What Business Leaders Need to Know About Privacy Breach Notifications

By Rebecca Herold

Last updated: April 18, 2020

There will come the inevitable day when your organization will need to make a privacy breach notice. Will you be prepared and know what to do when this day comes?

How to Give Notice

As applicable to the laws, regulations, and contracts with which your organization must comply, you will need to notify impacted individuals in a number of ways. Possibilities include a combination of the following:

  • Written notice

  • Telephone notice

  • Conspicuous posting of the notice on your website

  • “Substitute notice” as defined by the at least 40 U.S. breach notice laws (including the District of Columbia) that are applicable to your organization

Providing notification using the first three of these methods (written notice, telephone notice, and website notice) is a good idea. You should not depend upon using just one type of notification; you would likely miss many people whose addresses or telephone numbers are no longer what you have on file or who may not use the internet.

Some Things to Know About Making Substitute Notice

Some organizations have chosen to give substitute notice instead of providing the required primary notifications without realizing it was not their choice to make! You need to know that making a substitute notification is typically not an either/or option. You must know the specific notification requirements within each of the breach notice laws for the states where the impacted individuals reside. For example, California (CA) SB 1386 and AB 1130 indicate that substitute notice can only be made if:

  • The cost of notice exceeds $250,000

  • The number of individuals to be notified exceeds 500,000

  • You do not have sufficient contact information for the individuals

The substitute notice options for CA SB 1386 and AB 1130 include doing all of the following:

  • Notice by electronic mail when you have an email address for affected individuals;

  • Conspicuous posting, for a minimum of 30 days, of the notice on the internet website page of the person or business, if the person or business maintains one; and

  • Notification to major state-wide

It is typically more efficient, and the most public-relations-friendly approach, to comply with the most stringent of all the applicable laws.

Notification Communications Content

Communications to individuals notifying them that your organization experienced an information security incident that may have compromised their personal information (PI) should be written in a way that the typical consumer can understand. Avoid using legal jargon. Write it simply, in straightforward and plain English or whatever language is applicable.

Do not use legal phrases, such as “alleged violations”, “freezing assets”, “deliberate concealment”, and so on, that are commonly used by lawyers but rarely by the typical consumer. Phrases such as these are inappropriate to use within notification communications. Using legal phrases just confuses most recipients and makes them think the organization is trying to put something over on them.

And don’t try to pin the blame for the breach elsewhere; this comes across as completely disingenuous. Numerous studies show that individuals who are victims of privacy breaches appreciate communications in which the organization takes responsibility for the breach and provides useful information to help the individuals deal with it.

Do NOT use a breach notification letter as a marketing opportunity! The impacted individuals will quickly see this as the opportunistic action that it is.

Be sure to include information that describes the details of the privacy breach. You should list the types of PI that were breached – but of course do NOT include actual Social Security numbers, credit card numbers, or other actual PI; you don’t want to have another breach occur through your breach notification letter!

Explain at a high level what happened but do not provide details about the breach that could jeopardize the investigation or potential prosecution. For example, you can indicate that an employee had a laptop containing PI stolen from his or her home but do not provide the employee’s name or home address.

Include a high-level description of the actions your organization is taking in response to the breach along with what you are doing to help the impacted individuals. It is also a very good idea when a comparatively large breach occurs to establish a call center with well-trained staff available to answer questions about the breach.

Be sure your public relations and legal counsel review all communications prior to sending them!

Here is a high-level outline of the information that you should include within your breach notification communication to individuals:

  • Name of the individual whose information was the subject of the security breach

  • Name of the organization where the breach occurred and associated contact information

  • A description of the breach

  • A description of the types of personal information that were involved in the breach

  • The specific dates of the breach of the individual’s PI and of the discovery of the breach

  • Whether the notification was delayed as a result of a law enforcement investigation

  • A description of what your organization is doing in response to the breach

  • Any other information that those whose PI was breached need to know

  • A description of what the individuals whose information was breached can do, such as providing toll-free numbers the individuals may want to contact

What to Do for Impacted Individuals

It should be obvious that organizations need to provide the impacted individuals with information about the steps they can take to protect themselves from becoming victims of identity theft as a result of the breach. It is becoming more and more common – and on the verge of being expected by the public – for organizations to provide certain types of services to impacted individuals. Although laws do not require these, most people expect them; thus, they are smart actions to take.

Some of the actions organizations are increasingly providing to impacted individuals include:

  • Credit Monitoring: When sensitive PI (such as Social Security numbers, credit card numbers, or other types of PI that can be used to commit identity theft) is compromised, organizations are increasingly providing one, and often even two, years of free credit monitoring services to the impacted individuals.

  • Credit Reports: Organizations should always inform the impacted individuals within the U.S. that U.S. law entitles them to one free annual credit report from each of the three national credit reporting agencies: Equifax, Experian, and TransUnion.

  • Fraud Alerts: Organizations should suggest within their communications that the impacted individuals place a fraud alert on their credit files. This will not cost the individuals anything, and they can catch criminal use of their credit cards almost as soon as it occurs, if the purchases are outside of what is normal or expected for the individuals. The downside is that the individuals may get their legitimate credit cards declined whenever the fraud alert is on, so you need to warn individuals about this possibility.

