A data breach can cost a company millions of dollars in lost revenue, legal fees, and damaged reputations. This is why businesses must have a data breach protocol↗ in place to quickly identify and respond to a breach when it occurs. In this article, we'll cover the critical steps in a data breach response checklist for eCommerce sellers to minimize damage. » How do you prevent a data breach? Discover ways to protect your online store from data breaches↗ Why Protect Against Data Breaches?
Financial Loss
Talking about monetary cost alone, IBM↗ reports that data breaches can cost businesses upwards of $4.35 million. However, dealing with a data breach is rarely just a financial issue.
Damaged Brand
A data breach can also cost businesses in terms of their reputation and customer trust↗. In the digital age, customers are becoming increasingly aware of the risks of data breaches. They are less likely to do business with a company that has previously been hacked or compromised.
Increased Threat
Statista↗ also reports that the instances of data breaches continue to rise exponentially, with attacks multiplying to 15 million worldwide in 2022. That's a 167% increase from the previous year and a staggering number of data records exposed. Unfortunately, many businesses fail to protect against such breaches until it's too late. By then, a cyber attack is well underway, with hackers stealing sensitive company information or holding systems hostage with ransomware. Steps To Respond to a Data Breach So, what exactly is a data breach response checklist for eCommerce sellers? Here are the steps you should take as soon as you identify a data breach:
1. Assess the Scope of the Breach
The first step in handling a data breach is to determine exactly what was compromised, how it occurred, and who was impacted by the event. This involves assessing the extent of any damage, such as any financial loss, what records were stolen, what files have been hacked, etc. You should also establish if it's a genuine breach. Often, security software can generate false alarms that don't indicate a real threat. You must check whether you're facing an actual breach or simply need to update your security software.
2. Secure Your Operations and Fix Vulnerabilities
Once you've determined that a breach has occurred and assessed the damage, the next step is to immediately secure all operations to prevent further data loss or the breach from spreading. This may involve shutting down systems, reviewing security procedures and passwords, or limiting access to certain data. The United States Federal Trade Commission (FTC) suggests taking the following steps to secure business operations in the event of a data breach:
- Secure physical areas that may have been involved in the breach Secure computer systems, servers, and other electronics that may be related to the breach by locking them and changing access codes.
- Assemble a response team to carry out your protocol This could include legal experts, data forensics experts, IT professionals, human resources, communications, and upper management.
- Stop data loss Immediately put all affected equipment offline and place clean machines online instead. Update passwords and credentials as quickly as possible.
- Remove information the hacker may have published online If any personal data is posted on the company's website or other sites, take it down immediately.
3. Notify Affected Customers or Employees
Once you've determined the scope of the incident, you should reach out to all impacted parties as soon as possible to inform them about the data breach. This includes notifying law enforcement, who can help you investigate the breach further. The General Data Protection Regulation↗ (GDPR) and California Consumer Privacy Act↗ (CCPA) are strict laws that require businesses to notify customers of any data breaches within a specific timeframe. The GDPR requires companies to alert affected parties within 72 hours, while the CCPA requires notification as soon as the breach has been discovered. » How do you stay GDPR compliant? Learn what is a data breach under GDPR↗ Stay Proactive With Breach Response Managing a data breach can be challenging and stressful, but you must remain proactive in your approach to responding to them. The steps above are a good starting point for eCommerce sellers who want to protect their customers and businesses from the financial and reputational consequences of a data breach. Ultimately, preventing future data breaches requires having a clear and comprehensive response plan and investing in robust IT security systems to identify potential threats before they occur. » Worried about detecting data breaches? Explore PieEye's data breach protocol↗
Testing Your Incident Response Plan Before You Need It
Your data breach response checklist is only useful if your team knows how to execute it under pressure. Most eCommerce sellers create a breach protocol and then file it away, only to discover during an actual incident that key contacts are outdated, responsibilities are unclear, or critical systems weren't included in the plan.
