What should I do with records after a data breach?
A data breach changes how you must treat the affected records. The instinct to “clean up” by deleting compromised files can destroy evidence, violate retention rules, and undermine your response. The right approach is deliberate: preserve first, document everything, and resume normal lifecycle management only once obligations are clear.
Preserve, don’t purge
The moment a breach is suspected, suspend any routine destruction that touches the affected records or systems. Even if a record was eligible for disposition, deleting it during an active incident can spoliate evidence needed for investigation, regulatory reporting, and possible litigation. Issue a legal hold covering the affected datasets, related logs, and system images, and confirm that automated deletion jobs and email auto-purge rules are paused for that scope.
Identify and document what was affected
Work with security and legal teams to scope exactly which records were exposed, including what categories of personal or sensitive information they contained. Capture:
- The record types, systems, and date ranges involved
- The nature of the data (for example, identifiers, financial, or health information)
- When the exposure occurred and was discovered
- The actions taken in response
This documentation becomes a record in its own right and should be retained according to your incident-response schedule.
Meet notification and reporting duties
Many breaches trigger legal obligations to notify affected individuals, regulators, or oversight bodies, and timelines can be tight. Determine which laws apply based on your sector and the data involved, and keep records of every notice sent. Treat your breach assessment and notification log as evidence of good-faith compliance.
Handle the records themselves carefully
Do not alter the original compromised records. If you must work with the data to investigate, use copies and track chain of custody. Once the incident is closed and any holds are lifted, return the records to normal lifecycle management and dispose of them only per your approved retention schedule using secure, documented methods.
Improve your program
After resolution, review what the breach revealed about your recordkeeping: over-retained personal data, weak access controls, or incomplete inventories. Minimizing how much sensitive information you keep, and for how long, is one of the most effective ways to reduce future exposure.
For more guidance on protecting personal data across the records lifecycle, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- Privacy Act of 1974 — U.S. Department of Justice
How to cite this page
APA
RM University Editorial. (2026). What should I do with records after a data breach?. Records Management University. https://www.recordsmgmt.org/questions/what-to-do-with-records-after-a-data-breach/
MLA
RM University Editorial. "What should I do with records after a data breach?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-to-do-with-records-after-a-data-breach/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?