  • Contact Law Enforcement: Urge the impacted individuals to call their local police or sheriff, or even the FBI, if they discover suspicious activity on their credit reports. Additionally, suggest to the impacted individuals that they should also consider contacting their applicable Department of Motor Vehicles (DMV) fraud hotline to place a fraud alert on their driver’s license when they see suspicious activities.

The three credit bureaus have set up one central website for requesting these free reports at www.annualcreditreport.com.

Be Careful Using Email Notifications!

Email-only breach notification is a bad idea for many reasons:

  • It is highly likely in today’s spam-heavy environment that many, if not most, recipients will view such email notifications as spam and never read them, or their spam filters will delete them before they ever get to the inbox.

  • It is highly likely in today’s phish-abundant electronic waters that many, if not most, recipients will view such email notifications as phishing attempts without even reading them and will delete them.

  • It is highly likely that a large percentage of customers within a large group of impacted individuals will either no longer use the email address the company has on file for them or they may not check that email regularly, if at all.

  • Email is not a reliable form of communication. Just because you send an email, even to a valid email address, does not guarantee it will ever reach its recipient; businesses should not make the faulty assumption that an email will be delivered simply because it was sent.

  • If the email is sent to a “family” or shared type of email address, it is very possible the person who would recognize the importance of the information may never get the message before it is deleted by someone else who may have seen it first.

  • Only sending an email shows disregard for the customer and appears to just be a token action being done in a sorry attempt to appease regulators.

  • It is simply insufficient under many of the at least 54 US state and territory breach notice laws, and under many other breach notice regulations.

NIST SP 800-61, the NIST Computer Security Incident Response Handling Guide, contains a very nice diagram on page 10 that demonstrates some of the many different types of organizations and parties that may need to be notified when a security incident and privacy breach occurs.

Breach Notification Timeframe

Most state notification laws require notification to affected individuals within “the most expedient time possible and without unreasonable delay.” Some states, such as Ohio and Wisconsin, require notification within 45 days of discovering the breach. However, some states have a shorter notification timeframe. For example, Texas requires businesses that license data to notify “as quickly as possible.”

As a general rule of thumb, organizations should make notifications:

  • As quickly as possible

  • No later than 30 days after the date on which the breach of security was discovered

  • Consistent with measures necessary to determine the scope of the breach and restore the security and integrity of the data system, if a system was compromised

  • As appropriate to address law enforcement and homeland security related delays

Press Information

It is important to think ahead and know the information you are going to release to the press about an information security and privacy breach. The basic information you should provide includes:

  • Which individuals are affected and which are not

  • The specific types of PI involved in the breach

  • A brief description of the breach including high-level details

  • Expression of regret and concrete steps the institution is taking to prevent this from happening again

  • The steps the impacted individuals should take

  • Who to contact for more information

  • Next steps for the breach response activities

You want to ensure that you provide enough information to answer basic questions the press and the impacted individuals have about the incident, but you also want to ensure that you do not release information that could jeopardize any legal actions your organization may decide to take.

You also want to ensure you do not use statements that will come across as condescending, flippant, or disingenuous. Watch out if you are thinking about using “No evidence to indicate data has been misused…” types of statements; they usually make the organization seem disingenuous or trying to play down the incident. Be humble. Don’t push the blame onto someone else if the incident was a result of someone within your organization or a weakness in your organization’s systems or procedures. And don’t forget to provide information for how the press and the impacted individuals can get more information on an ongoing basis.

Website Incident Information

If the breach is significant, it is usually a good idea to put up a website that provides information about the breach. This will help to cut down on calls directly into your organization. Plus, it shows a good-faith effort on the part of your organization.

Here are some tips for what to put on your webpage dedicated to the privacy breach:

  • Put a “Most Recent Update About The Breach” section at the top of the webpage

  • Provide a copy of the notification letter, with appropriate components modified for the generic audience

  • Provide a link to the FTC’s Identity Theft website, credit agencies, and other sites useful to those impacted by the breach or interested in knowing more about the breach

  • Provide a frequently asked questions (FAQ) document about the breach

  • Provide toll-free hotline contact information for your organization

Create Your Notification Communications Carefully

It is likely that many organizations (in addition to the impacted individuals) will be closely reviewing your notification communications. A few of these include:

  • Regulatory oversight agencies, such as the FTC and the FDIC in the U.S. and the Canadian provincial privacy commissioners

  • State Attorneys General

  • Data Protection Authorities from countries outside of the US

  • Lawyers representing impacted individuals

  • Privacy advocacy groups

  • News media

  • Competitors

Organizations need to be sure their communications come across as sincere, truthful, and sympathetic to those impacted while also providing meaningful information for the impacted individuals.

More Resources

Our ready-made Information Security and Privacy Breach Policies and Procedures provide a simple, step-by-step guided process to create a data breach policy or procedure for your business. They support a wide variety of regulations and standards, including the GLBA and HIPAA regulations, as well as the NIST and ISO/IEC standards. Just follow the instructions and enter your business’s information when indicated.