How to write a data breach letter

Clearly, nobody wants their company to be involved in a data breach. However, if you do end up in this situation, responding properly can reduce your liability and help salvage your reputation. Therefore, make sure you plan for how you will handle data breaches. One of the most important components in that plan will be how you notify your customers and other affected. Let’s talk about how to write a data breach letter.

When should I report a breach to the authorities?

According to GDPR, you must report any data breach that is likely to result in a risk to the rights and freedoms of individuals within 72 hours. As soon as you realise you’ve had a data breach, perform a risk assessment. Try to determine:

• How many people were affected
• What types of personal data were affected
• What are the risks for people’s privacy
• How you will respond

Gathering this information will help you properly notify your local data protection authority. Note that the 72-hour timeframe starts from the moment you become aware of the breach, you do not get extra time to complete your investigation. Putting off reporting a breach can result in further fines and penalties.

Start your GDPR cleanup where it is needed the most

Sensitive data can tends to accumulate in the employees' e-mails. With a GDPR Risk Scan from DataMapper, you get a report that shows any potential GDPR risks in the company's e-mails.

What should I say when I notify the authorities?

When you notify the supervisory authority that you have had a data breach, always include:

• Who was affected (customers, employees, etc.), and how many people were affected.
• What types of personal records were breached and approximately how many.
• The contact information for your DPO or another contact person.
• An assessment of any likely consequences of the breach for people affected.
• What you’ve done or propose to do to mitigate potential harm from the breach.

Now, let’s talk about when you should notify people affected and how to do it properly.

When should I notify people affected?

GDPR article 34 states that when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, you should notify the data subjects it may affect, without undue delay.

It does mention a few exceptions where you may not need to notify individuals of the breach. For example:

1. If the personal data involved in the breach was protected with encryption or other measures that make it unintelligible to unauthorised persons.
2. If, after the breach, you took subsequent measures to ensure that it is no longer likely to cause a high risk to the rights and freedoms of data subjects.
3. When notifying people individually would involve disproportionate effort. In that case, you can publish a public communication or similar measure to inform data subjects effectively.

If you think one of these exceptions applies to you, you can wait to see if the supervisory authority requires you to inform people of the breach. On the other hand, if your own risk assessment shows that the data breach is likely to put people at risk, it is best to let them know right away. Again, this will reduce your liability in the long run. Further, it will help protect the people whose data was breached.

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple , which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

What to say in a data breach letter to customers?

Your data breach notification letter to customers should give them a clear, easy to understand description of what happened and what you are doing about it. It should also tell them what they can do to protect themselves. Before drafting your letter, prepare answers to the following questions:

• When was the breach and what exactly happened?
• Will there likely be consequences or harm for the person?
• What have I already done and plan to do to protect them?
• What will I do to prevent this from happening again?
• Are there things the person can do to protect themselves?
• Who should they contact for more information?
• How can they lodge a complaint?

Once you have prepared the answers to these questions, you are ready to draft your letter. Remember to be transparent. Take accountability for the breach. Finally, make it clear that your company takes people’s privacy seriously and that you will continue to do all you can to protect it.

Data breach letter template

Try adapting this data breach letter template to report a privacy breach incident to affected people:

Subject: Data privacy breach incident

Dear [first name] ,

We are writing to let you know about a recent privacy incident that affects your personal data. On/starting [date], [use clear simple language to describe exactly what happened and why you consider it a privacy breach.]

Our investigation shows that some information about you was involved, including your:

• [List the personal information affected.]
• [For example, the person’s name, residential address, birth date, phone number, credit card number, PINs, etc. This will help the person evaluate for themselves how harmful the breach may be and take their own steps to protect themselves.]

This incident did NOT affect your:

• [If other, more confidential information was kept safe from being involved in the breach, list those categories here to reassure the person. For example, billing information, health records, etc. ]

We take incidents like this very seriously, and we have already [d escribe the steps you have taken to minimise harm caused by the breach]. Additionally, we will be [list additional steps you intend to take to contain the breach and protect the person]. Moving forward, we will use [d escribe new policies, software, services or other measures you will use to reduce the likelihood of similar problems in the future].

Please carefully consider whether a privacy breach of the information we mentioned above might harm you. If so, here are a few things you can do to protect yourself.

[Include some/all of the following sections, depending on what data was leaked.]

Reduce marketing calls and spam

• Register your number/email with [local agency, explain how they can help].
• Contact your service provider and request to change your number.

Prevent identity theft

• Watch out for emails and telephone calls asking for your personal info.
• Change your account passwords.
• Contact [local organisation] for additional guidance on the steps you can take to protect yourself from identity fraud.

Protect your financial accounts

• Alert banks and credit cards so they can monitor and secure your accounts.
• Closely monitor your statements for unauthorised transactions
• Report any suspicious transactions immediately to your financial institution.
• Change your online banking passwords, PINs, etc.
• Enable multi-factor authentication wherever possible.
• Contact [local credit reporting agencies] to check whether anyone is using your identity to obtain credit or to request a credit ban.

If you have any questions or concerns, please contact :

[Your DPO or another contact person within your company.]

If you are not satisfied with how we have handled this incident or you have experienced some harm as a result of it, you can make a privacy complaint at [email] .

Please explain how you have been affected and what we can do to resolve your complaint . If we cannot resolve the issue , you can also make a complaint to [local data supervisory authority]:

[Local data supervisory authority contact]

Your privacy is our priority and we will continue to monitor the situation and use every recourse to protect your personal data. Please do not hesitate to contact us with any questions.