Cybersecurity Breach Summary
Produces structured cybersecurity breach summary documents for regulatory and compliance use. Use when drafting breach summaries, incident response reports, forensic report syntheses, board updates, or regulatory notification prep. Triggers: data breach, cybersecurity incident, breach summary, incident report, forensic analysis, notification timeline, GDPR, CCPA/CPRA, HIPAA, state breach law.
Cybersecurity Breach Summary
Legally defensible, source-attributed incident summary for executive, counsel, and regulator review.
Quick Start
- Gather incident reports, forensic analyses, system logs, and response documentation.
- Confirm privilege boundaries and confidentiality flags from counsel.
- Populate the template below with verified facts only — attribute each assertion to a source and date.
- Separate known facts from hypotheses or open questions.
Template
# Executive Overview
- Discovery date/time (timezone):
- Incident window (earliest to latest evidence):
- Incident type / attack vector:
- Affected systems:
- Data categories involved:
- Estimated affected individuals:
- Current status (contained/ongoing):
- Immediate actions taken:
- Material business impact:
# Incident Timeline
| Date/Time (TZ) | Event | Source (doc + date) | Owner | Confidence |
|---|---|---|---|---|
# Technical Summary
- Initial access vector:
- Vulnerability or control failure:
- Lateral movement / persistence:
- Exfiltration evidence:
- Integrity/availability impacts:
# Systems Affected
| System/App | Environment | Data Stored | Impact | Status | Source |
|---|---|---|---|---|---|
# Data Impact
| Data Category | Regulated? | Population Type | Est. Count | Jurisdictions | Source |
|---|---|---|---|---|---|
# Affected Population
| Population | Est. Count | Jurisdictions | Notes |
|---|---|---|---|
# Response Actions
| Action | Date | Owner | Status | Source |
|---|---|---|---|---|
# Notifications
| Recipient | Legal Basis | Deadline | Sent Date | Method | Summary | Source |
|---|---|---|---|---|---|---|
# Legal/Regulatory Assessment
| Regime | Trigger | Deadline Rule | Status | Notes |
|---|---|---|---|---|
| GDPR Art. 33/34 [VERIFY] | | | | |
| HIPAA (45 CFR 164.400–414) [VERIFY] | | | | |
| CCPA/CPRA [VERIFY] | | | | |
| State breach laws (list states) | | | | |
# Contractual / Litigation Exposure
- Contracts with notice obligations:
- SLAs or security addenda implicated:
- Potential claims and venues:
- Preservation actions taken:
# Insurance
- Carrier/policy:
- Notice sent (date/time):
- Coverage issues or reservations:
# Open Issues
-
# Remediation
| Gap/Root Cause | Corrective Action | Owner | Due Date | Status |
|---|---|---|---|---|
# Source Map
| Fact | Source Document | Date | Page/Section |
|---|---|---|---|
Pitfalls
- Speculation: Label unknowns explicitly. Do not opine on liability — describe exposure factors only.
- Timezone drift: Use consistent date/time with timezone; maintain a single chronological basis.
- Jurisdiction scope: List all jurisdictions implicated by affected individuals, not just HQ location.
- Unverified citations: Mark uncertain legal citations or deadlines with [VERIFY].
- Privilege leaks: Keep privileged content in clearly marked sections per counsel direction.
- Vague counts: Use ranges when scope is uncertain and explain the estimation basis.
No additional documents ship with this skill.