How to Send Breach Notifications

Theresa Farrell | March 8, 2023

It has happened. Despite the annual security training. Despite the investment in cyber security. Cybercriminals breached your systems and stole your customers’ information. What do you do now?

You’ll have to secure your network and determine which data may have been breached. But after you’ve shored up your systems, there’s still more work to do. In order to keep your customers’ trust, you should let them know what has happened and anything that you are doing to mitigate the situation. In addition, you are most likely required by law to notify affected users through what are called breach notifications (Check out our previous blog for Breach Notification Basics).

How do you do it?

Breach Notification

Provide written notice to anyone who was affected by the breach in a timely manner. This can include sending physical mail and/or email.

You can also use substitute notice in addition to, or sometimes instead of, individual notice if a large number of individuals were affected or if your contact information may be out of date. Substitute notice is not sent directly to the affected person but must be highly visible; it may include posting the information on your website and distributing it through media outlets.

What to include:

  1. Description of what happened. Include dates, what type of attack occurred, and how it happened. Being transparent is the best course of action and will help those affected to better understand the situation.
  2. Description of information leaked. Include information on who was affected and what was leaked. Be specific so people know what information is no longer safe.
  3. Steps for individuals to protect themselves. Let them know if they should change their passwords, cancel a credit card, monitor their credit reports, and any other helpful information. The FTC provides some helpful tips on how to recover from identity theft.
  4. What you are doing to investigate, mitigate, and protect. Are you providing credit monitoring? Have you changed your policies or added new training to prevent future breaches? Have you updated your IT procedures? Has the breach been reported to the authorities? If a breach has occurred, you should be taking steps to prevent another incident. So, show that you are proactive and working hard to keep your customers safe in the future.
  5. Anything else legally required. There are federal, state, and international laws about breach notifications. Make sure you include all that is necessary by law.
  6. Contact information to answer follow-up questions. This can be confusing and frightening to those whose information has been stolen. Make sure you have a person or team in place to respond to questions and guide affected individuals through the process. You may want to create a new page on your website or even set up a call center if the breach is large.

Best Practices

When sending breach notifications, think about the affected users first and then your company and any relevant laws. Following are some tips on how to smoothly handle the process and provide the best response to help your affected customers.

  • Despite what seems to be a large amount of information required, keep your notice concise.
  • Write with a tone that shows you really do care and are taking measures to win back any lost trust.
  • Send the information to those affected as soon as you can, but not before you have the details and a plan. Sending too late will make users feel less safe. Sending too early will leave users frustrated and confused since even you don’t fully know the situation.
  • You should have all your collected data cataloged and know where it is stored so that if there is a breach, you know what data has been affected.
  • Make sure the appropriate parties are included in the process – executives, attorneys, IT, and the PR or communications team.
  • Know which states you operate in and what their laws are so that you can comply if there is a breach. Follow any state, federal, or international laws. If you do not have an internal legal team or this is outside their scope, you may need to hire outside attorneys or consultants.


A proper breach notification can be the first step in restoring users’ trust. Being transparent about the situation is the right thing to do. There are consequences to doing things differently, as you can read in a great blog about the LastPass breach – My Breakup Letter to LastPass – It’s All About Trust.

Be honest. Be quick to respond. Breaches happen despite our best efforts to prevent them, but you need to take responsibility. Give users notice as soon as you have enough details, so that they can protect their information. Be transparent about what was stolen, how it happened, and what you are doing to prevent future breaches.

Breach notifications may be required by law, but they are a great way to protect your customers and show them you are actively working to mitigate the situation and prevent further incidents.


Theresa Farrell

Theresa joined IP Services over a decade ago after graduating with a bachelor’s degree in Finance. She previously worked on both the Fraud Prevention and Privacy & Compliance teams. For most of her tenure, she has worked in Program Management as a Program Support Specialist which includes event planning, metrics reporting, program development and communication management.