If you are trying to figure out what to do after a data breach right now, here is the short answer: contain the affected systems, preserve evidence instead of wiping it, do not pay a ransom or post publicly on impulse, and get incident response and legal counsel on the phone within the first hour. California law puts a clock on your notification duties, so the decisions you make in the next 48 hours matter for both your recovery and your legal exposure. Below is an hour-by-hour playbook built for California businesses in healthcare, legal, accounting, real estate, and construction.

The first hour: stabilize and call for help

Speed and discipline matter more than perfection. In the first 60 minutes, work this list in order:

  1. Contain, do not destroy. Disconnect affected machines from the network (pull the network cable or disable Wi-Fi), but leave them powered on where possible so volatile evidence survives.
  2. Preserve evidence. Stop any cleanup or reimaging. Snapshots, logs, and the current state of the systems are what your responders and insurer will need.
  3. Do not pay or communicate rashly. Avoid replying to attacker demands, paying a ransom, or making public statements before you understand the scope.
  4. Call incident response and legal counsel. Engage your IT/security partner and a breach attorney immediately. If you carry cyber insurance, your policy likely requires you to notify the carrier first to keep coverage intact.
  5. Open a clean communication channel. Assume email and chat may be compromised. Coordinate by phone or a known-good out-of-band channel, and start a written timeline of who did what and when.

If you are mid-incident and need hands on it, you can reach our team at (213) 214-1385. For the bigger picture on attacker behavior in current campaigns, our 2025 ransomware breakdown is a useful companion read once the immediate fire is out.

Hours 1 to 4: contain and preserve

The early window is about stopping the spread without erasing the trail. Isolate affected endpoints and servers from the rest of the network and from the internet, but resist the urge to "fix it fast" by wiping and reinstalling. A wiped machine destroys the forensic evidence that tells you how attackers got in and whether they are still inside.

Capture and protect what you can: system snapshots, firewall and VPN logs, authentication logs, endpoint detection and response (EDR) alerts, and email security logs. Rotate credentials for any accounts that may be exposed, starting with administrator and remote-access accounts, and enforce multi-factor authentication if it is not already on. Disable rather than delete suspicious accounts so they remain available for investigation.
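As an added illustration (not Cobrix tooling and not code from this page), a small Python evidence manifest that hashes each captured artifact and records who collected it and when, so a later reviewer can show the logs were not altered after collection; the directory and file contents are constructed sample values.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large log exports stay out of memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(evidence_dir: Path, collector: str) -> dict:
    """Record name, size, hash, UTC time and collector for every captured file."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        entries.append({
            "file": str(path.relative_to(evidence_dir)),
            "bytes": path.stat().st_size,
            "sha256": sha256_file(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    return {"evidence_dir": str(evidence_dir), "entries": entries}

def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return problems ('missing: x' / 'modified: x'); an empty list means intact."""
    problems = []
    for entry in manifest["entries"]:
        path = evidence_dir / entry["file"]
        if not path.is_file():
            problems.append(f"missing: {entry['file']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['file']}")
    return problems

def make_sample_evidence() -> Path:
    """Constructed sample artifacts (not real logs) in a fresh temp directory."""
    d = Path(tempfile.mkdtemp())
    (d / "vpn.log").write_text("2025-01-01T02:14:09Z user=jdoe src=203.0.113.5 action=login\n")
    (d / "edr-alerts.json").write_text('[{"host": "FS01", "alert": "mass-file-rename"}]\n')
    return d

if __name__ == "__main__":
    evidence = make_sample_evidence()
    manifest = build_manifest(evidence, collector="on-call responder")
    print("after capture:", verify_manifest(evidence, manifest) or "intact")
    (evidence / "vpn.log").write_text("overwritten by a well-meaning cleanup\n")
    print("after tampering:", verify_manifest(evidence, manifest))
```

Store the manifest (and ideally a copy of the evidence) somewhere the attacker cannot reach, such as offline media held by the responder, since a manifest kept on the compromised network proves little.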

If you suspect ransomware, the U.S. government's coordinated guidance at CISA's StopRansomware walks through containment and recovery steps. A recurring pattern we see with new clients is that the breach is contained quickly but the logs needed to prove scope were already overwritten, which makes the legal phase far harder. Mature backup and recovery and centralized logging are what make this hour go smoothly.

Hours 4 to 24: scope the damage and bring in legal

Now the question shifts from "stop it" to "what was taken, and who must we tell." Work with your responders to determine which systems and data stores were touched, whether data was exfiltrated or only encrypted, and what categories of personal information were involved (names paired with Social Security numbers, driver's license numbers, financial account data, medical or health-insurance information, and so on).

Engage your breach attorney to direct the investigation, ideally so that forensic findings are produced under privilege. Notify your cyber-insurance carrier and follow their process; many carriers have panel responders and counsel they require you to use. If your business handles regulated data, the data type drives the legal timeline: protected health information triggers federal HIPAA breach rules, while almost any California resident's personal information triggers state notification law.

This is also the point to report the crime. The FBI accepts cybercrime complaints at the Internet Crime Complaint Center (IC3), and law-enforcement engagement is often expected by insurers and regulators. Reporting does not waive your other obligations, but it strengthens your position and can aid recovery.

Hours 24 to 48: the California notification clock

California is strict, and the timing rules are real. Under California's data breach notification statutes, Civil Code 1798.82 (for businesses) and Civil Code 1798.29 (for state agencies), any business that owns or licenses computerized personal information about a California resident must disclose a breach "in the most expedient time possible and without unreasonable delay" once it is discovered. There is no fixed day-count in the statute, but "without unreasonable delay" is exactly why you should not be sitting still during these 48 hours.

Two thresholds change your obligations. First, if a single breach requires notifying more than 500 California residents, you must also submit an electronic sample of the notice to the California Attorney General. The state's reporting portal and guidance live at the California DOJ / Attorney General data breach page. Second, the law specifies the content your notice must contain, so this is not a free-form email.

If protected health information is involved, federal rules stack on top of California's. Under the HHS Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery, and breaches affecting 500 or more individuals must be reported to HHS and the media promptly. The official requirements are published on the HHS Breach Notification Rule page. A medical or dental practice will often be managing both clocks at once, which is why cybersecurity for healthcare in Los Angeles and similar local practices treats breach readiness as a compliance project, not just an IT one.

For a deeper walkthrough of the statutory content requirements, timing nuances, and AG submission process, see our companion guide to the California data breach notification law.

What NOT to do in the first 48 hours

The mistakes that turn a contained incident into a crisis are predictable, and each one is the reverse of a step above:

  1. Wiping or reimaging affected machines before responders have captured them, which destroys the evidence of how attackers got in and whether they are still inside.
  2. Paying a ransom or replying to attacker demands before you understand the scope.
  3. Making public statements before the scope is known.
  4. Coordinating the response over the same email or chat that may already be compromised.
  5. Deleting suspicious accounts instead of disabling them, so they are gone when the investigation needs them.
  6. Letting logs roll over before the scope is documented, which makes the legal phase far harder.
  7. Skipping the call to your cyber-insurance carrier, which can put coverage at risk.
  8. Sitting still on notification when California's "without unreasonable delay" standard is already running.

How to prevent the next one

Once you are stable, the recovery should fund the prevention. The controls that consistently reduce breach impact are not exotic: enforce multi-factor authentication on every account, deploy EDR so threats are caught and contained automatically, keep tested, offline or immutable backups so ransomware cannot encrypt your only copy, and patch on a schedule. Just as important is a written incident response plan with named roles and the phone numbers you actually called this week, rehearsed at least once a year so the next event is a drill, not an emergency.

A managed approach ties these together: monitoring that surfaces an incident in hours instead of weeks, centralized logging that survives an attack, and a partner who already knows your environment when the clock starts. Our cybersecurity services and backup and recovery are built specifically for California businesses that carry sensitive client data and cannot afford a 48-hour scramble done blind.

Move fast, but move right — talk to Cobrix today

The first 48 hours after a data breach decide how the next few months go. If you are in an incident now, contain and preserve first, then get experienced help on the line. If you are reading this before anything has happened, that is the best time to build the plan. Book a free consultation with Cobrix Solutions and we will pressure-test your breach readiness before someone else does it for you.