How to Notify Data Breach Victims

It is not a question of if your company will experience a data breach but rather a matter of when, according to a Forrester report. Just as troubling is that data breaches erode customers’ confidence in the companies that suffer them, which can result in lost business. A study sponsored by Experian found that 45% of data breach victims have less confidence in the company after the breach.

To help lessen some of the negative feelings that victims have after a data breach, you should write a notification letter that openly addresses what they need to know and does so in a thoughtful manner.

Before you start writing the notification letter, though, contact your legal counsel and your IT team or service provider to find out whether the letter must meet any country, region, or industry-specific regulations. Some regulations require that you include specific content, and many impose a deadline that starts running the moment you become aware of the breach, so record when and how the breach was discovered. Your IT team also has to confirm exactly which data was exposed before you describe it to anyone; a letter that later turns out to have understated the scope does more damage than a slightly later letter.

At this point, you can write the notification letter, incorporating any required content. When writing the letter, you should:

  • Provide details about the type of personal data that was exposed, how it was exposed, and when the incident occurred and was discovered, unless prohibited by law.
  • Describe what you have done to stop further unauthorized access to the individual’s personal data.
  • Explain the steps you are taking so that this type of incident does not happen again.
  • Present the options or next steps the person can take, such as signing up for a complimentary identity protection product.
  • Include a toll-free phone number that the person can call for more information. If you have set up a website to help victims, include its URL, and make sure the same number and URL are published on your official website so that recipients can confirm the letter is genuine; breach notices are a favorite lure for phishing.
  • Outline the steps the individual can take to prevent and detect fraud, such as monitoring account statements, placing a fraud alert or credit freeze with the credit bureaus, and changing any passwords that may have been exposed.

When writing the notification letter, also keep in mind the following:

  • Take responsibility for the data breach and apologize at the beginning of the letter and again at the end.
  • Empathize with the victims.
  • Use language that the average person can understand. Avoid using industry jargon or legalese.
  • If notifying by email, do not rely on a link that the victims are expected to click for more information. Security experts warn against clicking links in unexpected email, especially after a breach, and a genuine notice with a clickable link is indistinguishable from a phishing attempt that imitates one. Instead, tell recipients to type your company’s address into their browser or to call the published phone number.