Emergency Breach Response Plan

BUSINESS BASICS

Business Name:

Date Last Updated:

Number of Employees:

Primary Business Address:

TEXAS SB2610 SAFE HARBOR COMPLIANCE

To qualify for protection from punitive damages, complete this section:

Tier 1 Requirements (< 20 employees):

Simplified requirements — Basic password policies, multi-factor authentication (MFA), and cybersecurity awareness training

Password Policy in Place:

Yes, we have a written password policy

Describe your password policy:

Best Practice:

NIST recommends passwords of at least 12 characters. Consider using passphrases instead of complex passwords, and avoid requiring frequent password changes unless compromise is suspected.

Multi-Factor Authentication (MFA) Implementation:

Yes, we have implemented MFA on critical systems

Which systems have MFA enabled?

Email accounts

Administrative/privileged accounts

Remote access (VPN, remote desktop)

Financial systems (banking, payroll)

Cloud services (Microsoft 365, Google Workspace, etc.)

MFA method(s) used:

Important:

MFA significantly reduces the risk of unauthorized access. At minimum, enable MFA on email and administrative accounts. SMS-based MFA is better than nothing, but authenticator apps are more secure.

Employee Cybersecurity Training:

Yes, employees receive cybersecurity awareness training

Training frequency:

Last training date:

SB2610 Requirement:

Maintain documentation that your cybersecurity program was in place at the time of any breach. This form serves as part of that documentation.

CRITICAL PASSWORDS & ACCESS

Where are passwords stored? (Password manager, locked file cabinet, safe, etc.):

Master password location/who has access:

Admin Access to Critical Systems (list systems and who has admin rights):

Cloud Service Accounts:

EMERGENCY CONTACTS (Call in this order)

1. Trusted Tech Person/IT Support:

Name:

Phone:

Email:

Company (if applicable):

2. Business Insurance Agent (Cyber Insurance):

Company & Agent Name:

Policy Number:

24/7 Claims Phone:

Agent Direct Phone:

3. Business Attorney:

Name & Firm:

Phone:

Email:

4. Bank/Financial Institution:

Institution Name:

Account Representative:

Fraud Department Phone:

BACKUP INFORMATION

Where are backups stored? (Cloud service, external drive, etc.):

How often are backups run?

Last backup test date:

Who can access/restore backups?

Backup retention period:

Test your backups quarterly!

A backup you haven't tested is a backup you don't have.

CUSTOMER/CLIENT DATA INVENTORY

Types of personal information collected:

Names and contact info

Social Security Numbers

Financial account information

Health information

Login credentials

Payment card information

Driver's license numbers

Where is customer data stored?

Approximate number of Texas customers/clients:

Total customer records:

BREACH RESPONSE PROCEDURE (NIST Framework-Based)

STEP 1: IMMEDIATE CONTAINMENT (First 0-2 hours)

DISCONNECT affected devices from internet/network. Take photos of any ransom messages or suspicious activity. DO NOT pay ransoms without consulting professionals.
CALL your emergency contacts in order listed above. Document who you called and when.
Preserve evidence. Do not delete anything. Take screenshots, save logs, note what you observed.
Document the incident - Write down everything: when discovered, what happened, who discovered it, what systems affected.
Change passwords for critical accounts from a clean, unaffected device.

Do NOT:

Delete files, restart systems (unless instructed by IT), communicate publicly about breach, or attempt to "fix it yourself" without professional help.

STEP 2: ASSESSMENT & NOTIFICATION (First 24-72 hours)

Work with your IT support/cybersecurity consultant to determine:
- What data was accessed or stolen?
- How many customers/clients are affected?
- How did the breach occur?
- What systems are compromised?
File insurance claim with your cyber insurance provider (if applicable).
Determine legal obligations:
- If 250+ Texas residents affected: Report to TX Attorney General within 30 days
- Notify affected individuals within 60 days
- Check other state requirements if you have customers in multiple states
- Industry-specific requirements (HIPAA, PCI-DSS, etc.)
Consider law enforcement notification: Contact FBI Internet Crime Complaint Center (IC3) at www.ic3.gov or call local FBI field office.
Prepare internal communications for employees about the incident and their role in response.

STEP 3: RECOVERY & REMEDIATION (Days to weeks)

Eliminate the threat: Remove malware, close vulnerabilities, rebuild compromised systems from clean backups.
Restore operations: Bring systems back online in order of priority, verify they're clean before reconnecting to network.
Notify affected individuals (if required) - Include:
- What happened and when
- What information was involved
- What you're doing about it
- What they should do (credit monitoring, password changes, etc.)
- Contact information for questions
Monitor for further compromise: Watch for unusual activity for at least 90 days.
Fulfill all legal notification requirements within required timeframes.

TEXAS BREACH NOTIFICATION CHECKLIST

Determined if 250+ Texas residents affected

Reported to TX Attorney General (within 30 days) - if 250+ affected

Notified affected individuals (within 60 days)

Notified credit bureaus (if required)

Filed FTC report (if applicable)

Checked notification requirements for other states

STEP 4: POST-INCIDENT REVIEW (Within 30 days after recovery)

Conduct lessons-learned meeting with response team:
- What worked well?
- What didn't work?
- What should we do differently?
- What gaps did we discover?
Update security controls: Implement improvements to prevent similar incidents.
Update this plan based on lessons learned.
Update cybersecurity program documentation (required for SB2610 compliance).
Conduct employee training on new procedures or identified weaknesses.
Document the entire incident and response for future reference and compliance purposes.
Review and update cyber insurance coverage if needed.

IMPORTANT RESOURCES

Texas Attorney General Data Breach Reporting: https://www.texasattorneygeneral.gov/consumer-protection/data-breach-reporting

FBI Internet Crime Complaint Center (IC3): https://www.ic3.gov

NIST Cybersecurity Resources for Small Business: https://www.nist.gov/itl/smallbusinesscyber

Texas Identity Theft Enforcement and Protection Act (ITEPA):

Texas Business & Commerce Code § 521.001 et seq.

US-CERT (Cybersecurity & Infrastructure Security Agency): https://www.cisa.gov/report
24/7 Hotline: 1-888-282-0870

ACKNOWLEDGMENT

I have reviewed this Emergency Breach Response Plan and understand the procedures:

Owner/Manager Name:

Date:

Signature:

Title:

REVIEW & UPDATE THIS PLAN:

Annually (at minimum)
After any security incident
When personnel changes occur
When systems or processes change significantly
When laws or regulations change

Next scheduled review date:

1. Trusted Tech Person/IT Support:

2. Business Insurance Agent (Cyber Insurance):

3. Business Attorney:

4. Bank/Financial Institution:

TEXAS BREACH NOTIFICATION CHECKLIST

CyberPoint Advisory