PanicStation.org
UK USA
us Work & employment crises being investigated for data breach • accused of data breach at work • internal investigation data leak • security incident investigation meeting • hr investigation cyber incident • asked to attend investigatory interview • under investigation for breach • alleged policy violation data • suspected data exfiltration • emailed sensitive data mistake • shared confidential file link • dlp alert investigation • company says i caused breach • asked to surrender work laptop • asked for passwords investigation • union rep investigatory interview • weingarten rights request • discipline risk investigation • compliance investigation privacy

What to do if…
you are told you are being investigated for a data breach

Short answer

Preserve evidence and slow the conversation down: don’t delete or “fix” anything, and don’t guess. Ask for the allegation and process in writing, and if you’re union-represented, request your union rep for any investigatory interview that could lead to discipline.

Do not do these things

  • Do not delete or alter emails, chats, files, tickets, logs, or device settings — even if you think it helps.
  • Do not “dig through systems” you don’t normally use to prove your case; it can look like interference.
  • Do not move work data to personal email/cloud or forward “just in case”.
  • Do not coordinate stories with coworkers or post about it (including “vague” social posts).
  • Do not sign statements, settlement papers, or “last chance” agreements on the spot.
  • Do not resign impulsively to escape the stress; it can complicate your options.

What to do now

  1. Go into evidence-preservation mode immediately. Stop making non-essential changes. Don’t uninstall tools, clear histories, or “tidy up”. If you were doing something relevant when notified, write down the time and what you were doing.
  2. Get the allegation and the process clarified in writing. Ask: what you’re accused of, what data/systems, the time window, and what meeting this is (fact-finding interview vs disciplinary meeting). Ask who will attend and whether you’ll receive any documents in advance.
  3. If you’re union-represented (and covered by the NLRA): invoke Weingarten rights clearly. If you reasonably believe the interview could lead to discipline, say: “I request union representation.” Then stop the interview and wait for their response. The employer will typically either (a) pause and allow a representative, (b) end the interview, or (c) offer you a choice to continue without representation or not continue. If you do not want to proceed without representation, calmly say you are choosing not to answer questions without your representative present and ask that your request is noted.
  4. If you’re not union-represented: ask to slow it down anyway. You can ask to reschedule so you can review the allegations and consult an attorney. You can also ask whether a support person (for example, a coworker witness) is allowed by company policy — but the employer may say no.
  5. Create a private, factual timeline. Write down (for yourself): what you did, what you were asked to do, approvals you had, relevant tickets/emails, and what you don’t know. Keep it factual; avoid theories.
  6. Collect only materials you’re permitted to keep. Save meeting notices, your job description, security policies/training acknowledgements, and any written instructions you received. Do not copy/export sensitive data to build your defense.
  7. Use the designated internal channel for incident facts (and keep it narrow). If you have relevant facts that a breach may have occurred, report them through your company’s incident/security/compliance process. Stick to facts and avoid wide distribution.
  8. If asked to hand over devices, credentials, or access: ask for the request in writing, what policy it’s under, and what the scope is. Don’t obstruct — but do not volunteer extra access “to be helpful” without clear instructions.
  9. If the stakes look serious (termination, law enforcement contact, licensing risk): consult an employment attorney quickly. Keep communications brief and factual until you’ve gotten advice.

What can wait

  • You do not need to decide today whether to resign, threaten legal action, or make a public statement.
  • You do not need to produce a full narrative immediately — it’s normal not to know everything at first.
  • You do not need to “fix the company’s breach response” yourself unless that is your assigned role and you’ve been instructed to act.
  • You do not need to contact customers, regulators, or the media personally (and doing so can escalate risk).

Important reassurance

Many companies automatically investigate after a suspected security event, and being investigated is not proof of wrongdoing. The safest approach is calm cooperation with firm boundaries: preserve evidence, be factual, and get support before you speak at length.

Scope note

This guide covers first steps in the first hours/days after you’re told you’re being investigated. Workplace investigations and representation rights can vary by state, contract, and union status, so getting case-specific advice early can matter.

Important note

This is general information, not legal advice. Policies, timelines, and rights vary widely across employers and states. If you are unsure, avoid irreversible actions, document everything you can appropriately, and seek qualified advice.

Additional Resources
Support us