Nobody wants to write a data breach letter
Clearly, nobody wants their company to be involved in a data breach. However, if you do end up in this situation, responding properly can reduce your liability and help salvage your reputation. Therefore, make sure you plan for how you will handle data breaches. One of the most important components of that plan will be how you notify your customers and others affected. Let’s talk about how to write a data breach letter.
When should I report a breach to the authorities?
Under the GDPR, you must report, within 72 hours, any data breach that is likely to result in a risk to the rights and freedoms of individuals. As soon as you realize you’ve had a data breach, perform a risk assessment. Try to determine:
- How many people were affected
- What types of personal data were affected
- What the risks to people’s privacy are
- How you will respond
Gathering this information will help you properly notify your local data protection authority. Note that the 72-hour timeframe starts from the moment you become aware of the breach; you do not get extra time to complete your investigation. Putting off reporting a breach can result in further fines and penalties.
What should I say when I notify the authorities?
When you notify the supervisory authority that you have had a data breach, always include:
- Who was affected (customers, employees, etc.), and how many people were affected.
- What types of personal records were breached and approximately how many.
- The contact information for your DPO or another contact person.
- An assessment of any likely consequences of the breach for people affected.
- What you’ve done or propose to do to mitigate potential harm from the breach.
Now, let’s talk about when you should notify people affected and how to do it properly.
When should I notify people affected?
GDPR article 34 states that when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, you should notify the data subjects it may affect, without undue delay.
It does mention a few exceptions where you may not need to notify individuals of the breach. For example:
- If the personal data involved in the breach was protected with encryption or other measures that make it unintelligible to unauthorised persons.
- If, after the breach, you took subsequent measures to ensure that it is no longer likely to cause a high risk to the rights and freedoms of data subjects.
- When notifying people individually would involve disproportionate effort. In that case, you can publish a public communication or similar measure to inform data subjects effectively.
If you think one of these exceptions applies to you, you can wait to see if the supervisory authority requires you to inform people of the breach. On the other hand, if your own risk assessment shows that the data breach is likely to put people at risk, it is best to let them know right away. Again, this will reduce your liability in the long run. Further, it will help protect the people whose data was breached.
What to say in a data breach letter to customers?
Your data breach notification letter to customers should give them a clear, easy-to-understand description of what happened and what you are doing about it. It should also tell them what they can do to protect themselves. Before drafting your letter, prepare answers to the following questions:
- When was the breach and what exactly happened?
- Will there likely be consequences or harm for the person?
- What have I already done and plan to do to protect them?
- What will I do to prevent this from happening again?
- Are there things the person can do to protect themselves?
- Who should they contact for more information?
- How can they lodge a complaint?
Once you have prepared the answers to these questions, you are ready to draft your letter. Remember to be transparent. Take accountability for the breach. Finally, make it clear that your company takes people’s privacy seriously and that you will continue to do all you can to protect it.
Data breach letter template
Try adapting this data breach letter template to report a privacy breach incident to affected people:
Subject: Data privacy breach incident
Dear [first name],
We are writing to let you know about a recent privacy incident that affects your personal data. On/starting [date], [use clear simple language to describe exactly what happened and why you consider it a privacy breach.]
Our investigation shows that some information about you was involved, including your:
- [List the personal information affected.]
- [For example, the person’s name, residential address, birth date, phone number, credit card number, PINs, etc. This will help the person evaluate for themselves how harmful the breach may be and take their own steps to protect themselves.]
This incident did NOT affect your:
- [If other, more confidential information was kept safe from being involved in the breach, list those categories here to reassure the person. For example, billing information, health records, etc.]
Please carefully consider whether a privacy breach of the information we mentioned above might harm you. If so, here are a few things you can do to protect yourself.
[Include some/all of the following sections, depending on what data was leaked.]
Reduce marketing calls and spam
- Register your number/email with [local agency, explain how they can help].
- Contact your service provider and request to change your number.
Prevent identity theft
- Watch out for emails and telephone calls asking for your personal info.
- Change your account passwords.
- Contact [local organisation] for additional guidance on the steps you can take to protect yourself from identity fraud.
Protect your financial accounts
- Alert your banks and credit card providers so they can monitor and secure your accounts.
- Closely monitor your statements for unauthorised transactions.
- Report any suspicious transactions immediately to your financial institution.
- Change your online banking passwords, PINs, etc.
- Enable multi-factor authentication wherever possible.
- Contact [local credit reporting agencies] to check whether anyone is using your identity to obtain credit or to request a credit ban.
If you have any questions or concerns, please contact:
[Your DPO or another contact person within your company.]
If you are not satisfied with how we have handled this incident or you have experienced some harm as a result of it, you can make a privacy complaint at [email].
Please explain how you have been affected and what we can do to resolve your complaint. If we cannot resolve the issue, you can also make a complaint to [local data supervisory authority]:
[Local data supervisory authority contact]
Your privacy is our priority, and we will continue to monitor the situation and use every means available to protect your personal data. Please do not hesitate to contact us with any questions.
Detect, contain, and report breaches on time
Unfortunately, most companies are not prepared to detect and respond to data breaches. With more and more records in company storage, it is getting harder and harder to keep track of them and be sure they are really safe. In fact, IBM’s annual Cost of Data Breach Study found that the average time to discover a breach has increased by nine days since 2018.
Naturally, we’d like to see that number go down. However, if you do not have visibility into your files, you will not be able to spot problems in time. Performing regular data inventories can help, but combing through your files manually is not a realistic solution. Instead, use an automated data inventory tool to perform this task quickly, regularly, and with high accuracy.
DataMapper can help you:
- See what personal data you have and where you store it.
- Find out who on your team has access to personal data you store.
- Spot data you’ve kept too long that may create unnecessary liability.
- Show customers and data authorities that you are doing your part to prevent, detect, and report breaches on time.
Learn more about DataMapper.