What to Do After a Data Breach: A Nonprofit Response Guide

March 24, 2026

A data breach is one of those situations where everything suddenly feels urgent.

Someone notices something off. Emails start going around. People want answers right away.

It is a lot.

If you take one thing from this, let it be this. You do not need to solve everything in the first hour.

Start by slowing things down

The instinct is to jump in and fix it immediately.

That is usually when things get messy.

Before sending updates or making big changes, pause and figure out what you are actually looking at.

If something is clearly compromised, limit access. Disconnect systems if needed. But try not to overwrite or delete anything important.

Right now, you are just trying to keep things contained.

You do not have to figure this out alone

Most nonprofits are not set up to handle cyber incidents internally. And honestly, they should not have to be.

If you have cyber coverage, there is a good chance you already have access to a response team. Legal, forensic, communications. The people you would want in this situation.

If you do not, it is still worth bringing in outside help early.

Trying to piece it together internally usually adds pressure and slows things down.

Get a clear picture before you say too much

There is going to be pressure to communicate quickly.

That is fair. People want to know what is going on.

But it helps to understand a few basics first.

What kind of information was involved?
Is this still happening, or has it stopped?
Who could be affected?

You do not need perfect answers. Just enough clarity to speak honestly without guessing.

Be genuine in how you communicate

This part matters more than people think.

You do not need polished language. You need clear, honest updates.

It is completely okay to say you are still looking into things and will share more soon.

Most people are understanding if they feel like they are being told the truth.

There may be rules you need to follow

Depending on what was exposed, there may be legal requirements around notifications.

Some are time-sensitive.

This is another moment where having the right support helps. You want to make sure you are doing things correctly, without creating more problems along the way.

Your team is going to feel it

Even if no one says it out loud, situations like this are stressful.

People may worry they caused it. Or that something bigger is coming.

A quick internal update can go a long way. Let people know what is happening and what they should or should not do.

Clarity reduces a lot of unnecessary anxiety.

Once it settles, take a step back

After things calm down, there is usually a moment where you can look at what happened.

Not to point fingers. Just to understand.

Was it a training gap? A system issue? Something small that slipped through?

Most of the time, it is fixable.

This is not as rare as it feels

It might feel like a worst-case scenario, but a lot of organizations go through this at some point.

What matters is how it is handled.

A steady response builds confidence. A chaotic one makes everything harder.

Take the next step

If your organization does not have a plan for this, it is worth putting one together.

Nothing complicated. Just a basic understanding of who to call and what to do first.

Because in a moment like this, having a plan takes a lot of weight off your shoulders.

Helpful Resources for Nonprofits

If you want guidance beyond your internal team, these are trusted places to start.

Cybersecurity and Infrastructure Security Agency (CISA)
CISA offers practical, plain-language guidance for responding to cyber incidents, including resources for small organizations.

Federal Trade Commission (FTC) Data Breach Response Guide
A step-by-step resource that walks through legal and practical considerations after a breach.

National Institute of Standards and Technology (NIST)
NIST provides more detailed frameworks, including incident response guidance used across many industries.

National Council of Nonprofits
Offers nonprofit-specific resources, including risk management and cybersecurity best practices.

State Attorney General Offices
Most states provide breach notification requirements and timelines. These vary, so it is important to check based on where you operate.


If you have questions about how your insurance responds in a situation like this, we’re always here to help you think it through.
