What happens in the first 48 hours after a breach determines the type of regulatory response that follows, how far the damage can be mitigated, and how much of your customers’ and clients’ trust you can preserve. General Counsel has a critical decision-making role during those 48 hours, which test their ability to remain composed, to provide accurate information to the public, and to demonstrate preparedness.
As part of our effort to help General Counsel understand what they need to do in the changing regulatory environment of 2025, we conducted interviews with several General Counsel, including Steven Okoye, a New York-based corporate and healthcare attorney who has developed a reputation as a trusted advisor to his clients on navigating complex compliance issues. Mr. Okoye assists companies with protecting the privilege of their communications, managing vendor relationships, and meeting ever-changing reporting requirements under state and federal law.
The clock starts with detection.
“The first mistake companies make is waiting for confirmation,” Okoye says. If your IT team informs you about potential data access, the clock has already begun.
New privacy laws in Delaware, Iowa, and Minnesota all take effect in 2025, significantly narrowing the window for compliance with both document submission requirements and the response timeline. Like the existing laws in California and Colorado, these state laws oblige a company to write its cybersecurity policies, perform annual risk assessments of its cybersecurity program, and provide timely notification of breaches to customers and/or regulatory bodies.
Most states mandate notification to customers, regulatory agencies, or both within 30 to 60 days of the occurrence. In addition, the SEC’s new cyber incident reporting regulation, which took effect in 2024, requires publicly traded companies to disclose material cyber incidents within 4 business days after determining whether the incident is material. Okoye warns that waiting on full forensic confirmation can cost valuable time. “You can’t wait for every answer. It is important to begin documenting actions, safeguarding privilege, and preparing communications promptly.”
Maintaining Privilege in the Heat of a Crisis
Legal privilege is often the first casualty of a chaotic breach response. If handled incorrectly, forensic reports and internal messages can later surface in litigation.
“Every document, every meeting note can become evidence if privilege isn’t maintained,” Okoye says. “Counsel should direct the investigation, retain the forensic firm, and define the scope of work.”
This structure turns the forensic review into part of legal strategy, not a standalone technical project. In 2025, as AI-related breach investigations grow more complex, especially those involving autonomous or “agentic” AI systems, maintaining control of the investigation has become even more critical.
Okoye adds that internal communication discipline matters just as much. “People panic. They start emailing details they shouldn’t. The first instruction should be: talk to legal before talking to anyone else.”
Cross-Functional Response and Leadership
Cyber incidents often reveal whether an organization’s departments can function under stress. Legal handles privilege and compliance. IT leads containment. Public relations manages external messaging.
“When everyone works in silos, you lose time and accuracy,” Okoye says. “You need a pre-defined chain of command led by counsel.”
He recommends quarterly incident response drills involving executives, IT, communications, and HR. These tabletop exercises allow teams to practice escalation protocols before a real event occurs.
Vendor and Sector Responsibilities
Third-party vendors remain a major source of breach risk. In 2025, nearly 36 percent of reported incidents involved vendor-originated exposure. Many state laws now require ongoing vendor risk assessments and written data-handling contracts.
“Vendor agreements should include breach notification timelines and cooperation clauses,” Okoye says. “You don’t want to negotiate those terms in the middle of a crisis.”
Industry-specific rules are also expanding. Rhode Island’s insurance data security law, effective January 1, 2025, mandates that insurers implement formal security programs. Nevada and North Dakota now require financial institutions to perform risk-based monitoring as part of their cybersecurity frameworks.
“These sector rules show that regulators expect proactive management, not reactionary response,” Okoye explains.
Understanding the 2025 Regulatory Landscape
Federal oversight is still a patchwork effort. A voluntary framework for sharing cybersecurity threat information through the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) expired in October 2025, leaving unclear the future of the government-private sector relationship for sharing information on cyber threats to our nation.
At the same time, the Securities and Exchange Commission (SEC) threw out a class-action lawsuit against SolarWinds in November 2025 about certain disclosures related to AI threats; while this decision limited what investors can claim, it also made it clear that companies are expected to inform their investors about any potential AI-related cyber threats as they come up.
