IR communication plan covers: internal (executive, IT, legal), regulatory notification (GDPR 72hrs, HIPAA 60 days), customer notification, media response, and law enforcement (if criminal).
IR communication is often the most legally complex aspect. Legal counsel should approve all external communications. Avoid speculating about breach scope in early communications — update as investigation progresses. Document all communication with timestamps.