The first ninety minutes of an information exposure are not for explaining why it happened. They are for reducing how far it can travel.
Use this protocol when a private file, shared link, message thread, address, photograph, contact list or identity document has reached the wrong person or become publicly reachable.
Minutes 0–10: establish the object
- Name the exact object. “Data leak” is not an object; “passport scan in folder X” is.
- Record the first known exposure time, current location and person who discovered it.
- Preserve one evidence copy and a short event log before changing anything.
- Appoint one incident lead. Everyone else reports facts to that person.
Minutes 10–25: stop distribution
- Disable the link, session, mailbox rule, account or public page that is still serving the information.
- Revoke tokens and shared access connected to the exposed object.
- Ask unintended recipients to stop forwarding, retain the message and await a precise instruction.
- Do not send the sensitive object again while asking whether someone received it.
If the content is hosted by a third party, use the provider’s abuse or emergency path while an authorised person works the normal support route. Record case numbers.
Minutes 25–45: determine reach
Build a recipient and replica map. Include direct recipients, forwarding addresses, cached pages, synced devices, collaboration platforms, downloads and screenshots you can evidence. Separate confirmed reach from possible reach. Do not inflate the incident with guesses.
At the same time, classify consequence: identity misuse, physical safety, financial instruction, legal privilege, transaction confidentiality, family privacy or reputational harm. One object can create several consequences; assign an owner to each.
Minutes 45–65: make the legal and operational calls
- Notify counsel or the privacy lead with the object, reach map, containment completed and unresolved questions.
- Reset or replace any credential, identifier or verification answer exposed by the content.
- Warn the small number of people whose behaviour must change immediately.
- Prepare a neutral holding line in case an external party asks before facts are complete.
Avoid broad internal broadcasts. They create new copies and turn curiosity into distribution.
Minutes 65–90: prove closure
- Verify the original path is closed from an unauthenticated or independent account.
- Obtain deletion or access-removal evidence from recipients and providers where possible.
- Set monitoring for reuse of the exposed identifiers or narrative.
- Write the next decision time, named owner and the evidence still missing.
The 90-minute board
Keep one page with six boxes: object, exposure path, confirmed reach, consequences, containment evidence and next decision. If the team cannot fill the page, it does not yet understand the incident.
Root-cause analysis comes later. Fast containment is not reckless when the evidence copy and event log exist. It is the disciplined refusal to let explanation outrun control.
