Suped

Summary

When emailing users about a data breach, prioritize promptness, transparency, and actionable information. Notify only affected individuals, excluding unsubscribes, and make sure the compromised data has been deleted where possible. Send communications in batches, starting with the most active users, and consider a dedicated subdomain. Describe the nature of the breach, the compromised data, the potential risks, and the remediation measures. Provide contact information for further inquiries and guide users on protecting themselves. Secure systems, fix vulnerabilities, notify law enforcement if needed, and comply with regulations like GDPR and FCRA. An apology and a clear, jargon-free explanation are vital, along with the actions taken to prevent recurrence. Transparency and following through on promised actions foster trust and mitigate negative reactions.

Key findings

  • Transparency: Be honest and upfront about the breach, detailing exactly what happened and what information was compromised.
  • Actionable Information: Provide clear steps the customer can take to protect themselves and offer support.
  • Promptness: Tell people as soon as you know about the compromise.
  • Selective Notification: Contact only individuals related to the data breach and exclude unsubscribes.
  • Batch Communication: Send emails in batches to avoid overwhelming mail servers.

Key considerations

  • Legal Compliance: Comply with regulations like GDPR, FCRA and other data protection laws.
  • ISP Notification: Consider proactively notifying ISPs about the upcoming communication.
  • Dedicated Subdomain: Use a dedicated subdomain for breach-related communications.
  • Security Measures: Focus on securing systems and fixing vulnerabilities to prevent future incidents.
  • User Trust: Maintaining user trust is paramount; be transparent and fulfil promised actions.

What email marketers say

13 marketer opinions

When emailing users about a data breach, prioritize transparency, speed, and clarity. Notify affected individuals as soon as possible, providing comprehensive details about the breach including what happened, what data was compromised, potential risks, and steps taken to resolve the issue. Offer guidance on how users can protect themselves and consider providing support or services like credit monitoring. Segment your audience, excluding unsubscribes and hard bounces, and send emails in batches to avoid deliverability issues. Proactively inform ISPs, use a dedicated subdomain, and consult legal and ESP teams. Always apologize, explain the vulnerability, and act transparently.

Key opinions

  • Be Transparent: Honesty and transparency are crucial; explain exactly what happened and what information was compromised.
  • Provide Details: Offer comprehensive details about the breach, including the nature of the incident, the type of data affected, and potential risks to users.
  • Offer Guidance: Provide clear, actionable steps users can take to protect themselves following the breach.
  • Act Quickly: Notify affected individuals as soon as possible after the breach is discovered.
  • Segment Audience: Carefully select the recipients; exclude unsubscribes and hard bounces to improve deliverability.

Key considerations

  • Legal Consultation: Consult your legal team to ensure compliance with data breach notification laws and regulations.
  • ISP Notification: Consider proactively notifying ISPs to mitigate potential deliverability issues.
  • Dedicated Subdomain: Set up a dedicated subdomain for breach-related communications to clearly indicate the purpose of the emails.
  • Batch Sending: Send emails in batches to avoid overwhelming mail servers and to monitor deliverability.
  • Support Services: Consider offering credit monitoring or other support services to affected individuals.

Marketer view

Email marketer from Reddit suggests being honest and upfront about the breach, detailing exactly what happened and what information was compromised. Also, provide clear steps the customer can take to protect themselves and offer support.

5 Sep 2024 - Reddit

Marketer view

Email marketer from heimdalsecurity.com shares that the notification should include: What happened, When it happened, What information was involved, What you are doing to resolve the problem, What they can do to protect themselves.

26 Dec 2022 - heimdalsecurity.com

What the experts say

2 expert opinions

When emailing users about a data breach, transparency and timely communication are paramount. Inform affected individuals as soon as the compromise is known, providing honest details about what occurred. To avoid overwhelming systems and ensure deliverability, stagger communications, prioritizing the most active users first. Outline the actions you will take to support affected users and ensure you follow through, as transparency builds trust and prevents further anger.
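The recipient selection and staggered sending described in the marketer and expert summaries above (exclude unsubscribes and hard bounces, notify only affected users, most active first, in batches) can be expressed as a small pipeline. The following is an added example, not code from Suped or from any of the quoted sources; the user records, field names, batch size and send interval are constructed assumptions, and the filters implement exactly the page's advice rather than any particular law's notification rules.

```python
from datetime import datetime, timedelta

# Constructed sample user records (not real data). Each record carries the
# three flags the page's advice depends on plus a last-activity timestamp.
USERS = [
    {"email": "a@example.com", "affected": True,  "unsubscribed": False, "hard_bounce": False, "last_active": datetime(2024, 8, 30)},
    {"email": "b@example.com", "affected": True,  "unsubscribed": True,  "hard_bounce": False, "last_active": datetime(2024, 9, 1)},
    {"email": "c@example.com", "affected": False, "unsubscribed": False, "hard_bounce": False, "last_active": datetime(2024, 9, 2)},
    {"email": "d@example.com", "affected": True,  "unsubscribed": False, "hard_bounce": True,  "last_active": datetime(2024, 9, 2)},
    {"email": "e@example.com", "affected": True,  "unsubscribed": False, "hard_bounce": False, "last_active": datetime(2024, 9, 3)},
    {"email": "f@example.com", "affected": True,  "unsubscribed": False, "hard_bounce": False, "last_active": datetime(2023, 1, 15)},
]


def select_recipients(users):
    """Keep only affected users who have not unsubscribed and whose address
    has not hard-bounced, ordered most recently active first (the page's
    'start with the most active addresses and work backwards')."""
    eligible = [
        u for u in users
        if u["affected"] and not u["unsubscribed"] and not u["hard_bounce"]
    ]
    return sorted(eligible, key=lambda u: u["last_active"], reverse=True)


def make_batches(recipients, batch_size):
    """Split an ordered recipient list into consecutive batches; the last
    batch may be smaller. Preserves the activity ordering within and across
    batches."""
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    return [recipients[i:i + batch_size] for i in range(0, len(recipients), batch_size)]


def schedule_batches(batches, start, interval):
    """Assign each batch a send time spaced `interval` apart, so the mail is
    spread out over time instead of going to everyone at once. Returns a list
    of (send_time, [emails]) tuples."""
    return [
        (start + i * interval, [u["email"] for u in batch])
        for i, batch in enumerate(batches)
    ]


def plan_notification(users, batch_size, start, interval):
    """End-to-end: filter, order, batch and schedule."""
    return schedule_batches(make_batches(select_recipients(users), batch_size), start, interval)


if __name__ == "__main__":
    # Assumed parameters: batches of 2, one hour apart, starting at a fixed time.
    plan = plan_notification(USERS, 2, datetime(2024, 9, 5, 9, 0), timedelta(hours=1))
    for send_time, emails in plan:
        print(send_time.isoformat(), emails)
```

The excluded records show why the filters matter for deliverability: the unsubscribed and hard-bounced addresses never enter a batch, and the unaffected user is not contacted at all, matching the "contact only individuals related to the data breach" guidance. The interval and batch size are parameters because the right values depend on list size and the sending infrastructure, which the page leaves to the sender's ESP.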

Key opinions

  • Timely Disclosure: Inform users about the compromise as soon as it is discovered.
  • Transparency: Be honest and open about what happened, providing clear details.
  • Staggered Communication: Avoid sending all notifications at once; spread them out over time, starting with active users.

Key considerations

  • Action Plan: Clearly outline and follow through on the steps you will take to support affected users.
  • User Trust: Transparency and prompt action are crucial for maintaining user trust and preventing negative reactions.
  • Deliverability: Sending emails in batches helps manage server load and improve deliverability rates.

Expert view

Expert from Spam Resource explains it's important to tell people as soon as you know about the compromise, and what happened. Be honest, explain what you will do for them, and also do it. The important thing is to be transparent. If you don't let people know what's happening, they will be very angry at you.

12 Jan 2022 - Spam Resource

Expert view

Expert from Email Geeks recommends not sending all the mail at once; spread it out over time, don't just drop a bomb of mail on everyone at once, and start with the most active addresses and then work backwards.

14 Aug 2023 - Email Geeks

What the documentation says

4 technical articles

When emailing users about a data breach, regulatory documentation emphasizes clear communication, prompt action, and comprehensive disclosure. Describe the nature of the breach, provide contact information for further inquiries, and set out the likely consequences and the measures taken to address the breach. Secure systems, fix vulnerabilities, notify law enforcement (if necessary), and review compliance with regulations like the Fair Credit Reporting Act. Notify supervisory authorities within mandated timeframes (e.g., 72 hours under GDPR) and communicate with affected individuals, especially when there is a high risk to their rights and freedoms. Include details about the information compromised, the organization's response, and the steps users can take to protect themselves.

Key findings

  • Clear Description: Clearly describe the nature of the data breach.
  • Contact Information: Provide contact details for inquiries, such as a Data Protection Officer.
  • Consequence Disclosure: Describe the likely consequences of the breach.
  • Remediation Measures: Detail the measures taken or proposed to address the breach.
  • Timely Notification: Notify supervisory authorities and affected individuals without undue delay (e.g., within 72 hours).

Key considerations

  • Regulatory Compliance: Ensure compliance with relevant regulations like GDPR, FCRA, and Australian privacy laws.
  • Risk Assessment: Assess the risk to individuals' rights and freedoms to determine the necessity and urgency of communication.
  • Security Measures: Prioritize securing systems and fixing vulnerabilities to prevent future breaches.
  • Law Enforcement: Notify law enforcement if a crime was committed.
  • Individual Protection: Provide guidance on steps individuals can take to protect themselves from the breach's impact.

Technical article

Documentation from the Australian Government explains that data breach notification emails should include: the nature of the breach, the kind of information concerned, what the organisation has done to respond to the breach, and what steps individuals can take to protect themselves.

19 Aug 2023 - oaic.gov.au

Technical article

Documentation from the GDPR explains that you must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. Communicate the personal data breach to the data subject when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

16 Aug 2021 - GDPR
