Stay up to date with Pomerium news and announcements.
Data breaches can have severe consequences for any organization. Addressing these incidents requires swift action to secure systems, identify the source of the breach, work with law enforcement, and mitigate further damage. However, one of the most difficult tasks is notifying your valued customers. This step may lead to customer frustration, anger, and even the loss of loyal clients. That's why it's crucial to draft a well-thought-out data breach notification letter. To assist you, we've provided five sample breach notification letters below.
Ready-to-use template- General
Template- GRPD breach specific with important GDPR article links
Sample breach letter caused by exploiting third-party vendor vulnerability
Example- American Express
Example- Shields Health Care Group
1. Data Breach Notification Letter Template- General
This is a basic breach notification letter template you can copy-paste and use instantly.
Subject: Important Notice Regarding Data Breach Incident
Dear [Customer’s Name],
We are writing to inform you of a data security incident that may have involved some of your personal information. At [Company Name], we take the protection and privacy of your data very seriously, and we are committed to keeping you informed about important updates regarding your information.
What Happened?
On [Date of Discovery], we identified and confirmed that our systems had experienced a data breach. The incident happened on [Date of Breach], and we immediately took action by launching an investigation and engaging cybersecurity experts to assist in identifying the cause of the breach and mitigate its effects. Law enforcement authorities have also been notified and are investigating the matter.
What Information Was Involved?
The information that may have been compromised includes the following:
[List of potentially compromised data types, e.g., Name, Email Address, Phone Number, Account Information, Payment Information, Social Security Number]
At this time, we have no evidence that your information has been misused. However, we wanted to notify you about this incident so you can take the necessary precautions.
What We Are Doing
Upon discovering this breach, we immediately took the following steps to contain and resolve the issue:
Secured our systems by implementing additional security measures to prevent further unauthorized access.
Engaged third-party cybersecurity experts to conduct a thorough investigation.
Notified law enforcement authorities to assist in the investigation.
Initiated system updates to address vulnerabilities.
Offered identity theft protection services to affected individuals (if applicable).
What You Can Do
We recommend that you take the following actions to protect your personal information:
Monitor your accounts: Regularly check your account statements and credit reports for any suspicious activity.
Change your passwords: Update the passwords for your [Company Name] account and any other online accounts that may use the same credentials.
Activate identity protection services: We are offering [Name of Identity Theft Protection Service] free of charge for [Duration]. You can enroll by visiting [Link] or calling [Phone Number].
For More Information
We understand how unsettling this news may be and are here to help you through the process. If you have any questions or concerns, please do not hesitate to contact our dedicated customer support team at [Phone Number] or via email at [Email Address].
We sincerely apologize for any inconvenience this may have caused and want to assure you that protecting your information remains our top priority.
Sincerely, [Name] [Title] [Company Name]
Additional Resources:
Federal Trade Commission (FTC) – Identity Theft: [FTC Link]
Credit Reporting Agencies:
Equifax: [Equifax Contact Info]
Experian: [Experian Contact Info]
TransUnion: [TransUnion Contact Info]
2. Breach Notification Letter Template- GDPR Specific
When a breach involves GDPR, the procedures become significantly more complex, including the data breach notification to users. The template below includes all the essential information you are required to provide to your customers in compliance with GDPR.
[Company Name] [Company Address] [City, State, ZIP Code] [Date]
Subject: Important Notice Regarding GDPR Data Breach Incident
Dear [Customer’s Name],
We are writing to inform you of a recent data security incident that may have affected your personal data. As an organization, [Company Name] is committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR). This notice is issued in line with our obligations under GDPR Article 33, which mandates that we notify you when your data may have been compromised in a data breach.
What Happened?
On [Date of Discovery], we became aware of a breach in our systems that resulted in unauthorized access to certain personal data. The breach occurred on [Date of Breach], and upon discovering this, we immediately took the necessary actions to mitigate the impact and ensure the safety of your data.
