Incident Response Plan Template for NJ Small and Medium Businesses

By Mauricio Fernandez · Minuswires · Template

Download PDF

A cyberattack, ransomware infection, or accidental data exposure does not announce itself in advance. When it happens — and security professionals are unanimous that it is a matter of when, not if — the difference between a contained incident and an existential business crisis comes down to one thing: whether you had a written plan before the attack started. Most small and medium businesses in New Jersey and New York City do not have one. This template changes that. It covers everything from the legal requirements under the NJ SHIELD Act to the six operational phases of response, the roles your team needs to fill, and the exact communication templates you can adapt and send within the first 24 hours of an incident.

Why Every NJ Business Needs an Incident Response Plan

The New Jersey SHIELD Act, signed into law in 2019 and effective March 1, 2020, expanded the state's data breach notification law and introduced an affirmative obligation: any business that handles personal information of NJ residents must implement and maintain a “reasonable security program.” An incident response plan is a core component of that program. It is not optional, and it is not just for large enterprises.

Beyond legal compliance, the operational case is straightforward. When a breach occurs, your team is under stress, time pressure, and often incomplete information. A plan eliminates decision paralysis. It tells each person exactly what to do, in what order, and who to call. It also protects you legally: documented response actions show regulators and courts that you acted reasonably and promptly, which is the standard the SHIELD Act applies.

The 6 Phases of Incident Response

The following phases are adapted from the NIST Computer Security Incident Handling Guide (SP 800-61) and reflect the standard framework used by professional incident response teams. Adapt the specific steps to your business size and technical environment.

  1. Preparation. This is the only phase that happens before an incident. It includes: writing and distributing this plan, training staff to recognize phishing and social engineering, maintaining an up-to-date asset inventory (every device, account, and system that touches your data), confirming that backups are running and tested, and establishing relationships with your IT vendor, legal counsel, and cyber insurance carrier before you need them under pressure.
  2. Identification. Determine whether an incident is actually occurring. Common triggers include: antivirus or EDR alerts, unusual login activity, employee reports of locked files or strange pop-ups, unexplained network traffic spikes, or customer reports of suspicious communications claiming to be from your business. Document the time of discovery, the source of the alert, and initial observations. Assign an incident number and activate the response team. Do not attempt to fix anything yet — preserve evidence first.
  3. Containment. Stop the spread. Short-term containment might mean isolating an infected machine from the network (disconnect the ethernet cable or disable Wi-Fi — do not power it off, as this can destroy forensic evidence). Disable compromised accounts. Block malicious IP addresses at the firewall. Long-term containment involves patching the exploited vulnerability or switching to a clean backup system while forensics are completed. Document every action taken with timestamps.
  4. Eradication. Remove the root cause entirely. This means: identifying and deleting all malware, closing the attack vector (patch, misconfiguration, or credential reset), scanning all systems for indicators of compromise (IoCs), and confirming the threat is fully removed before moving to recovery. Do not skip this phase. Businesses that rush to recovery without full eradication often get re-infected within days.
  5. Recovery. Restore systems to normal operation in a controlled, monitored sequence. Restore from clean backups where possible. Bring systems back online one at a time, monitoring for any signs of re-infection. Reset all passwords, rotate API keys, and revoke any access tokens that may have been exposed. Verify business functions are operating correctly before declaring the incident resolved. Confirm with your IT vendor that monitoring is active and alert thresholds are set.
  6. Lessons Learned. Within two weeks of resolution, hold a post-incident review meeting. Document what happened, what worked in the response, what did not, and what changes to make before the next incident. Update this plan accordingly. File any required regulatory notifications if not already completed. Share a sanitized summary with relevant staff so organizational learning occurs. This phase is the one most businesses skip — and the one that prevents recurrence.

Key Roles and Responsibilities

For small businesses, one person may fill multiple roles. What matters is that each function is assigned to a named individual before an incident occurs, along with a backup in case the primary is unavailable. Enter actual names and direct contact information in your working copy of this plan.

  • Incident Commander. Owns the overall response. Makes containment and escalation decisions. Authorizes external communications. Calls the all-clear. For most SMBs in NJ, this is the business owner or operations manager.
  • Technical Lead. Executes the technical containment and eradication steps. Your IT vendor or managed services provider typically fills this role. Confirm in advance that your vendor has incident response capabilities and a defined SLA for emergency response.
  • Communications Lead. Drafts and sends internal staff updates, customer notifications, and media statements if required. Works from the templates in this plan. Ensures no unauthorized communications go out — a single panicked employee tweet can complicate a legal response significantly.
  • Legal / Compliance Contact. Advises on notification obligations under the NJ SHIELD Act, HIPAA (if applicable), PCI DSS (if you process credit cards), or other applicable frameworks. Reviews all external communications before they are sent. For most NJ small businesses, this is outside counsel engaged on retainer or called at the time of the incident. Have the number ready now.
  • HR / Management Liaison. If the incident involves insider threat, employee credentials, or a terminated employee, HR must be involved from the start. Also manages employee communications and ensures staff are briefed appropriately.

Escalation Procedures and Vendor Contact List

Print this section and store it physically — if your systems are locked by ransomware, you may not be able to access a digital copy. Update contact information quarterly.

