What do I do after a data breach at my startup?
In the first hour: confirm the breach, contain it (rotate exposed credentials, take the affected service offline if exploitation is ongoing), and start a timestamped log of every action. In the first day: notify affected users, consult legal counsel, and work out which regulator notifications you owe. In the first week: publish a postmortem. Under GDPR the supervisory authority must be notified within 72 hours of becoming aware of the breach.
The realistic solo-founder response playbook:
**Hour 0-1: contain**
- Confirm the breach is real, and whether it is still ongoing
- Preserve evidence before you change anything: snapshot affected disks or volumes and copy logs off the host, because a rotation or redeploy can overwrite exactly what you will need later
- Rotate every credential the attacker may have reached (API keys, database passwords, signing secrets, active sessions and tokens), and do it from a machine you trust
- Take the affected service offline if exploitation is still ongoing
- Start a timeline document and record every action with its timestamp, including what you checked and ruled out
**Hour 1-24: notify + consult**
- Email your startup lawyer (a generalist can triage and bring in a specialist)
- If you process EU personal data: the GDPR 72-hour clock for notifying the supervisory authority started when you became aware of the breach, not when you finished containing it
- If you handle protected health information under HIPAA: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery; HHS must be notified within 60 days if 500 or more people are affected, otherwise in the annual report for that calendar year
- If US state breach laws apply (California and others): check each state's timeline, since they differ
- Draft the user notification: honest, specific about what was exposed and what you did, no PR spin
**Day 1-7: communicate + fix**
- Publish the user notification
- Respond to every support request individually
- Fix the root cause and document the fix publicly (this builds trust)
- If a security researcher disclosed the issue, coordinate disclosure timing and credit with them
**Week 1+: postmortem**
- Publish the full timeline, the root cause, and what you changed
- File whatever regulator reports are required
- Transparency is a trust signal; an attempt to hide a breach is treated like a second breach
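The timeline document from the containment step, as an added example that is not part of this page or of Securie: a small Python logger in which each entry carries the SHA-256 of the previous entry, so an edited or deleted entry shows up when counsel or a regulator re-verifies the file. The `GENESIS` anchor, the field names, the `tamper` and `drop_entry` helpers and the four sample entries are all assumptions constructed for this example.

```python
"""Append-only, hash-chained incident timeline (added example; not Securie's code)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # assumed anchor for the first entry's "prev" field


def _digest(body: dict) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace) so the hash
    does not depend on field order or formatting."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class Timeline:
    """Each entry's digest covers the previous entry's digest, so editing or
    removing a middle entry breaks the chain for every entry after it."""

    def __init__(self) -> None:
        self.entries = []

    def record(self, actor: str, action: str, evidence: str = "",
               ts: Optional[str] = None) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor,
            "action": action,
            "evidence": evidence,  # where the supporting artifact was saved
            "prev": prev,
        }
        entry = dict(body, digest=_digest(body))
        self.entries.append(entry)
        return entry

    def to_jsonl(self) -> str:
        """One JSON object per line; this is the file you hand to counsel."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def verify(jsonl: str) -> Tuple[bool, int]:
    """Walk the chain. Returns (True, entry_count) if intact, otherwise
    (False, index) of the first entry whose link or digest does not check."""
    prev = GENESIS
    lines = [ln for ln in jsonl.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        entry = json.loads(line)
        digest = entry.pop("digest", None)
        if entry.get("prev") != prev or _digest(entry) != digest:
            return False, i
        prev = digest
    return True, len(lines)


def tamper(jsonl: str, index: int, **changes) -> str:
    """Rewrite fields of one entry (simulates after-the-fact editing)."""
    lines = jsonl.splitlines()
    entry = json.loads(lines[index])
    entry.update(changes)
    lines[index] = json.dumps(entry, sort_keys=True)
    return "\n".join(lines)


def drop_entry(jsonl: str, index: int) -> str:
    """Delete one entry (simulates quietly removing an embarrassing step)."""
    lines = jsonl.splitlines()
    del lines[index]
    return "\n".join(lines)


def build_sample() -> Timeline:
    """Constructed sample timeline for a fictional incident; not real data."""
    t = Timeline()
    t.record("founder", "Alert: admin login from unfamiliar IP; not a team member",
             "auth log excerpt saved to evidence/01", ts="2024-03-01T09:02:00+00:00")
    t.record("founder", "Snapshotted prod DB volume before touching anything",
             "snapshot id in evidence/02", ts="2024-03-01T09:10:00+00:00")
    t.record("founder", "Rotated API keys, DB password and admin sessions",
             "rotation checklist in evidence/03", ts="2024-03-01T09:35:00+00:00")
    t.record("founder", "Took public API offline pending root-cause fix",
             "deploy log in evidence/04", ts="2024-03-01T09:50:00+00:00")
    return t


if __name__ == "__main__":
    log = build_sample().to_jsonl()
    print(verify(log))                                        # (True, 4)
    print(verify(tamper(log, 1, action="Nothing happened")))  # (False, 1)
    print(verify(drop_entry(log, 1)))                         # (False, 1)
```

A chain on its own cannot detect removal of the most recent entry, so periodically send the latest digest to someone outside the system (counsel, a co-founder's mailbox) and keep the raw artifacts the `evidence` field points to; the chain proves the order and integrity of your notes, the artifacts prove the facts.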
This is why having Securie installed pre-breach matters: you'll have the evidence chain showing what you knew and when.