We acted swiftly by launching an internal investigation and engaging third-party cybersecurity experts to assist. We also notified the relevant supervisory authority, [Name of Supervisory Authority, e.g., the Information Commissioner’s Office (ICO)], as required under GDPR.
What Information Was Affected?
The breach may have involved the following types of personal data:
[List types of personal data compromised, e.g., Name, Address, Email, Payment Information, etc.]
Please note that at this time, we do not have evidence that your data has been misused. However, we are notifying you so that you can take appropriate precautions.
Measures We Have Taken to Ensure GDPR Compliance
In accordance with GDPR, we have taken the following steps:
Promptly reported the breach to the relevant supervisory authority within 72 hours of discovery, as required by GDPR Article 33.
Engaged cybersecurity experts to investigate the incident, identify the source, and address any vulnerabilities in our system.
Implemented additional security measures to prevent further unauthorized access, including enhanced encryption, stricter access controls, and continuous monitoring.
Informed affected individuals, like yourself, in compliance with GDPR Article 34, as your data may have been impacted by this breach.
Compensation and Identity Protection
We deeply regret any inconvenience this breach may cause you. To mitigate potential harm, we are offering the following compensation and services:
Identity theft protection: We are providing [Name of Identity Protection Service] free of charge for [Duration] to help monitor your personal information. You can enroll by visiting [Link] or contacting [Phone Number].
Compensation for direct financial impact: If you experience any financial loss directly linked to this incident, please contact us with evidence, and we will assess the situation for appropriate compensation, as outlined under GDPR Article 82 (Right to Compensation and Liability).
What You Can Do
Although we have taken every step to secure your information, we encourage you to:
Monitor your accounts for any suspicious activity or unauthorized transactions.
Change your passwords for any online accounts, especially those using the same credentials as your [Company Name] account.
Utilize the identity protection services we have provided to monitor for any misuse of your data.
Next Steps
We are continuing to monitor the situation closely and will provide updates if further significant developments arise. If you have any concerns or would like more information regarding your rights under GDPR, please feel free to contact us at [Email] or [Phone Number]. We are also happy to provide additional details on the measures we’ve taken to safeguard your data and our ongoing efforts to prevent future incidents.
We sincerely apologize for the inconvenience this may have caused and appreciate your understanding as we address this matter.
Sincerely, [Name] [Title] [Company Name]
Additional Resources:
Supervisory Authority Contact Information: [Contact Information for Supervisory Authority]
Your Rights under GDPR: [Link to GDPR Rights]
Identity Theft Protection Service Details: [Link to Service]
Customer Support: [Email/Phone]
3. Data Breach Notification Letter Sample
This is a well-written sample data breach notification letter that focuses on the vulnerability exploitation of third-party software. Feel free to modify and use it as you find necessary.
Subject: Critical Notification Regarding Data Breach Incident Involving Your Personal Information
Dear John Doe,
We regret to inform you about a serious security incident that has compromised the confidentiality of your personal information. As part of our ongoing commitment to transparency and privacy, we are writing to explain the details of this breach, the actions we are taking to resolve it, and the steps you can take to protect yourself.
What Happened?
On September 10, 2024, our security team detected a data breach involving a Man-in-the-Middle Attack. A well-known attacker group, BlackBasta, exploited a vulnerability in the enterprise VPN system used by our company, ABC Inc., for remote access. This vulnerability allowed the attackers to intercept and steal sensitive data being transmitted over our network.
The breach occurred on July 31, 2024, and it resulted in the compromise of personal identifiable information (PII), including social security numbers, of more than 100,000 individuals. The attackers subsequently sold the stolen data on the dark web for 2 million USD.
We understand how distressing this news may be, and we are working tirelessly to contain the impact of the breach and support affected individuals.
What Information Was Involved?
The data affected by this breach includes:
Full Name
Home Address
Email Address
Social Security Number
Phone Number
Other Personally Identifiable Information (PII)
At this stage, we have verified that none of your payment or financial data was compromised in the attack. However, the exposure of PII, especially social security numbers, carries significant risks.
