Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
Price
$69
One-time. No subscription. Use forever.
Delivered immediately after checkout — your template and guide links are emailed to you with your receipt.
Used by compliance teams at banks, fintechs, and asset managers
◆ Quick buying summary
What you get and when you can use it
- Good fit if
- You don't know your breach notification deadline off the top of your head — and in a real incident, you won't have time to look it up
- Format
- Editable workbook plus PDF/supporting guide materials where included. Instant download after checkout.
- Time to value
- Start reviewing, editing, and assigning owners the same day; customize to your organization before sharing outputs externally.
- After purchase
- After checkout, your templates and guides are available immediately and the download link is sent to your email with your Stripe receipt. No account required.
◆ What's included
- ◆ Incident response plan template
- ◆ Incident classification and severity matrix
- ◆ Breach notification letter templates
- ◆ All 50 states + DC notification requirements
- ◆ Incident timeline and tracking log
- ◆ Post-incident review template
Use rights: customize for internal business use and use outputs with your auditors, customers, bank partners, and regulators. Do not resell or redistribute the template files.
◆ Preview
See what the template covers.
Incident severity classification — Critical through Low with response times and executive notification requirements
IR RACI matrix — who does what for Detection, Containment, Eradication, and Recovery
State breach notification requirements — deadlines, thresholds, and penalties for all 50 states + DC
◆ FAQ
Frequently asked questions.
How does the all-50-states notification matrix work?
For each state and DC, the matrix shows: the notification deadline (ranging from 30 to 90 days, some "expedient"), who must be notified (consumers only, AG, or both), the threshold for triggering notification (number of residents affected), whether there's a cure period before penalties apply, and the penalty range. It's a single-lookup reference designed to be used under time pressure.
What incident types do the playbooks cover?
The kit includes step-by-step response playbooks for the 4 most common fintech incident types: unauthorized account access (hacking/credential stuffing), vendor/third-party breach, payment fraud, and data exposure (misconfiguration or insider). Each playbook follows the PICERL lifecycle — Prepare, Identify, Contain, Eradicate, Recover, Lessons Learned.
What's in the tabletop exercise kit?
The standalone tabletop kit includes a facilitator guide, 6 scenario cards (each a 1-page scenario brief with inject questions), a participant worksheet, a findings capture template, and a post-exercise action items log. It's designed to run in 90 minutes with no additional prep beyond distributing the scenario card on the day.
How does the incident severity classification work?
The severity matrix is a 2-axis assessment: Scope (how many records/accounts affected) and Impact (financial, operational, and reputational). Critical incidents require executive notification within 1 hour and regulatory notification within 24–72 hours. High incidents trigger management notification within 4 hours. The matrix auto-classifies based on your inputs.
Does the kit cover federal notification requirements, not just state?
Yes. In addition to all 50 state breach notification laws, the kit covers federal notification requirements under GLBA (FTC Safeguards Rule — notify the FTC within 30 days of a breach affecting 500+ customers), HIPAA (if applicable), and federal banking agency notification requirements (OCC, FDIC, Fed — 36-hour notification requirement for computer-security incidents under the NBER rule).
Can I use the breach notification letter templates as-is?
The templates are designed to be modified for each specific incident — they include blanks for the incident date, type of data affected, number of consumers affected, and specific steps taken. They're written in plain language designed to meet state notice content requirements. Legal review is always recommended before sending actual notifications.
Can I share completed outputs externally?
Yes. You can use completed outputs with auditors, customers, bank partners, regulators, and internal stakeholders. Customize the template for internal business use — just don't resell or redistribute the source template files.
How do I receive the files?
Checkout is handled through Stripe. After purchase, you receive the template and guide download link immediately on the confirmation page and by email, along with your Stripe receipt. No account is required.
What if it's not a fit?
Email within 30 days for a full refund, no questions asked. The guarantee is meant to remove purchase risk while you evaluate whether the template fits your use case.
● First-time buyer offer
Get 20% off your first template.
Drop your email and we'll send the code.
◆ Not ready to buy?
Start with the free Risk Register.
141 pre-populated fintech risks across 21 categories. ISO 31000 structure.
Download free Risk Register →◆ Related templates
Pairs well with.
Data Privacy Compliance Kit
Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.
Business Continuity & Disaster Recovery (BCP/DR) Kit
BCP and DR templates with BIA, recovery procedures, and a standalone tabletop exercise kit.
SOC 2 Compliance Checklist
151 controls mapped to AICPA Trust Services Criteria with evidence collection guidance.
◆ Ready when you are
Get the Incident Response & Breach Notification Kit.
Start building a defensible risk program today.