Security · 12 December 2025

How to Respond to a Suspected Document Leak in Under 24 Hours

The first 24 hours after a leak are critical. Here's the step-by-step playbook your team should run — starting with what NOT to do.

Your client, colleague, or compliance officer has just told you a sensitive document has leaked. What you do in the next 24 hours will determine whether this becomes a manageable incident or a career-ending news story. Here's the playbook.

The first 15 minutes: contain, don't panic

Your first instinct will be to delete access, email everyone involved, and start investigating. Slow down. In the first 15 minutes, do exactly three things:

  1. Note the time. You'll need this for the audit trail and for any notification timelines.
  2. Preserve evidence. Do NOT delete logs, emails, or access records. If you have a data room, take an immediate snapshot of the audit trail for the affected documents.
  3. Restrict further access. Revoke the relevant access link or permissions, but don't delete the underlying records.

The first hour: triage

Once the bleeding is stopped, work out the scope. Who is affected? What information was exposed? How did it get out? Is the source known? Is it still leaking?

Pull the audit trail for every affected document. Look for anomalies — views from unexpected IPs, unusual download patterns, access outside business hours. Document everything you find.
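The snapshot from the first 15 minutes and the triage pass above, as an added example that is not code from the original post: it fixes a SHA-256 digest over a constructed audit export and flags the three anomaly patterns the post names. The export format, the office IP range, the business-hours window and the bulk-download threshold are all assumptions made for the example.

```python
import hashlib
import ipaddress
import json
from collections import Counter
from datetime import datetime

# Constructed sample audit export (hypothetical data-room schema, not a real product's).
AUDIT_LOG = [
    {"ts": "2025-12-11T09:12:00", "user": "alice", "ip": "203.0.113.10", "doc": "DOC-7", "action": "view"},
    {"ts": "2025-12-11T10:05:00", "user": "bob", "ip": "203.0.113.22", "doc": "DOC-7", "action": "download"},
    {"ts": "2025-12-11T23:41:00", "user": "bob", "ip": "198.51.100.7", "doc": "DOC-7", "action": "download"},
    {"ts": "2025-12-11T23:43:00", "user": "bob", "ip": "198.51.100.7", "doc": "DOC-7", "action": "download"},
    {"ts": "2025-12-11T11:00:00", "user": "carol", "ip": "203.0.113.5", "doc": "DOC-9", "action": "view"},
    {"ts": "2025-12-13T14:00:00", "user": "alice", "ip": "203.0.113.10", "doc": "DOC-7", "action": "view"},
]

# Assumed policy values: corporate egress range, business hours (08:00-18:59 local) and bulk threshold.
OFFICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 19)
DOWNLOAD_THRESHOLD = 3


def snapshot_digest(records):
    """SHA-256 over a canonical serialisation of the export. Record this value together with
    the time you took the snapshot so the preserved copy can later be shown to be unchanged."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def triage(records, affected_docs, office_nets=OFFICE_NETS):
    """Flag the anomalies the triage step looks for, restricted to the affected documents."""
    findings = []
    downloads = Counter()
    for r in records:
        if r["doc"] not in affected_docs:
            continue
        ts = datetime.fromisoformat(r["ts"])
        ip = ipaddress.ip_address(r["ip"])
        if not any(ip in net for net in office_nets):
            findings.append({"reason": "unexpected_ip", "user": r["user"], "ts": r["ts"], "detail": r["ip"]})
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:  # evenings and weekends
            findings.append({"reason": "off_hours", "user": r["user"], "ts": r["ts"], "detail": r["action"]})
        if r["action"] == "download":
            downloads[(r["user"], r["doc"])] += 1
    for (user, doc), n in downloads.items():
        if n >= DOWNLOAD_THRESHOLD:
            findings.append({"reason": "bulk_download", "user": user, "ts": None, "detail": f"{doc} x{n}"})
    return findings
```

Run `triage(AUDIT_LOG, {"DOC-7"})` to see the findings for the affected document; records for documents outside the scope are ignored.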

The first four hours: notify your decision-makers

Your firm principal, partner, or CEO needs to know. So does your insurance contact if you have cyber cover. So does your external lawyer if this is potentially negligent. Do NOT notify the affected parties yet — you need a plan first.

The first 12 hours: assess notification obligations

Under the Notifiable Data Breaches scheme, if the leak is "likely to result in serious harm" to the affected individuals, you have an obligation to notify them and the OAIC. The 30-day clock starts when you become aware of the breach. That sounds like plenty of time; in practice, lawyers and insurers will chew through most of it.

The first 24 hours: the hard conversation

Once your lawyers have signed off, start the client notification process. Be direct. "We identified a breach at [time]. Affected: [scope]. We've taken these containment steps. We're notifying the OAIC. Here's what we're doing to support you." Don't over-apologise and don't speculate about causes — both get used against you later.

What not to do

Don't try to cover it up. Don't email the affected parties before you have a legal strategy. Don't publicly comment before you have the facts. Don't delete your access logs "to protect the evidence" — you'll destroy your ability to investigate.

And if you don't have a tamper-evident audit trail right now, that's the first thing you should put in place before this ever happens.