  • IT Vendor / MSP Emergency Line: [Name] — [Phone] — [Email] — [SLA: response within X hours]
  • Cyber Insurance Carrier: [Carrier name] — [Policy number] — [24/7 claims line]
  • Legal Counsel (Data Privacy): [Firm / Attorney] — [Phone] — [Email]
  • NJ Attorney General (breach reports): njconsumeraffairs.gov — (973) 504-6200
  • FBI Cyber Division (ransomware / significant breaches): ic3.gov — local NJ field office: (973) 792-3000
  • Domain Registrar Emergency Contact: [Registrar] — [Account #] — [Emergency line]
  • Cloud / Hosting Provider: [Provider] — [Account #] — [Support URL]
  • Payment Processor (if card data involved): [Provider] — [Merchant ID] — [Fraud hotline]
  • Web / App Vendor (Minuswires): support@minuswires.com — (201) 389-7937

Escalation thresholds: Notify the Incident Commander immediately upon any confirmed unauthorized access. Engage legal counsel within 2 hours of a confirmed breach involving personal information. Contact your cyber insurance carrier within 24 hours — most policies require prompt notification, and delay can affect coverage. Notify the NJ Attorney General as required by the SHIELD Act, typically within 30–60 days of confirmed breach discovery.

Communication Templates

Adapt these templates before an incident occurs. Have your legal counsel review customer and regulatory communications before they are sent. Do not improvise external messaging during an active incident.

Internal Staff Notice (send within 1–2 hours of confirmed incident):

Subject: Security Incident — Action Required

Team,

We are currently responding to a security incident affecting [describe scope briefly]. The incident response team has been activated. Until further notice, please do not [share passwords / access X system / discuss this externally]. If you notice anything unusual on your device or accounts, contact [Technical Lead name and phone] immediately. Do not attempt to investigate or fix anything on your own. We will provide an update by [time].

— [Incident Commander name]

Customer Notification (send only after legal review, once breach is confirmed):

Subject: Important Notice Regarding Your Account

Dear [Name],

We are writing to inform you of a security incident that may have affected your personal information. On [date], we discovered [brief description of what happened]. The information potentially involved includes [categories of data]. We took the following immediate steps: [containment actions].

We recommend you [monitor your accounts / change your password / place a fraud alert]. If you have questions, contact us at [email / phone]. We are sorry this occurred and are committed to protecting your information going forward.

— [Business name and signature]

Business Impact Assessment and Post-Incident Review

During the identification phase, begin a parallel business impact assessment: which systems are unavailable, which business functions are affected, what is the estimated hourly cost of downtime, and how long can the business operate in degraded mode before the impact becomes critical. This assessment determines whether to invoke your disaster recovery plan alongside the incident response plan.

  • Recovery Time Objective (RTO): The maximum acceptable time a system can be down. Define this per system before an incident (e.g., e-commerce site: 4 hours; internal email: 24 hours).
  • Recovery Point Objective (RPO): The maximum acceptable data loss. If your last backup was 24 hours ago, your RPO is 24 hours. Most NJ businesses should target RPOs of 4–8 hours for critical data.
  • Backup verification: Confirm at least monthly that backups are completing successfully and that restoration actually works. Backups that have never been tested are not backups.

The post-incident review should answer seven questions: (1) What happened and when? (2) How was it detected? (3) How did the attacker gain access? (4) What data was accessed or exfiltrated? (5) What containment steps were taken and were they effective? (6) What would we do differently? (7) What changes to systems, training, or this plan are needed? Document the answers and file them with this plan. Update the plan before closing the incident record.

One-Page Quick Reference Card

Print this section and post it near your server room, IT workstation, or in each department manager's office. It covers the first 60 minutes of an incident when time pressure is highest.

Incident Response — First 60 Minutes

  1. Detect & report: Any employee who suspects an incident calls [Incident Commander phone] immediately. Do not email — use phone.
  2. Do not power off affected machines — disconnect from network instead (pull cable, disable Wi-Fi).
  3. Preserve evidence: Take screenshots, photograph screens, note timestamps. Do not attempt to fix or delete anything.
  4. Call IT vendor: [Phone number] — report what you see, not what you assume. Let them diagnose.
  5. Activate response team: Incident Commander notifies Technical Lead, Communications Lead, and Legal contact within 30 minutes of confirmed incident.
  6. Lock down accounts: Reset passwords for affected accounts immediately. Revoke suspicious sessions from admin panels.
  7. Start the log: Open the incident log template. Every action gets a timestamp and the name of who took it.
  8. No external communications until Communications Lead and Legal have reviewed and approved.
  9. Cyber insurance: Call [carrier] at [phone] within 24 hours. Policy number: [number].
  10. Brief staff using internal notice template. Tell them what not to do, not just what happened.

Minuswires works with small and medium businesses across New Jersey and New York City — from Sussex County to Hudson County, from Morris County to Manhattan — to build websites and applications with security and uptime built in from the start. If your business has been through an incident, or if you want to ensure your website, hosting, and backup configuration are ready before one occurs, our team can walk through your setup and identify gaps before they become problems.

Need help with your website?

Minuswires builds secure, managed websites for NJ and NYC businesses — with automated backups, uptime monitoring, and hosting configurations designed to minimize incident risk and recovery time. If you want a free review of your current setup, or help getting your website's security posture ready for the NJ SHIELD Act, book a free consultation and we'll look at it together.

Get a free consultation