
Incident Response
Declare production incidents with correct regulatory notification clocks for GDPR, PCI-DSS, HIPAA, and related frameworks instead of guessing deadlines under stress.
Overview
Incident Response is an agent skill most often used in Operate (also Ship) that applies regulatory breach notification deadlines from declaration time for GDPR, PCI-DSS, HIPAA, and comparable frameworks.
Install
npx skills add https://github.com/alirezarezvani/claude-skills --skill incident-response
What is this skill?
- Notification clock starts at incident declaration, not when investigation finishes
- Reference deadlines for GDPR supervisory authority (72 hours), PCI-DSS card brands (24 hours), and HIPAA HHS/OCR paths (
- Operational rule: assume the most restrictive deadline when scope is unclear, then document assumption resolution in the
- Maps jurisdictions, recipients, and penalty exposure for non-compliance in a single summary table
- Supports documenting breach scope evolution from first response window through confirmed facts
- GDPR supervisory authority notification: 72 hours after discovery
- PCI-DSS cardholder data breach: 24 hours after confirmation to acquirer and card brands
- HIPAA large PHI breach to HHS: 60 calendar days after discovery
Adoption & trust: 557 installs on skills.sh; 17.5k GitHub stars; 2/3 security scanners passed (skills.sh audits).
What problem does it solve?
An incident is live and you do not know which regulator, bank, or authority must be notified—or whether the countdown already started at declaration.
Who is it for?
SaaS or commerce solos handling EU personal data, card payments, or US health data who need deadline literacy in the first response hour.
Skip if: Purely internal bug fixes with no personal or regulated data, or organizations that already have counsel-owned playbooks and should not rely on agent summaries alone.
When should I use this skill?
A security incident may involve personal data, cardholder data, or PHI and you need regulatory notification deadlines counted from declaration or discovery.
What do I get? / Deliverables
You align the incident record and first actions to the correct notification window, recipients, and documented scope assumptions before scope is fully confirmed.
- Incident timeline aligned to applicable notification deadlines and recipients
- Documented scope assumptions and resolution notes for the incident record
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Operate is where live breaches and outages trigger legal clocks—this skill anchors response at incident declaration time. Errors covers incident handling and breach response workflows, including who must be notified and by when.
Where it fits
Database exposure suspected—start GDPR 72-hour supervisory authority clock at declaration with scope assumptions logged.
Alert confirms cardholder data access—trigger PCI 24-hour acquirer and card brand notification path.
Pre-launch, embed deadline table into incident runbook for the data types you will process.
After adding EU users, rehearse DPA notification wording tied to the 72-hour window.
How it compares
Use for regulatory notification timing tables at declaration—not for generic on-call paging or application error triage without compliance exposure.
Common Questions / FAQ
Who is incident-response for?
Founders and small teams operating SaaS, APIs, or stores that may trigger GDPR, PCI-DSS, or HIPAA notification duties during a security incident.
When should I use incident-response?
In operate when declaring a suspected breach; during ship security prep to embed notification rules in launch checklists; whenever discovery time starts clocks to DPAs, card brands, or HHS rather than post-investigation.
Is incident-response safe to install?
Treat outputs as operational reference, not legal advice—review the Security Audits panel on this Prism page and validate deadlines with qualified counsel for your jurisdiction.
SKILL.md - Incident Response
# Regulatory Notification Deadlines

Reference table for incident notification deadlines under major regulatory frameworks. The notification clock starts at the moment an incident is declared, not at investigation completion.

**Operational rule:** If the scope of a breach is unclear at declaration time, assume the most restrictive applicable deadline and confirm scope within the first response window. Document the assumption and its resolution in the incident record.

---

## Deadline Summary Table

| Framework | Jurisdiction | Incident Type | Notification Deadline | Recipient | Penalty for Non-Compliance |
|-----------|-------------|--------------|----------------------|-----------|---------------------------|
| GDPR (EU 2016/679) | EU/EEA | Personal data breach | 72 hours after discovery | Supervisory Authority (DPA) | Up to 4% of global annual turnover or €20M |
| GDPR (EU 2016/679) | EU/EEA | Personal data breach affecting individual rights/freedoms | Without undue delay | Affected data subjects | Up to 4% of global annual turnover |
| PCI-DSS v4.0 | Global (card brands) | Cardholder data breach | 24 hours after confirmation | Acquiring bank and card brands | Fines per card brand schedule; potential card processing suspension |
| HIPAA (45 CFR §164.408) | United States | PHI breach (>500 individuals) | 60 calendar days after discovery | HHS Office for Civil Rights | $100–$50,000 per violation; up to $1.9M per violation category per year |
| HIPAA (45 CFR §164.406) | United States | PHI breach (>500 individuals in a state) | 60 days after discovery | Prominent media outlets in affected state | Same as above |
| HIPAA Small Breach | United States | PHI breach (<500 individuals) | Within 60 days of end of calendar year in which breach occurred | HHS (annual report) | Same as above |
| NY DFS 23 NYCRR 500.17 | New York State | Cybersecurity event affecting NY-regulated entity | 72 hours | NY DFS Superintendent | Regulatory sanctions, fines, license revocation |
| SEC Cybersecurity Rule (17 CFR §229.106) | United States (public companies) | Material cybersecurity incident | 4 business days after materiality determination | SEC Form 8-K filing (public disclosure) | SEC enforcement action; restatement risk |
| CCPA / CPRA | California, United States | Breach of sensitive personal information | Without unreasonable delay | CA Attorney General (if >500 CA residents affected) | Civil penalties up to $7,500 per intentional violation |
| NIS2 (EU 2022/2555) | EU/EEA (essential/important entities) | Significant incident | 24-hour early warning; 72-hour full notification | National CSIRT or competent authority | Up to €10M or 2% of global turnover |
| DORA (EU 2022/2554) | EU/EEA (financial sector) | Major ICT-related incident | Initial notification: 4 hours; intermediate: 72 hours; final: 1 month | Financial supervisory authority | National authority sanctions |
| SOX (for material incidents) | United States (public companies) | Financial system compromise creating material weakness | Immediate disclosure required | SEC, audit committee, auditors | Enforcement action; officer certification liability |
| Australia Privacy Act | Australia | Eligible data breach (serious harm likely) | 30 days after awareness | OAIC (Office of the Australian Information Commissioner) | Up to AUD 50M per serious contravention |
| PIPL (China) | China | Personal information breach | Immediately; notify individuals without delay | National Internet Information Office (CAC) | Up to ¥50M or 5% of prior year revenue |

---

## GDPR — Detailed Requirements

### Article 33 — Notification to Supervisory Authority

**When:** Any personal data breach where there is a risk to the rights and freedoms of individuals.

**Exception:** No notification required if the breach is unlikely to result in risk (e.g., the data was encrypted with a key that was not compromised, and the key cannot be recovered).

**What to include:**

1. Nature of the breach, including categories a
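The operational rule above (start every clock at declaration, plan against the most restrictive candidate deadline while scope is unclear, and log that assumption) is easy to get wrong by hand when one framework counts hours, another calendar days and another business days. The following is an added example, not code from the skill repository: it encodes a few rows of the table as `(unit, amount)` pairs (assumed framework labels) and computes absolute deadlines from a single declaration timestamp. Note that it applies the page's declaration-time rule uniformly, whereas the table's trigger events differ per framework (for example the SEC clock runs from the materiality determination), so treat its output as the conservative planning clock the rule asks for.

```python
from datetime import datetime, timedelta

# Deadlines taken from the page's summary table, keyed by an assumed label.
# Values are (unit, amount) counted from the declaration timestamp; the SEC
# rule counts business days, so weekends are skipped for that entry only.
# Added example code, not part of the skill repository.
DEADLINES = {
    "GDPR supervisory authority": ("hours", 72),
    "PCI-DSS acquirer and card brands": ("hours", 24),
    "HIPAA HHS (>500 individuals)": ("days", 60),
    "NIS2 early warning": ("hours", 24),
    "DORA initial notification": ("hours", 4),
    "SEC Form 8-K": ("business_days", 4),
}

def _add_business_days(start, n):
    """Advance n weekdays (Mon-Fri); Saturday and Sunday are not counted."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            n -= 1
    return current

def deadline_for(framework, declared_at_iso):
    """Absolute deadline (ISO 8601) for one framework, counted from declaration."""
    start = datetime.fromisoformat(declared_at_iso)
    unit, amount = DEADLINES[framework]
    if unit == "hours":
        end = start + timedelta(hours=amount)
    elif unit == "days":
        end = start + timedelta(days=amount)
    else:
        end = _add_business_days(start, amount)
    return end.isoformat()

def notification_plan(declared_at_iso, candidate_frameworks):
    """(framework, deadline) pairs for every framework that might apply,
    earliest first. Per the operational rule, the first entry is the clock
    to work against while scope is still unclear."""
    plan = [(f, deadline_for(f, declared_at_iso)) for f in candidate_frameworks]
    plan.sort(key=lambda item: datetime.fromisoformat(item[1]))
    return plan

def assumed_clock(declared_at_iso, candidate_frameworks):
    """Most restrictive deadline plus the assumption note to log with it."""
    framework, deadline = notification_plan(declared_at_iso, candidate_frameworks)[0]
    note = f"Scope unclear at declaration; planning against {framework} deadline {deadline}"
    return framework, deadline, note
```

Once scope is confirmed, rerun `notification_plan` with only the frameworks that actually apply and record the resolution next to the original assumption note.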