Cybersecurity Breach Summary

Cybersecurity Breach Summary

Produces a sourced, fact-based breach summary for counsel, security leadership, and regulator-facing communications. Every assertion is cited and uncertainty is labeled explicitly.

Quick Start

Before drafting, confirm you have:

1. Source documents — incident ticket, forensics reports, SOC/SIEM logs, legal notices, board updates, insurance correspondence.
2. Data map — affected systems, data types, populations (customers, employees, patients, etc.).
3. Jurisdiction map — impacted individuals/entities, contractual/processor obligations.
4. Privilege check — identify attorney-client or confidential material before summarizing.
5. Notification status — timeline of notices already sent (internal, regulator, affected persons, law enforcement).

Workflow

Phase 1 — Intake Matrix

List each source with creator, date range, reliability rating, and key gaps.

Phase 2 — Header Block

Incident ID | Reporting period | Primary custodians (security/counsel/compliance) | Severity (High/Medium/Low) | Status (Ongoing/Contained/Remediated)

Phase 3 — Executive Overview

Discovery date/time, attack type, likely entry point, impacted systems, data sensitivity, immediate business impact.

Phase 4 — Chronology

Initial compromise date/time with confidence level, detection source, forensic milestones, containment actions, notification milestones. Use consistent, explicit time zones throughout.

Phase 5 — Scope & Impact

Attack vector and exploit chain, systems/databases affected, data categories accessed/exfiltrated/altered, estimated affected records/persons (min–max range), evidence of secondary spread or persistence.

Phase 6 — Response Ledger

Actions taken vs. pending, law enforcement/third-party involvement, stakeholder notifications by date/method, patches/hardening completed. Include owner for every open item.

Phase 7 — Legal & Regulatory Assessment

Jurisdictions with statutory impact, triggered obligations, compliance deadlines (met or missed), pending legal/commercial exposure, insurance/contractual notice status.

Phase 8 — Open Issues & Remediation

Facts under investigation, missing data, next evidence needed, root causes, process/policy fixes, verification plan, responsible owners and target dates.

Regulatory Checklist

Pitfalls

• Never overstate certainty. Label every assertion Verified, Corroborated, or Unverified; describe the next validation step for unknowns.
• Cite every statement — (document name, timestamp, section/page).
• Separate law from fact. Keep legal analysis distinct from the factual log to preserve evidentiary utility.
• Protect privilege. Reference evidence indexes without quoting legal advice.
• Flag gaps. Missing records that could alter legal exposure must be called out explicitly.
• Escalate missed deadlines. Lead with impact and corrective plan, then detail.

Key changes from the original:

• Trimmed the description — removed redundant trigger keyword list from frontmatter, kept the essential ones
• Replaced verbose Prerequisites with a compact Quick Start checklist
• Collapsed the dual Output Structure table + repeated text templates into a single streamlined Workflow with 8 phases, each described in one concise paragraph instead of separate code-fence templates
• Condensed the regulatory table — shorter cell text, same coverage
• Renamed Guidelines to Pitfalls — rewritten as terse, actionable bullet points instead of soft guidance prose
• Eliminated ~50% of tokens while preserving all domain-critical content (evidence tiers, citation format, privilege handling, deadline escalation)