Lost laptop or phone: what do you do in the first two hours?
Lost a laptop or phone? What you do in the first two hours determines whether it stays an annoying inconvenience or turns into a reportable data breach. A practical checklist for SMBs without an IT department.
Your laptop is gone. Or your phone. Maybe someone nicked it from the car, maybe it's still sitting on that train to Utrecht. What you do in the next two hours determines whether this stays an annoying incident or becomes a data breach with a mandatory reporting obligation.
Most small businesses have no procedure for this. That's a shame, because it happens more often than you'd think — and you really don't need an IT department to handle it properly. In this post we walk through a practical checklist you can print out today and keep in a drawer.
Why the first two hours matter
A stolen device is, in itself, mainly an insurance matter. It only becomes a real problem if someone uses it to gain access to your email, your accounts, your client database, or your cloud storage. The faster you disconnect accounts and revoke active sessions, the less chance anyone has of doing anything useful with the device.
Realistically, most thieves are after the hardware, not your spreadsheets. But you don't know that for certain — and GDPR requires you to demonstrate that you've taken appropriate measures. "We're hoping it'll be fine" is not a measure.
The checklist: what to do and in what order
Step 1 — Report it internally straight away (within 15 minutes)
Agree in advance who lost or stolen devices are reported to. In most SMBs that's the office manager or the owner. One central point of contact prevents three people simultaneously trying to lock things down — or nobody doing anything because everyone assumes someone else is handling it.
Step 2 — Revoke all active sessions (within 30 minutes)
This is the most important step, and it's usually the one that gets skipped. Changing a password is not enough — existing logged-in sessions keep working regardless. In Microsoft 365 and Google Workspace you can force all active sessions for a user to sign out ("sign out everywhere"). Do this for:
- Microsoft 365 / Entra ID (or Google Workspace)
- The password manager
- The accounting software
- Any other cloud tools the employee was logged into
Step 3 — Reset the password and reconsider the 2FA device
Reset the main password for the Microsoft or Google account. Was the 2FA app also on the stolen device? Then you'll need to set up 2FA again on a different device, otherwise the employee will lock themselves out.
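Steps 2 and 3 for a Microsoft 365 / Entra ID user as an added worked example (PowerShell; not code from the original post): revoke sessions first, then flag the account for a password change, writing each action with a timestamp to an incident log. It assumes the Microsoft.Graph PowerShell SDK, an operator holding an admin role with the two Graph scopes named in the script, and placeholder values for the user and the log path.

```powershell
# Added example, not code from the original post: Steps 2 and 3 for a
# Microsoft 365 / Entra ID user, in the order the checklist gives, with the
# timestamps Step 5 asks for appended to an incident log.
# Assumptions: Microsoft.Graph PowerShell SDK installed, operator holds an
# admin role, and the scopes below are granted. UPN and log path are placeholders.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserPrincipalName,                    # e.g. sarah@example.com (placeholder)
    [string]$IncidentLog = '.\incident-timeline.csv'
)

$ErrorActionPreference = 'Stop'

function Write-Timeline([string]$Action) {
    # One row per action: the timeline you need if this becomes a reportable breach.
    [pscustomobject]@{
        Time     = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
        User     = $UserPrincipalName
        Action   = $Action
        Operator = $env:USERNAME
    } | Export-Csv -Path $IncidentLog -Append -NoTypeInformation
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User-PasswordProfile.ReadWrite.All' -NoWelcome
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName, UserPrincipalName

# Step 2: "sign out everywhere". Invalidates refresh tokens and session
# cookies on every device, which a password change alone does not do.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Timeline "Revoked all sign-in sessions for $($user.DisplayName)"

# Step 3: require a new password at next sign-in instead of choosing one here.
# If the authenticator app was on the lost device, re-enrol 2FA from another
# device before the employee tries to sign in again.
Update-MgUser -UserId $user.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }
Write-Timeline 'Flagged account for mandatory password change at next sign-in'

Write-Host "Done. Timeline appended to $IncidentLog"
```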
Step 4 — Remotely wipe the device (if possible)
On a laptop with BitLocker or FileVault, the data is encrypted as long as nobody knows the password. On a phone, you can wipe it remotely via "Find My iPhone" or "Find My Device." Do this only after you've revoked the sessions — otherwise you've wiped the device before you've closed off what was running on it.
Step 5 — Document what happened
Write it down: when did the device go missing, when was it reported, what actions did you take and at what time. This isn't paperwork for show. If it turns out that sensitive personal data was stored on the device and you need to file a report with the Data Protection Authority, you'll need this timeline.
Step 6 — Assess whether it constitutes a data breach
Was there unencrypted customer data on the device? Access to a mailbox containing personal data? If so, it may be a data breach that must be reported within 72 hours. If in doubt: call your GDPR contact or a legal adviser. Failing to report when you should have is more costly than reporting unnecessarily.
Step 7 — File a police report and notify your insurer
If it was theft: file a police report. Your insurer will require it, and it can help if the device turns up later. Keep the report reference number with your incident documentation.
Preparation: what to sort out now, not later
The checklist above only works if the underlying technology is set up correctly. A few things you need to have in place before an incident occurs:
- Disk encryption enabled on all laptops (BitLocker on Windows, FileVault on Mac). This is by no means always switched on by default.
- Screen lock with a PIN or biometrics on phones, activating automatically after 1–2 minutes of inactivity.
- 2FA via an app or hardware key, not via SMS. SMS is less secure and, on top of that, useless if the phone is gone.
- An up-to-date device inventory per employee. Who has which laptop and phone? Without that overview you don't even know what needs to be wiped.
- "Find My" enabled on all phones and laptops where supported.
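A readiness check for the first and fourth preparation items, as an added example (PowerShell; not code from the original post): run in an elevated PowerShell on each Windows laptop, it reports whether the system drive is BitLocker protected and appends one row to a device inventory CSV. It assumes Windows' built-in BitLocker module; the CSV path is a placeholder.

```powershell
# Added example, not code from the original post. Checks the BitLocker state
# of the system drive on a Windows laptop and appends one row to a device
# inventory CSV. Run in an elevated PowerShell; assumes the built-in
# BitLocker module. The CSV path is a placeholder.
function Test-LaptopReadiness {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    $check = [ordered]@{
        Computer       = $env:COMPUTERNAME
        User           = $env:USERNAME
        Drive          = $MountPoint
        VolumeStatus   = [string]$vol.VolumeStatus   # FullyEncrypted, FullyDecrypted, EncryptionInProgress ...
        ProtectionOn   = ($vol.ProtectionStatus -eq 'On')
        TpmProtector   = [bool]($protectors | Where-Object { $_ -like 'Tpm*' })
        HasRecoveryKey = [bool]($protectors | Where-Object { $_ -eq 'RecoveryPassword' })
        CheckedAt      = (Get-Date).ToString('yyyy-MM-dd HH:mm')
    }
    # "Ready" means: fully encrypted, protection actually on, and a recovery
    # password protector exists. Whether that recovery key is stored somewhere
    # safe off the laptop is not visible here, and the key itself is never printed.
    $check.Ready = $check.ProtectionOn -and $check.HasRecoveryKey -and ($check.VolumeStatus -eq 'FullyEncrypted')
    [pscustomobject]$check
}

$row = Test-LaptopReadiness
$row | Format-List
$row | Export-Csv -Path '.\device-inventory.csv' -Append -NoTypeInformation
if (-not $row.Ready) { Write-Warning "$($row.Computer): disk encryption is NOT ready. See the preparation list." }
```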
The role of the password manager
If an employee had their passwords saved in the browser and the laptop isn't encrypted, all those passwords are compromised. That's a lot of work to clean up. With a good password manager, everything sits behind one master password plus 2FA — and that master password isn't stored on the device itself. In an incident, that can save you days of work.
Do a practice run
Print out the checklist, stick it on the inside of a cupboard door, and run a dry drill once a year: "suppose Sarah's laptop is gone — who does what?" You'll quickly find there are a few gaps in your preparation. Better to discover that now than on a Friday afternoon at half past four.
Need help?
We regularly help SMBs set up a straightforward incident procedure, enable 2FA, and configure access management so you can act quickly when something like this happens. Take a look at our 2FA implementation service, or have an access check carried out to see where you stand right now.
Full guide: Security for SMBs without an IT department: what do you do this quarter?
This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.