact information.
- Notify B2B customers per contractual obligations.
- Notify other regulators if applicable (MAS for FIs, MOH for healthcare, IMDA for telecoms).
- Activate credit / identity monitoring for affected individuals where appropriate.
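As an added illustration (not part of this playbook or any firm's tooling), a small Python helper that tracks which hour-band an incident is in, computes the notification clocks the steps above mention, and keeps the time-stamped decision log as a hash chain so that a later edit or deletion is detectable when the log is produced as evidence. The insurer and contract windows are parameters with assumed defaults (check your own policy and contracts), and every timestamp is constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import json

# Hour-bands exactly as the playbook above lays them out.
PHASES = [(0, 4, "Containment"), (4, 24, "Assessment"),
          (24, 48, "Decision & preparation"), (48, 72, "Notification & execution")]

def phase_at(aware: datetime, now: datetime) -> str:
    """Which hour-band the incident is in, measured from the time you became aware."""
    hours = (now - aware).total_seconds() / 3600
    for lo, hi, name in PHASES:
        if lo <= hours < hi:
            return name
    return "Beyond 72 hours"

def deadlines(aware, determined=None, insurer_hours=24, contract_hours=24, pdpc_days=3):
    """Notification deadlines keyed by obligation. insurer_hours / contract_hours are
    assumed defaults (the playbook quotes 24-72h and 24-48h ranges)."""
    out = {"cyber insurer": aware + timedelta(hours=insurer_hours),
           "B2B contracts": aware + timedelta(hours=contract_hours)}
    if determined is not None:
        # The 3-day PDPC clock runs from the determination that the breach is notifiable.
        out["PDPC"] = determined + timedelta(days=pdpc_days)
    return out

@dataclass
class IncidentLog:
    """Append-only decision log. Each entry commits to the previous entry's digest,
    so tampering with any earlier entry breaks the chain and is caught by verify()."""
    entries: list = field(default_factory=list)

    def _digest(self, body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, when: datetime, actor: str, action: str) -> str:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = {"when": when.isoformat(), "actor": actor, "action": action, "prev": prev}
        body["digest"] = self._digest(body)
        self.entries.append(body)
        return body["digest"]

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != e["digest"]:
                return False
            prev = e["digest"]
        return True
```

Export the verified log (entries plus final digest) to counsel and the forensic firm at each hand-off so the chain of custody for your own decision record is as defensible as the one for disk images.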
The most common mistakes
- Notifying the cyber insurer late. Read your policy's notification clause before you have a breach.
- Wiping or rebuilding compromised systems before forensic imaging. This destroys evidence and may prejudice the insurance claim.
- Public-affairs comms ahead of legal sign-off. Statements made in the first 72 hours become evidence in PDPC and civil proceedings.
- Underestimating scope. Initial assessments under-count affected individuals 70%+ of the time.
- Not running tabletop exercises. The first time you run this playbook should not be during a real breach.
Where cyber insurance covers each phase
| Phase | Typically covered |
|---|---|
| Containment (IR retainer) | Yes — usually first dollar |
| Forensic investigation | Yes — full limit or sublimit |
| Legal counsel | Yes |
| PDPC defence costs | Yes |
| PDPA financial penalty | Sublimit; depends on insurer + insurability |
| Notification costs | Yes — sublimit |
| Credit / identity monitoring | Yes — typically 12 months |
| PR / crisis management | Yes — sublimit |
| Third-party claims | Yes — liability limit |
| Business interruption | Yes — after waiting period |
Get the policy before the incident. Once you're in a breach, you're uninsurable for it. Get quotes from 8 Singapore insurers.