What We Are Doing
We have taken the following immediate and long-term steps to address the breach:
Secured our systems: The vulnerable VPN system has been replaced by Pomerium, an advanced identity-aware access and continuous verification provider for a robust security posture.
Engaged cybersecurity experts: We have partnered with industry-leading cybersecurity firms to conduct a thorough forensic investigation and identify any remaining threats.
Informed the authorities: We have reported the breach to law enforcement and are fully cooperating with them in their investigation. A court case against the perpetrators, BlackBasta, is scheduled to begin on 18 September 2024.
Notification to affected individuals: In accordance with data privacy laws, including the General Data Protection Regulation (GDPR) and other relevant regulations, we are notifying all individuals whose data was compromised.
Offering identity theft protection: We are providing a free subscription to Identity Guard, the identity protection service for 24 months. This service will help monitor your personal information for any signs of misuse. You can enroll by visiting [Link] or contacting 123-4567-890.
What You Can Do
We strongly recommend that you take the following steps to protect yourself:
Monitor your credit reports: Keep a close watch for any unusual activity by regularly reviewing your credit reports. You can obtain free copies of your credit reports at TransUnion.com.
Place a fraud alert or credit freeze: Consider placing a fraud alert or credit freeze on your credit files to prevent any unauthorized access to your accounts.
Activate identity theft protection: Enroll in the identity theft protection services we are offering to ensure that your personal data is being monitored for suspicious activity.
Change your passwords: Update your passwords, especially for any accounts that use the same credentials as your ABC Inc., account.
Next Steps
We understand that this incident may raise concerns, and we are committed to providing you with the support you need during this time. Our investigation is ongoing, and we will continue to update you with any significant developments. If you have any questions or need additional information, please do not hesitate to reach out to our dedicated support team at 098-7654-321 or via email at support@abc.com.
We deeply regret that this incident occurred and apologize for any inconvenience or harm it may cause you. Rest assured, we are taking every measure to prevent similar incidents in the future and to hold the responsible parties accountable.
Sincerely, Jane Doe IT Head ABC Inc.
4. Security Breach Notification Letter Example: American Express
Take a look at this data breach notification example, sent by American Express in March 2024, to inform their customers about a recent security incident.
Protecting the security of our Card Members’ information is very important to us and we strive to let you know about security concerns as soon as possible. We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.
WHAT INFORMATION WAS INVOLVED?
At this time, we have been informed that your current or previously issued American Express Card account number, your name and other Card information such as the expiration date, may have been compromised. Please be aware that you may receive additional letters from us if more than one of your American Express Card accounts were involved.
WHAT WE ARE DOING.
Please be assured we are vigilantly monitoring your account for fraud and, if it should occur, you are not liable for fraudulent charges on your account. To learn more about the measures we take to help protect your account visit our Security Center atamericanexpress.com/fraudprotection.
WHAT YOU CAN DO.
We ask that you carefully review your account for fraudulent activity. Below are some steps you can take to protect your account.
· Login to your account at americanexpress.com/MYCAto review your account statements carefully and remain vigilant in doing so, especially over the next 12 to 24 months.
· If your card is active, sign up to receive instant notifications of potential suspicious activity by enabling Notifications in the American Express Mobile app, or signing up for email or text messaging atamericanexpress.com/accountalerts. Please make sure your mobile phone number and email address are also on file for us to contact you if needed.
OTHER IMPORTANT INFORMATION.
Included with this letter are some additional helpful tips and steps you can take to protect yourself against the risks of fraud and identity theft.
FOR MORE INFORMATION.
If you notice any suspicious activity on your account, please don’t hesitate to call us 24 hours a day, 7 days a week, at 1-855-693-2213. One of our Customer Care Professionals will be happy to assist you.
Especially in today’s environment, we understand that your security is paramount. We are strongly committed to protecting the privacy and security of your information and regret any concern this may have caused you. As always, thank you for your trust in us, and for your continued Card Membership.
