Privacy & compliance

Incident documentation: what to record if something goes wrong

Updated 2026-04-11 · Practical guide for NZ small businesses

Short answer: After a privacy or security incident, record the timeline, systems affected, data classes involved, actions taken, and follow-ups. Contemporaneous notes beat memory under stress.

Good documentation supports regulators, insurers, and your own learning.

Start simple: an incident log row

  • Detected when / how
  • Contained when
  • Notified whom (internal, host, counsel, individuals)
  • Root cause category (credential leak, plugin, phishing, etc.)

Evidence handling

Preserve logs carefully. Sequence matters: if guidance says to contain first, avoid tipping off attackers with noisy mass password resets before containment.

Post-incident improvements

Track remediation tickets: MFA gaps closed, backup test passed, monitoring alert added. Close the loop so the same hole does not reopen.

Frequently asked questions

How long to keep incident notes?

Follow legal and insurance guidance; retention is often longer than for ordinary operational logs.

Should customers know about every small phishing attempt?

Not necessarily—assess impact and get advice; transparency is important when personal data is at risk.