Run a tabletop exercise at least twice per year. Gather your response team (IT, legal, customer service, management) and walk through a fictional breach scenario. Ask: Who calls the payment processor? Who drafts the customer notification? How long does it actually take to identify affected orders in your system? Where are your backup servers?
For Shopify or BigCommerce stores specifically, test your ability to quickly pull customer data exports and determine which email addresses or payment methods were exposed. Practice using your PSP's (payment service provider's) incident response hotline. Verify that your DNS records are properly documented so you can spot unauthorized changes. Walk through how you'd temporarily disable Meta Pixel or Google Analytics if those systems were compromised.
Document the results of each drill and update your checklist based on what you learned. When a real breach happens, your team will move faster because they've already practiced the motions.
Customer Communication: Beyond Legal Notification
Notifying affected customers is legally required, but how you do it determines whether they stay with your brand or leave.
Generic "We experienced a security incident" emails feel dismissive and trigger panic. Instead, be specific about what data was potentially exposed (order numbers and names, but not payment card details—those should have been tokenized anyway). Explain what you're doing to prevent recurrence, not just what you did to respond. Offer concrete next steps: free credit monitoring if personal information was exposed, or clear instructions to reset their password if account credentials were compromised.
Time your communication carefully. Don't send breach notifications on Friday afternoons or holidays when customers can't reach your support team. Ensure your customer service team is briefed and ready to answer questions. Monitor social media and review sites for conversation about the breach—respond professionally and offer direct support channels.
For DTC brands with Klaviyo or similar email platforms, verify that your email templates are tested and your sender reputation is clean before sending breach notifications. A breach notification marked as spam undermines trust further.
Documentation That Protects You Later
During a breach, chaos is normal. But every action you take—every system you shut down, every communication you send, every decision you make—should be documented in real time.
Assign one person to maintain a detailed incident log: timeline of events, decisions made, who was contacted, when, and what information was shared. Include screenshots of suspicious activity, logs from your server or eCommerce platform, and records of all notifications sent to customers and authorities. This documentation serves multiple purposes.
First, it helps law enforcement and regulators understand your response if they investigate. Second, it demonstrates that you took the breach seriously and acted reasonably—important if lawsuits follow. Third, it's invaluable for your post-breach analysis. When you review what went wrong, you'll want to know exactly how the breach unfolded and where your response faltered.
Save all communications internally (Slack, email, meeting notes) in a secure, separate location. If you're working with external counsel or forensic investigators, they'll need this paper trail. Keep these records for at least 3–5 years, even after the incident is resolved.
Post-Breach Forensics and Root Cause Analysis
Once the immediate crisis is contained and customers are notified, the real investigation begins. You need to understand how the breach happened and ensure it doesn't happen again.
Hire a third-party forensic investigator if the breach is significant. They'll examine logs, trace the attacker's path through your systems, and identify the root cause—whether it was a vulnerable plugin on your Shopify store, weak employee passwords, an unpatched server, or compromised third-party integration like a payment gateway or analytics tool.
This analysis often reveals uncomfortable truths. Maybe your web developer ignored security updates. Maybe your hosting provider wasn't backing up data properly. Maybe you were using an outdated version of your eCommerce platform. Document these findings honestly, even if they're painful. They're the foundation for fixing the actual problem.
After forensics, issue a detailed incident report to your leadership and board (if applicable). Include the root cause, timeline, financial impact, regulatory notifications required, and a remediation plan with specific deadlines. Update your vendor and integration list to identify any third parties who may have access to customer data and verify their security posture too.
The reality is that no checklist can account for every scenario. Breaches are messy, unpredictable events that test your team and systems in ways you can't fully anticipate. What you can control is how well-prepared you are before something happens, and how systematically you respond when it does. The more rigorous your incident response plan, the faster you'll contain damage and restore customer trust. Most eCommerce sellers operate without a true consent and data governance layer, which means they can't even map where all customer data lives or what tracking tools are collecting it. Building a privacy program—one that includes a consent management system—ensures you know your data landscape before a breach forces you to figure it out in panic mode.