PropoDoc provides self-help document templates and tools. It is not a law firm and does not provide legal advice. Learn more.
Skip to main content
Example
guide

Crisis Communication Plan Example — Data Breach Response

Example document for Crisis Communication Plan. Use this as a reference when creating your own.

Professional Review Recommended

This document may have legal or financial implications. We recommend having a qualified professional review the final version before use.

Document: Crisis Communication Plan

Example Document

Last updated 6/4/2026

Crisis Communication Plan — Data Breach Response (Northwind Ledger)

Organisation: Northwind Ledger (fictional cloud accounting service) Plan owner: Priya Nair, VP Operations Version: v2.1 Last reviewed: 9 February 2026 Next review: 9 August 2026


1. Scope and scenarios

This plan covers the scenario of unauthorised access to customer data held by Northwind Ledger. It assumes the breach is detected internally or reported by a third party, and that affected records may include names, email addresses, and billing details.

2. Severity assessment

The on-call engineer who confirmed unusual database access classified the event as Level 3 — Major: a confirmed security incident touching customer records, with notification duties likely. This triggered full team activation and executive sign-off on all external messaging.

3. Crisis team activated

RolePerson
Crisis leadPriya Nair, VP Operations
Communications leadTom Esposito, Head of Comms
SpokespersonPriya Nair
Technical leadDana Okafor, Security Engineering
Legal / complianceMarcus Lee, General Counsel
CoordinatorSophie Bright, Ops Programme Manager

4. How the response ran

Within 20 minutes of detection, Dana isolated the affected database and confirmed the scope. Sophie opened the incident log and timestamped every decision. Tom drafted a holding statement from the approved library while Marcus confirmed the 72-hour regulatory notification window had started. Priya approved the statement, and it went out through the channels below. The team agreed to update affected customers directly only once the scope was confirmed, to avoid alarming people who were not impacted.

5. Holding statement issued (first hour)

"We have identified unauthorised access to one of our systems and have taken it offline while we investigate. We are working to confirm exactly what was affected. Protecting your data is our priority. We will post a full update at status.northwindledger.example by 6:00pm today, and we will contact any affected customers directly."

6. Channels used

AudienceChannelOutcome
Customers (all)Status page + email bannerHolding statement live within 1 hour
Customers (affected)Direct emailSent after scope confirmed, with reset steps
StaffInternal chat + all-hands callBriefed not to comment externally
RegulatorFormal written notice (Legal)Filed within the 72-hour window
MediaSpokesperson (Priya) onlyAll enquiries routed to one voice

7. Outcome

The status page served as the single source of truth and was updated three times over the first day, each with a next-update time. Affected customers received direct guidance to reset passwords and enable two-factor authentication. Because the holding statement went out fast and named a clear next-update time, inbound support volume stayed manageable and coverage described the response as prompt and transparent.

8. Post-incident actions

  • Add a "scope-confirmed" customer-notification template to the holding-statement library — owner: Tom — due 3 weeks.
  • Move the team contact sheet to an offline-accessible store — owner: Sophie — due 1 week.
  • Run a tabletop exercise of this scenario each quarter — owner: Priya — ongoing.

Notes

A realistic worked example showing how a team activates, classifies severity, and issues a fast holding statement during a data breach. The company, people, and details are illustrative.

About this Example

Part of the Crisis Communication Plan document collection

Document Type

Crisis Communication Plan

Who says what, to whom, and how, when something goes wrong.

Complexity

moderate

Risk Level

medium