Crisis Communication Plan Example — Data Breach Response
Example document for Crisis Communication Plan. Use this as a reference when creating your own.
Professional Review Recommended
This document may have legal or financial implications. We recommend having a qualified professional review the final version before use.
Document: Crisis Communication Plan
Example Document
Last updated 6/4/2026
Crisis Communication Plan — Data Breach Response (Northwind Ledger)
Organisation: Northwind Ledger (fictional cloud accounting service) Plan owner: Priya Nair, VP Operations Version: v2.1 Last reviewed: 9 February 2026 Next review: 9 August 2026
1. Scope and scenarios
This plan covers the scenario of unauthorised access to customer data held by Northwind Ledger. It assumes the breach is detected internally or reported by a third party, and that affected records may include names, email addresses, and billing details.
2. Severity assessment
The on-call engineer who confirmed unusual database access classified the event as Level 3 — Major: a confirmed security incident touching customer records, with notification duties likely. This triggered full team activation and executive sign-off on all external messaging.
3. Crisis team activated
| Role | Person |
|---|---|
| Crisis lead | Priya Nair, VP Operations |
| Communications lead | Tom Esposito, Head of Comms |
| Spokesperson | Priya Nair |
| Technical lead | Dana Okafor, Security Engineering |
| Legal / compliance | Marcus Lee, General Counsel |
| Coordinator | Sophie Bright, Ops Programme Manager |
4. How the response ran
Within 20 minutes of detection, Dana isolated the affected database and confirmed the scope. Sophie opened the incident log and timestamped every decision. Tom drafted a holding statement from the approved library while Marcus confirmed the 72-hour regulatory notification window had started. Priya approved the statement, and it went out through the channels below. The team agreed to update affected customers directly only once the scope was confirmed, to avoid alarming people who were not impacted.
5. Holding statement issued (first hour)
"We have identified unauthorised access to one of our systems and have taken it offline while we investigate. We are working to confirm exactly what was affected. Protecting your data is our priority. We will post a full update at status.northwindledger.example by 6:00pm today, and we will contact any affected customers directly."
6. Channels used
| Audience | Channel | Outcome |
|---|---|---|
| Customers (all) | Status page + email banner | Holding statement live within 1 hour |
| Customers (affected) | Direct email | Sent after scope confirmed, with reset steps |
| Staff | Internal chat + all-hands call | Briefed not to comment externally |
| Regulator | Formal written notice (Legal) | Filed within the 72-hour window |
| Media | Spokesperson (Priya) only | All enquiries routed to one voice |
7. Outcome
The status page served as the single source of truth and was updated three times over the first day, each with a next-update time. Affected customers received direct guidance to reset passwords and enable two-factor authentication. Because the holding statement went out fast and named a clear next-update time, inbound support volume stayed manageable and coverage described the response as prompt and transparent.
8. Post-incident actions
- Add a "scope-confirmed" customer-notification template to the holding-statement library — owner: Tom — due 3 weeks.
- Move the team contact sheet to an offline-accessible store — owner: Sophie — due 1 week.
- Run a tabletop exercise of this scenario each quarter — owner: Priya — ongoing.
Notes
A realistic worked example showing how a team activates, classifies severity, and issues a fast holding statement during a data breach. The company, people, and details are illustrative.
About this Example
Part of the Crisis Communication Plan document collection
Document Type
Crisis Communication Plan
Who says what, to whom, and how, when something goes wrong.