Sincerely, Anneke Covell
Vice President, U.S. & AENB Privacy American Express Company
Additional Helpful Tips
Below are additional helpful tips you may want to consider to protect your Card and personal information:
· If your card is active, login to your account at americanexpress.com/MYCAto review your account statements carefully and remain vigilant in doing so, especially over the next 12 to 24 months.
· If your card is active, sign up to receive instant notifications of potential suspicious activity by enabling Notifications in the American Express Mobile app, or signing up for email or text messaging atamericanexpress.com/accountalerts. Please make sure your mobile phone number and email address are also on file for us to contact you if needed.
· Visit our Security Center atamericanexpress.com/fraudprotectionto learn more about the measures we take to help protect your account and the steps you can take to safeguard your information.
· Visit the Federal Trade Commission (FTC) website for information on how to protect yourself against ID theft and safeguarding your electronic devices from viruses and other malicious software by:
· Learning how to make protecting yourself from identity thieves part of your daily routine by visitingconsumer.gov/idtheftor call 1-877-IDTHEFT (438-4338) to learn more about identity theft and protective steps you can take or file a report. You can also contact the FTC at: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington DC 20580.
· Help avoid, detect and remove viruses and other malicious software by protecting your computer from spyware and viruses that can cause it to run slowly or give fraudsters access to your personal information by visiting consumer.ftc.gov/articles/0011-malware.
· Review this additional information:
· Maryland, North Carolina and Rhode Island residents may also contact these agencies for information on how to prevent or avoid identity theft.
· For Maryland residents: You may contact the Office of the Maryland Attorney General, 200 St. Paul Place, Baltimore, MD 21202, http://www.marylandattorneygeneral.gov/, 1-888-743-0023.
· For North Carolina residents: You may contact the North Carolina Office of the Attorney General, Mail Service Center 9001, Raleigh, NC 27699-9001, http://www.ncdoj.gov/, 1-877-566-7226.
· For Rhode Island residents: You may contact the Rhode Island Office of the Attorney General, 150 South Main Street, Providence, RI 02903,http://www.riag.ri.gov, 401-274-4400.
· For Iowa residents: You are advised to report any suspected identity theft to law enforcement or to the Iowa Attorney General.
· For Massachusetts residents: You have the right to obtain a police report regarding this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
· For Oregon residents: You are advised to report any suspected identity theft to law enforcement, including the Federal Trade Commission and the Oregon Attorney General.
· For Rhode Island residents: You have the right to file or obtain a police report regarding this incident.
· Contact the major credit bureaus to get useful information about protecting your credit, including information about fraud alerts, security freezes, or other steps you can take to protect yourself from fraud and identity theft. To obtain an annual free copy of your credit reports, visitannualcreditreport.com, or call toll-free at 1-877-322-8228. Credit bureau contact details are provided below:
· For Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, Puerto Rico, and Vermont residents: You may obtain one or more (depending on the state) additional copies of your credit report, free of charge. You must contact each of the credit bureaus directly to obtain such additional report(s).
· A fraud alert indicates to any business requesting your credit file that you suspect you are a victim of fraud and requires the business to verify your identity before issuing you credit. A fraud alert does not affect your ability to get a loan or credit, but it may cause some delay if you are applying for credit.
· You have the right to place a security freeze on your credit file free of charge. A security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, using a security freeze may delay your ability to obtain credit. To place a security freeze, you must contact each of the three credit bureaus listed above and provide the following information: (1) your full name; (2) SSN; (3) date of birth; (4) the addresses where you have lived over the past 2 years; (5) proof of current address, such as a utility bill or telephone bill; (6) a copy of a government issued identification card; and (7) if you are the victim of identity theft, include the police report, investigative report, or complaint to a law enforcement agency. If the request to place a security freeze is made by toll-free telephone or secure electronic means, the credit bureaus have one business day after receiving your request to place the security freeze on your credit report. If the request is made by mail, the credit bureaus have three business days to place the security freeze on your credit report after receiving your request. The credit bureaus must send confirmation to you within five business days and provide you with information concerning the process by which you may remove or lift the security freeze. There is no fee to place or lift a security freeze.
