Someone calls your office and says they received a strange password-reset email. Then an employee notices a mailbox rule they did not create. Or a laptop goes missing after a client meeting.
At that point, most owners want one answer: how bad is this?
That is a fair question. It is also one you should not answer from a gut feeling. A security incident can be contained quickly. A data breach can bring in your IT provider, cyber insurance carrier, attorney, bank or payment processor, affected clients, and Wisconsin notice rules. The first few decisions matter.
This is the practical version of what a Milwaukee-area business should do next. It is not legal advice. Your attorney and, when applicable, your cyber insurance carrier should guide the legal and notification decisions for your situation.
Key Takeaways
- •Treat a suspected breach as an incident first. Contain access, preserve useful evidence, and write down what happened before details disappear.
- •Do not wipe a device, reset everything, or send a broad client notice based on a hunch. Get the right people involved first.
- •Wisconsin law can require notice within a reasonable time, no later than 45 days after an entity learns personal information was acquired without authorization.
- •Your insurer and attorney may have rules about who investigates, what you say publicly, and when notice goes out. Call them early.
The first hour: contain the problem without destroying the evidence
If a computer is actively showing ransomware, unexpected remote control, or obvious malicious activity, disconnect it from the network. Pull the Ethernet cable or turn off Wi-Fi. Do not start clicking around to see what else is broken.
Then call your IT provider or incident-response contact. If you have cyber insurance, call the carrier or use its breach hotline before bringing in outside forensic help. Policies often have specific requirements about approved counsel, investigators, and communications.
Avoid the tempting cleanup moves: factory-resetting the laptop, deleting suspicious emails, wiping logs, or changing every password without a plan. Some immediate access changes are necessary, especially for a known compromised account, but your technical team should preserve enough evidence to determine what happened and what data was involved.
First, find out whether personal information was actually exposed
Not every phishing email, malware alert, or lost device becomes a reportable data breach. The important questions are more specific:
- Which account, computer, mailbox, or cloud service was involved?
- When did the activity begin, and when did you discover it?
- Did the intruder, employee, or missing device have access to client or employee records?
- What records were available there: names, Social Security numbers, bank information, payment-card data, health information, driver's-license numbers, or credentials?
- Is the unauthorized access still active?
Write down what you know, what you do not know yet, and who is checking each question. A simple timeline is better than an inbox full of half-remembered phone calls.
What Wisconsin law says about notice
Wisconsin's breach-notification law, Wis. Stat. § 134.98, applies to many organizations that do business in the state and maintain personal information.
The statute defines personal information narrowly. In general, it is a person's name linked with unencrypted, unredacted information such as a Social Security number, driver's-license or state ID number, financial-account or payment-card information with the means to access it, DNA profile, or certain biometric data.
When the law requires notice, it says an entity must make reasonable efforts to notify the affected people within a reasonable time, no later than 45 days after it learns the information was acquired without authorization. There are exceptions, including some situations where the acquisition does not create a material risk of identity theft or fraud. Healthcare and financial organizations can also be subject to other federal requirements.
That is why this should not turn into an office debate about whether an incident "feels serious." Let your attorney and incident team assess the facts, the data, the applicable laws, and the notice process. The 45-day outside limit is not a reason to wait 44 days.
Days 1 through 7: build one clean incident record
Once the immediate fire is out, keep a single record of the response. It does not need to be fancy. A protected document or case record can cover:
- The date and time the incident was discovered.
- The systems, accounts, and people involved.
- What was done to contain the issue and when.
- What logs, screenshots, emails, or device records were preserved.
- Which outside parties were contacted, including the insurer, legal counsel, bank, payroll provider, or payment processor.
- The working answer to what data may have been accessed.
This record is useful for the investigation, the insurance claim, client communication, and the changes you make afterward. It also keeps the owner from having to reconstruct the story three weeks later from scattered Teams messages.
Bring in the right people early
A small business does not need a huge crisis committee. It does need clear owners.
| Who | What they handle |
|---|---|
| IT provider or security team | Containment, investigation, log preservation, account recovery, and technical remediation. |
| Owner or executive lead | Business decisions, authority, and a single point of contact. |
| Cyber insurer or broker | Policy requirements, breach hotline, approved response resources, and claim handling. |
| Attorney | Applicable notice rules, communications, contracts, and legal obligations. |
| Bank, payroll, or payment provider | Urgent action when accounts, payroll, wires, ACH changes, or payment cards may be involved. |
If a suspected incident involves a compromised Microsoft 365 account, start with the same basics from our Microsoft 365 security checklist: secure the account, revoke active sessions, check forwarding rules, and review sign-ins. Then keep going until you know what the account could reach.
What not to do
- Do not promise clients facts you have not verified. "Nothing was accessed" is a dangerous thing to say before the investigation is complete.
- Do not use the compromised mailbox as the main response channel. Move sensitive coordination to an account or channel your technical team has confirmed is safe.
- Do not handle a wire, payroll, or banking issue by email alone. Call a known number for the bank or provider immediately.
- Do not wait to notify your carrier because you are embarrassed or unsure. Early notice lets you follow the process the policy expects.
- Do not make a public statement before your attorney and insurer have reviewed it. You need facts, not guesses.
Use the incident to close the gap
After containment and any required notification, ask the practical question: what would have stopped this or made it smaller?
For many Milwaukee businesses, the answer is not one expensive security product. It is a few boring controls that were missing or never checked: MFA on every important account, a tested backup, endpoint protection that someone watches, separated admin accounts, patched devices, and a written first-hour plan.
Those are also the controls cyber insurers ask about. Our recent cyber insurance renewal checklist explains how to review them before an application or a claim puts them under a microscope.
Sources and a legal note
- Wisconsin Legislature, Wis. Stat. § 134.98
- CISA, Secure Your Business guidance for small and medium businesses
This article is general operational guidance, not legal advice. Your facts, contracts, insurer, industry, and the people affected can change the obligations. Speak with qualified counsel about any suspected breach or notice requirement.
Powerful IT Systems · Sussex, WI
Master's degree in Computer Science with 15+ years of hands-on IT experience serving Milwaukee-area businesses.