At the state level, eight new comprehensive privacy laws now apply in 2025, including those in Delaware, Iowa, Minnesota, Montana, Tennessee, New Jersey, and Oregon. All require reasonable safeguards, data security assessments, and documentation of breach response procedures.
Okoye notes that some states are experimenting with “carrot” incentives. “Certain new laws limit punitive damages for companies that maintain cybersecurity programs aligned with the NIST Framework. That’s a huge shift toward rewarding preparedness.”
The First 48 Hours After a Breach: Steps to Take and Why Time Is Important
0 – 1 hour: Detection and Incident Response
Internally confirm that an incident has occurred and begin assembling your incident response team. Begin to isolate the impacted systems as quickly as possible. “Early isolation of impacted systems can limit the amount of damage caused by a breach,” according to Okoye.
“Approximately 85% of all the 2025 breaches had lateral movement inside the network.” Documenting each step will be important if you need to use this information in litigation.
1 – 6 hours: Containment and Scope of Damage
Have counsel retain a forensic expert to document everything related to the breach, so that privilege is maintained and evidence is preserved before the incident is remediated. Also, communicate with key stakeholders (insurers, board members) and document who needs to be notified. The FTC emphasizes both coordinating with law enforcement and documenting evidence preservation.
6 – 24 hours: Technical and Legal Review
Identify what type of data was compromised (PII, PHI, etc.) and what triggered reporting obligations under federal and state laws. Perform a parallel review of the technical and legal aspects of the incident to identify reporting requirements. Avoid making promises you cannot keep. “Be as factual as possible when communicating with regulators; they are interested in the level of detail and whether messages have been consistent and traceable,” Okoye said.
24 – 48 hours: Notification and Remediation
Finish identifying the scope of the breach and draft the notice to be sent to regulatory bodies and affected parties. Prepare for remediation efforts, including providing credit monitoring and/or identity theft protection services to affected individuals. As soon as possible, communicate internally with employees. “It is better to inform employees before they hear about the breach from the media,” Okoye said.
The Litigation Trends Driving Preparation
Across 2025, plaintiffs’ attorneys have filed more wiretap and biometric privacy suits tied to embedded website trackers and AI analytics tools. States, including Illinois and Washington, continue to expand private rights of action under biometric laws.
At the same time, companies adopting NIST-compliant cybersecurity programs are gaining new legal protections in some states that shield them from punitive damages. Okoye views this as a sign of balance. “The law is shifting from punishment to partnership. Regulators want to incentivize companies that take cybersecurity seriously.”
Building a Sustainable Breach Response Framework
Preparation is everything. Okoye advises companies to maintain a living incident response plan that aligns with the latest privacy laws and cybersecurity standards.
That plan should include:
- Current contact lists for legal, IT, forensics, PR, and insurance partners.
- Pre-vetted vendors and law firms covered by master service agreements.
- Escalation procedures, privilege protocols, and post-incident review steps.
“Testing your plan is what separates policy from performance,” Okoye says. “Run a tabletop every quarter, update it after every new law or major breach, and make sure executives can execute it.”
The Counsel’s Role in the New Cyber Reality
Okoye stated, “Your role as General Counsel is changing, for you are no longer simply responsible for risk management but rather for building/protecting trust.”
According to Okoye, the initial 48 hours of any crisis or incident will determine whether that trust is built or retained.
Okoye also believes that 2025 will be a critical year for companies. He stated that “cybersecurity is no longer an IT issue, it is a governance issue.”
Boards and regulators will increasingly demand that counsel provide clear, coordinated leadership and demonstrate control over cybersecurity threats.
Okoye continues, “As threats become more sophisticated, your only real defense is preparedness.”
Steven Okoye concluded by stating, “A breach will reveal all weaknesses in your company, but preparedness, communication, and integrity can help carry you through the worst part of this storm.”



