This presentation presents breach management having two requirements, controlled and uncontrolled. Today, the CSIRP is a mythological beast. Theses two requirements of breach management are the reasons for the myth. The missing first step was found as evidenced by participating in audits and jobs. Why planning for the breach is necessary. Key people, identified by name in contract or law, are to be the principle agents of notification. Identifying responsible parties for both of the two requirements is one problem. Find out the other problems.