What to do if…
you are told you are being investigated for a data breach
Short answer
Pause and protect evidence: do not delete, edit, “tidy up”, or investigate on your own. Get the allegation and meeting details in writing, and arrange support (union rep/companion) before any disciplinary hearing.
Do not do these things
- Do not delete emails, messages, files, browser history, logs, tickets, or “clean up” anything, even if you think it helps. Deleted material is usually still recoverable from backups or server copies, and the deletion itself is logged, so it can turn a routine inquiry into an allegation of tampering.
- Do not contact colleagues to “compare notes” or coordinate an explanation.
- Do not use personal accounts (Gmail/WhatsApp/personal cloud) to move work information “for safekeeping”.
- Do not run unauthorised checks in systems “to prove your innocence”. Every login, query, or file access you make now adds entries to the same audit logs the investigators will review; it can look like interference with evidence or count as a further policy breach.
- Do not speculate, guess, or fill silences in interviews. It’s OK to say you need to check or you don’t know.
- Do not resign in the heat of the moment or sign anything “to get it over with” without advice.
What to do now
- Stop changes and preserve the state of things. Put yourself in “hands off” mode: no deleting, renaming, moving files, or reconfiguring devices. If you’re mid-task, stop and note the time and what you were doing.
- Ask for the basics in writing (today). Reply calmly: ask what you are being investigated for, the date range, what systems/data are involved, and whether this is an investigation meeting or a disciplinary hearing. Ask who will run it and what documents they will rely on (policies, evidence bundle).
- Secure representation/support early.
  - If you’re in a union, contact your rep immediately and ask them to attend.
  - If it’s a disciplinary hearing, you can ask to be accompanied by a trade union representative or a work colleague (in the UK this is a statutory right for disciplinary and grievance hearings). Make the request in writing.
  - If it’s an investigation meeting, there is generally no legal right to be accompanied, but you can still ask your employer to allow someone to attend as support.
- Write a private, factual timeline while it’s fresh. In your own notes (not on a work-wide channel), record: dates/times, what you did, who asked you to do it, tickets/requests you followed, approvals you had, and any uncertainty. Keep it factual (no theories).
- Gather only your own legitimate records (don’t “pull data”). Save/print (where permitted by policy) things like: your meeting invite/notice, your job description, relevant policies/training confirmations, change requests/tickets you were assigned, and any written instructions you received. Do not access systems you wouldn’t normally access.
- Use the correct internal reporting route (and keep it narrow). If you have information that a breach may have occurred, report it to the designated internal function exactly as policy requires (for example your incident response contact, security team, or your data protection lead/DPO if you have one). Keep details factual and avoid broadcasting.
- If asked to hand over a work device or provide access, slow it down to a documented process. Ask for the request in writing and what will happen next: who will take custody of the device, what checks they will run, how its contents will be preserved, and how any personal information on it will be handled. Don’t obstruct; just keep it documented and within policy.
- If you feel overwhelmed, ask for a short postponement to get support. A simple line: “I want to cooperate fully; I need a short delay to arrange representation and review the information.”
What can wait
- You do not need to decide today whether to resign, file a grievance, make a formal complaint, or “go public”.
- You do not need to produce a perfect explanation immediately — your job right now is to preserve evidence and respond carefully.
- You do not need to contact regulators or affected individuals yourself. Notifying the regulator (in the UK, the ICO) and any affected individuals is the organisation’s responsibility and runs through its own process; doing it on your own can create risk for you and the organisation.
- You do not need to accept blame or agree to outcomes before you’ve seen the allegation and had support.
Important reassurance
Investigations can be routine after a security incident and do not automatically mean you’ve done something wrong. Feeling panicky, defensive, or ashamed is common — the safest move is to slow down, preserve evidence, and keep everything factual.
Scope note
This is first-steps guidance for the first hours/days after you’re told you’re being investigated. Employment and data protection situations can become case-specific quickly; getting representation/advice early can prevent avoidable mistakes.
Important note
This guide is general information, not legal advice. Policies and rights can depend on your employment status, contract, and whether the meeting is investigatory or disciplinary. If you’re unsure, use cautious language and get support before making irreversible decisions.
Additional Resources
- https://www.acas.org.uk/investigations-for-discipline-and-grievance-step-by-step/step-4-holding-investigation-meetings
- https://www.acas.org.uk/acas-code-of-practice-on-disciplinary-and-grievance-procedures/html
- https://www.legislation.gov.uk/ukpga/1999/26/section/10
- https://www.citizensadvice.org.uk/work/disciplinary-meetings/who-can-accompany-you-to-a-disciplinary-meeting/
- https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/