8 Ways to Make Breach Notification Letters Effective
Read this post for the eight recommendations to help you write a clear, sensitive, concise, and informative breach notification letter.
After a data breach occurs, the data breach notification letter is often the first contact your organization will have with the victims of the incident. These are customers, employees, and other affected individuals who very well may be angry, frustrated, confused, and rightly worried about how the breach will affect their lives.
Breach notification letters are thus a critical first step to restore trust in your organization—and yet typically, their execution often leaves much to be desired. Here are eight recommendations to help you write a clear, sensitive, concise, and informative breach notification letter.
Incident Response Testing: Ensure compliance, lower risk
1. Don’t Delay
As we’ve discussed before, timing matters. If your breach notification letter goes out long after the breach occurred, the delay is going to upset the affected individuals regardless of what the letter says. If it goes out before you know the details of what happened and before you have a detailed plan in place, individuals may be frustrated and confused by your response.
In short, make sure that the letter is not rushed, but goes out as soon as possible and within the timeline established by state and federal laws.
2. Establish a Leader
Breach notification letters may be reviewed by as many as 20 people, including attorneys, compliance officers, high-level executives, PR staff, and communications teams.
Establish a single leader to guide the letter through discussions and the many inevitable revisions. That person should be able to educate those involved on the proper tone for the letter, the timeline, why certain details need to be included, and other elements of the process. The leader should also ensure that the original intent, clarity, and warmth of the letter does not get lost during the revision process.
3. Be Thorough and Transparent
The breach notification letter should be filled with the details that affected individuals want to know. Give them specific dates. Provide helpful background information (if it was a ransomware attack, for instance, briefly explain what that is). Detail the extent of the breach, who was affected, and how it happened.
It is especially critical that you lay out all the steps the organization has taken and will be taking to remedy the situation. Will you be offering new training, changing policies, or updating IT procedures? Do not simply say you are sorry, which may trigger affected individuals. Instead, offer specific resources and detail the remedies available to them.
The information contained in the letter will no doubt be sensitive, and likely embarrassing to the organization. But it is always worse to hide information, especially because you can be certain that the details will come out at some point. If customers or others learn that you withheld information, your reputation will suffer tremendously.
4. Follow the Law
The breach notification letter must follow state and federal regulations—but that doesn’t mean it’s easy. That’s why many organizations end up hiring outside attorneys or consultants that specialize in breach response. In fact, according to the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute, 40 percent of healthcare organizations hire third parties to help with incident response, and 27 percent specifically hire a breach resolution provider.
Among other forms of assistance, experienced professionals can guide you through the various laws and regulations related to the timing and content of breach notification, which can vary greatly from one state to another. For instance, California requires that the title and headings in the notice be “clearly and conspicuously displayed.” In California and Wyoming, you need to state whether the notification was delayed due to a law enforcement investigation. And in Illinois, organizations must direct affected individuals to promptly change their online credentials.
5. Be Concise
You need to include details, but this is no time to wax poetic. Breach notification letters should be about two pages long, and no more than four pages. Use an insert to provide additional details, such as recommended steps that affected individuals should take to protect and restore their identities.
6. Consider Sending Different Letters to Different Groups
If your breach affected a variety of diverse parties—such as minors, cancer patients, deceased individuals, third-party vendors, or employees—you may want to send different letters to some or all of the different groups.
The bulk of the notification letters should not change—the story is the same and the details must be consistent. But, for instance, when writing to the families of deceased individuals, you may want to include a sensitive introduction apologizing for having to send a letter to grieving family members.
7. Be Sensitive
You can send your letter out in a timely manner and include all the right details. But if your letter lacks a personable tone and seems insensitive to the plight of the victims, you may still find that it is not well received.
When composing the letter, write as if you were the victim. What would you want to hear? Yes, legal ramifications must be considered, but you can still show that you really do care about what happened and are taking every measure possible to win back the trust that has been lost.
Also be sure not to inflame the situation. Use clear and calm language and avoid language about what the affected individual “must do” or what actions are needed “immediately.” You can convey the importance of the situation without fanning the flames of the crisis.
8. Back Up the Letter with a Full Response
Remember that your breach notification letter is just one piece—albeit a critical one—of your overall breach response. Before sending the letter, make sure you have all the other elements lined up, including a web page and call center.
Does the website offer pertinent details and resources? Are call center personnel well-trained, and are there enough of them to prevent long hold times? Those details matter a great deal to affected individuals who rightly expect the organization to provide an organized, efficient, and thorough breach response.
Again, it all starts with your breach notification letter. Following the recommendations listed here will help ensure that your post-breach communications get off on the right foot, so you can start winning back the trust and the revenue that the breach may have cost you.
Incident Response Testing: Ensure compliance, lower risk
About IDX
We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.