The breach containment process must also begin immediately. "Make sure the breach is not still open," Pescatore urged. "But you must also decide if you are going to try to preserve the evidence. Often, to contain a problem you have to over-write logs and audit trails that might help you find how the breach happened."

As for contacting law enforcement, "The decision is typically made by the organization's legal counsel early in the process," Pescatore noted. "But there is little to be gained by getting involved in prosecution, since it does not put data back into the database, does not save money and it does not help the customers."

In a worst-case scenario involving law enforcement, staff members will find themselves being questioned in separate rooms, often repeatedly. "Everyone starts dummying up," Taylor noted. "Everyone starts covering their asses. Everyone is suspicious of everyone else. Nothing gets done beyond crisis management." The answer, he indicated, is to rehearse the data breach response plan just like the organization rehearses its disaster recovery plan. And while rehearsing, it might be wise to coach the technology staff on how to answer lawyers' questions, Taylor noted. "The first line is to always tell the truth," he said. "The second is not to speculate or go beyond what you know, but to stick to the facts. Answer specific questions and don't volunteer anything. You may not be under oath, but what you say will be written down and then double checked with someone else."

Finally, there needs to be a post mortem analysis, to ensure that the original problem won't recur."The worst thing is to have additional breaches, or to assume that additional ones will have the same impact as the first," Ponemon warned. "One bank that we studied had a 2 percent customer churn (loss) rate in the first six months after a breach. Then there was a second breach, with some overlap with the victims of the first breach. The churn was 30 percent in the overlap population. Then about 2,000 people who were involved in those two breaches were involved in a third breach, and rate of churn among those 2,000 was nearly 100 percent."

But unless a plan has been written in advance, a fast, coherent response is unlikely. Taylor said that a data breach response plan should not be more than two pages long. It should be written in an all-day meeting, where the participants decide exactly who is going to be responsible for what activity, such as victim notification, IT forensics, public relations and the call center.They need to decide who is going to take over if a responsible party is on vacation, or if the backup person is on vacation. They need to decide how data breaches will be handled on a weekend, or a holiday, Taylor added.Additionally, the data breach plan should synch with the disaster recovery plan, and both should be rehearsed, Taylor said."Do not just put the plan on the shelf," he said. "The favorite place to live is in denial, accepting the risk and not talking about it."