· Obtain or file a police report - You have the right to obtain any police report filed in regard to this incident. If you are the victim of fraud or identity theft, you also have the right to file a police report.
· Keep a record of your contacts - Start a file with copies of your credit reports, any police report, any correspondence, and copies of disputed bills. It is also useful to keep a log of your conversations with creditors, law enforcement officials, and other relevant parties.
5. Breach Notification Letter Example- Shields Health Care Group
On October 2, 2023, Shields Health Care Group sent this data breach notification letter to its customers.
Shields Health Care Group, Inc. (“Shields”) is providing notice of a data security event that may have involved individuals’ information. Shields provides management and imaging services on behalf of the health care facilities (“Facility Partners”) listed below. With the assistance of third-party forensic specialists, Shields took immediate steps to contain the incident and to investigate the nature and scope of the incident. Shields is issuing this notice on behalf of itself and the Facility Partners to communicate information about the incident, our response, and steps impacted individuals can take, if deemed appropriate.
What Happened? On March 28, 2022, Shields was alerted to suspicious activity that may have involved data compromise. Shields immediately launched an investigation into this issue and worked with subject matter specialists to determine the full nature and scope of the event.
This investigation determined that an unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022. Furthermore, the investigation revealed that certain data was acquired by the unknown actor within that time frame.
Shields worked with specialists to perform a comprehensive review of the potentially affected data to determine what individual personal information may have been involved, and began notifying individuals and regulators last year. Shields continued to review the potentially impacted information and recently completed this review. Additional notices were mailed beginning April 19, 2023.
What Information Was Involved? The type of information that was or may have been impacted could include one or more of the following: full name, Social Security number, driver’s license number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.
What Are We Doing? Shields takes the confidentiality, privacy, and security of information in our care seriously. Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected. Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security.
We have notified federal law enforcement, and reported this incident to relevant state and federal regulators. Further, we directly notified impacted individuals where possible so that they may take further steps to help protect their information, should they feel it is appropriate to do so.
What Can Affected Individuals Do? We encourage impacted individuals to review Steps You Can Take to Help Protect Your Information, which is included below.
For More Information. We understand you may have additional questions concerning this incident. Individuals can direct questions to 617.984.3723. The call center hours are Monday through Friday, 9:00 am to 4:30 pm Eastern Standard Time (except U.S. holidays).
Steps You Can Take to Help Protect Your Information
Monitor Your Accounts
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of your credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit/security freeze on your credit report. To request a security freeze, you may need to provide the following information, depending on whether you make the request online, by phone, or by mail:
Full name (including middle initial as well as Jr., Sr., II, III, etc.);
Social Security number;
Date of birth;
Addresses for the prior two to five years;
Proof of current address, such as a current utility bill or telephone bill;
Social Security Card, pay stub, or W2;
A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.
Should you wish to place a credit freeze or fraud alert, please contact the three major credit reporting bureaus listed below:
TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094
Additional Information
You may further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your state Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General. Further, you have the right to obtain any police report filed in regard to this incident. This notice has not been delayed by law enforcement.
For District of Columbia residents, the District of Columbia Attorney General may be contacted at: 400 6th Street, NW, Washington, DC 20001; 202-727-3400; and oag.dc.gov.
For Maryland residents, the Maryland Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-410-528-8662 or 1-888-743-0023; and www.oag.state.md.us.
For Massachusetts Residents, under Massachusetts law, you have the right to obtain a police report in regard to this incident. If you are the victim of identity theft, you also have the right to file a police report and obtain a copy of it.
For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your credit report; and you may seek damages from violator. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.
For New York residents, the New York Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; or https://ag.ny.gov/.
For North Carolina residents, the North Carolina Attorney General may be contacted at: 9001 Mail Service Center, Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; and www.ncdoj.gov.
For Rhode Island residents, the Rhode Island Attorney General may be reached at: 150 South Main Street, Providence, RI 02903; www.riag.ri.gov; and 1-401-274-4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident.
