The First Hour Matters
When a laptop or phone goes missing, speed matters:
- **Remote wipe** only works while the device is powered on and connected
- **Password changes** prevent access through synced credentials
- **Documentation** needs to be fresh while details are remembered
This guide provides a clear, step-by-step response plan you can follow immediately.
Immediate Response Checklist (First 60 Minutes)
Step 1: Confirm the Loss (5 Minutes)
Before initiating incident response:
- [ ] Has the user checked the obvious places? (Car, meeting room, home)
- [ ] When was it last seen?
- [ ] Is it definitely lost/stolen vs misplaced?
If still uncertain after 15-30 minutes of searching, **proceed with incident response**. It is better to over-react than under-react.
Step 2: Initiate Remote Actions (10 Minutes)
**Remote lock/locate:**
- [ ] Try to locate device (Intune, Find My, Find My Device)
- [ ] If location found: Assess if recoverable vs stolen
- [ ] Remote lock immediately (even if you think you'll find it)
**Remote wipe (if theft suspected or sensitive data present):**
- [ ] Initiate remote wipe command
- [ ] Note that wipe will execute when device comes online
| Platform | How to Wipe |
|----------|-------------|
| Windows (Intune) | endpoint.microsoft.com → Devices → [Device] → Wipe |
| Windows (Azure AD) | portal.azure.com → Devices → [Device] → Delete (disables) |
| Mac (Find My) | icloud.com/find → Select device → Erase |
| Mac (Jamf/MDM) | MDM console → Device → Wipe |
| iPhone (Find My) | icloud.com/find → Select device → Erase |
| Android (Google) | google.com/android/find → Select device → Erase |
Step 3: Revoke Access (15 Minutes)
**Change passwords for accounts accessed from the device:**
- [ ] Microsoft 365 / Google Workspace account password
- [ ] VPN access (if applicable)
- [ ] Any systems with saved credentials
- [ ] CRM, accounting software, other business applications
- [ ] Personal accounts if used on device (banking apps, social media)
**Revoke sessions:**
- [ ] Microsoft 365: Force sign-out from all devices (admin centre)
- [ ] Google Workspace: Sign out all sessions (admin console)
- [ ] Other critical apps: End active sessions where possible
Step 4: Document the Incident (15 Minutes)
While details are fresh, record:
| Information | Details |
|-------------|--------|
| Device make/model | |
| Serial number | |
| Asset tag (if used) | |
| Date and time last seen | |
| Location last seen | |
| Circumstances of loss | |
| Data on device | |
| Encryption status | |
| Who reported it | |
| Actions taken and times | |
Step 5: Notify Relevant People (15 Minutes)
- [ ] IT support/administrator
- [ ] Manager of affected employee
- [ ] Senior management (if significant data risk)
- [ ] Data protection lead (if you have one)
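
For Microsoft 365 / Intune environments, the lock, session-revocation and record-keeping parts of Steps 2 to 4 can be scripted so they run in one pass and leave a timestamped record. This is an added example, not part of the original checklist; it assumes the Microsoft.Graph PowerShell SDK is installed, the devices are Intune-managed, and the log file name is a placeholder.

```powershell
# Added example (not from the original guide). Requires the Microsoft.Graph PowerShell SDK.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # affected employee's sign-in name
    [string] $LogPath = '.\lost-device-actions.csv'        # hypothetical log file name
)

$log = [System.Collections.Generic.List[object]]::new()
function Add-Action([string]$Action, [string]$Target, [string]$Result) {
    # UTC timestamps feed the "Actions taken and times" row of the incident record
    $log.Add([pscustomobject]@{
        TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
        Action  = $Action; Target = $Target; Result = $Result
    })
}

Connect-MgGraph -Scopes 'User.ReadWrite.All',
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All'

$user       = Get-MgUser -UserId $UserPrincipalName -ErrorAction Stop
$upnEscaped = $UserPrincipalName.Replace("'", "''")   # OData escaping for names like O'Brien
$devices    = @(Get-MgDeviceManagementManagedDevice -All -Filter "userPrincipalName eq '$upnEscaped'")

# Step 2: request a remote lock on every managed device registered to the user.
# Intune rejects the request on platforms where remote lock is unsupported; that is logged, not fatal.
foreach ($d in $devices) {
    $target = "$($d.DeviceName) [serial $($d.SerialNumber)]"
    $uri    = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.Id)/remoteLock"
    try {
        Invoke-MgGraphRequest -Method POST -Uri $uri | Out-Null
        Add-Action 'RemoteLock' $target 'Requested (runs when device is next online)'
    } catch {
        Add-Action 'RemoteLock' $target "Failed: $($_.Exception.Message)"
    }
}
if ($devices.Count -eq 0) { Add-Action 'RemoteLock' $UserPrincipalName 'No managed devices found' }

# Step 3: revoke the user's sign-in sessions so cached logins on the device must re-authenticate
try {
    Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
    Add-Action 'RevokeSessions' $UserPrincipalName 'Succeeded'
} catch {
    Add-Action 'RevokeSessions' $UserPrincipalName "Failed: $($_.Exception.Message)"
}

# Step 4: append to the incident log and show the operator what happened
$log | Export-Csv -Path $LogPath -NoTypeInformation -Append
$log | Format-Table -AutoSize
```

Revoking sessions invalidates refresh tokens, but access tokens already issued stay valid until they expire, so the password change in Step 3 is still required. The wipe decision is left to the console steps in the table above.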
After the First Hour
Police Report (If Theft)
If the device was stolen:
1. Report to police (101 or online)
2. Obtain crime reference number
3. This may be required for:
- Insurance claims
- ICO breach reporting
- Internal records
Insurance Notification
If you have:
- Equipment insurance
- Cyber insurance
- Business insurance with device coverage
Notify them promptly. Some policies have time limits for reporting.
Data Breach Assessment
Under UK GDPR, you have **72 hours** to report certain breaches to the ICO.
**Assess the risk:**
| Factor | Lower Risk | Higher Risk |
|--------|-----------|------------|
| Encryption | Device encrypted with strong password | Unencrypted or weak password |
| Data type | Business files only | Customer personal data, financial data |
| Data volume | Minimal | Significant database/records |
| Remote wipe | Successfully wiped | Wipe failed or unknown |
| Access evidence | No evidence of access | Signs of unauthorized access |
**If lower risk (encrypted, no evidence of access)**:
- Document your assessment
- Record why you believe data is protected
- ICO notification may not be required (but document decision)
**If higher risk (unencrypted or sensitive data)**:
- Likely requires ICO notification within 72 hours
- May require notification to affected individuals
- Seek legal/professional advice if uncertain
ICO Breach Notification
If reporting is required:
1. Go to [ico.org.uk/for-organisations/report-a-breach](https://ico.org.uk/for-organisations/report-a-breach/)
2. Use the online form
3. You can update the report as you learn more
4. 72 hours is from when you became aware, not when the device went missing
Role Assignments
Assign clear responsibilities **before** an incident occurs:
| Role | Responsibilities | Who |
|------|------------------|-----|
| **Incident Lead** | Coordinates response, makes decisions | [Name] |
| **Technical Lead** | Remote wipe, password changes, access revocation | [Name] |
| **Documentation** | Records timeline, actions, evidence | [Name] |
| **Communications** | Internal updates, external notifications if needed | [Name] |
| **Backup Lead** | If primary contacts unavailable | [Name] |
For small businesses, one person may fill multiple roles—that's fine. Just ensure someone is assigned.
Timeline Summary
| Time | Action |
|------|--------|
| **0-5 min** | Confirm loss, gather basic info |
| **5-15 min** | Remote locate/lock/wipe |
| **15-30 min** | Change passwords, revoke sessions |
| **30-60 min** | Document incident, notify stakeholders |
| **1-4 hours** | Police report (if theft) |
| **24 hours** | Complete breach assessment |
| **72 hours** | ICO notification (if required) |
| **Ongoing** | Monitor for suspicious activity, insurance claims |
Prevention Checklist
Minimise impact of future incidents:
**Technical Controls:**
- [ ] Full-disk encryption on all laptops
- [ ] Strong device passwords required
- [ ] Auto-lock after short timeout
- [ ] Remote wipe capability enabled
- [ ] Regular backups (data not lost with device)
- [ ] Cloud storage preferred over local storage (less on device = less risk)
**Physical Controls:**
- [ ] Staff trained on device security
- [ ] Clear policy on transporting devices
- [ ] Cable locks for high-risk environments
- [ ] Asset tracking/inventory maintained
**Administrative Controls:**
- [ ] This incident plan documented and accessible
- [ ] Roles assigned before incident
- [ ] Annual review/drill of procedure
- [ ] Insurance coverage reviewed
One-Page Quick Reference
Print and keep accessible:
---
LOST/STOLEN DEVICE RESPONSE
**STEP 1: Confirm loss** (5 min)
- Last seen when/where?
- Definitely lost (not misplaced)?
**STEP 2: Remote actions** (10 min)
- [ ] Locate device: ____________
- [ ] Lock device: ____________
- [ ] Wipe device: ____________
**STEP 3: Revoke access** (15 min)
- [ ] Email password changed
- [ ] VPN disabled
- [ ] Sessions revoked
- [ ] Other passwords: ____________
**STEP 4: Document** (15 min)
- Device: ____________
- Serial: ____________
- Last seen: ____________
- Data on device: ____________
- Encrypted: Y / N
- Actions taken: ____________
**STEP 5: Notify** (15 min)
- [ ] IT Lead: [Name/Phone]
- [ ] Management: [Name/Phone]
- [ ] Police (if theft): 101
- [ ] Insurance: [Number]
**WITHIN 24 HOURS:**
- [ ] Breach assessment complete
- [ ] ICO notification decision made
- [ ] Crime reference number (if police report)
**ICO Breach Report:** ico.org.uk/for-organisations/report-a-breach
---
Authority Resources
- **ICO Breach Reporting**: [ico.org.uk/for-organisations/report-a-breach](https://ico.org.uk/for-organisations/report-a-breach/) - Online reporting form and guidance
- **ICO Self-Assessment Tool**: [ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/) - Help decide if reporting needed
- **NCSC Incident Management**: [ncsc.gov.uk/collection/incident-management](https://www.ncsc.gov.uk/collection/incident-management) - Broader incident response guidance
- **Action Fraud**: [actionfraud.police.uk](https://www.actionfraud.police.uk/) - Report cybercrime and fraud
Testing Your Plan
An untested plan may fail when needed. Test annually:
1. **Tabletop exercise**: Walk through the scenario verbally
2. **Technical test**: Can you actually remote wipe a test device?
3. **Contact test**: Are emergency contacts current?
4. **Documentation review**: Is the procedure still accurate?
After the Incident
**Within One Week:**
- Complete incident report
- Review what worked, what didn't
- Update procedure if needed
- Replace device/equipment
**Lessons Learned:**
- Could this have been prevented?
- Was response fast enough?
- Were the right people notified?
- Any gaps in our preparation?
Document answers and improve for next time.