If you need a data breach notification example to model your own customer communication, the goal is simple: be clear, accurate, and action-oriented. A strong notice explains what happened, what information may be involved, what you’ve done to contain the incident, and what the recipient should do next—without speculation, blame-shifting, or legal jargon that confuses people.

Below is a best-practice structure you can adapt, plus a ready-to-customize example letter and a dedicated section on wording to avoid.

Why a notification letter matters (beyond compliance)

A notification letter is often the first direct touchpoint affected individuals receive. Done well, it reduces uncertainty, helps people protect themselves, and demonstrates that your organization is taking accountability. Done poorly, it can create panic, invite misunderstandings, and increase reputational damage.

Notification requirements vary by jurisdiction and industry (for example, healthcare, finance, and education may have additional rules). If you’re building your incident response process, the FTC’s guidance on responding to a data breach is a useful baseline for recommended steps and customer communication considerations.

What to include in a breach notification letter (checklist)

Use the sections below as a modular checklist. Not every situation needs every detail, but omitting the essentials can undermine trust and limit recipients’ ability to act.

1) A clear opening statement and key dates

Start with a direct statement that a security incident occurred and that you are notifying the recipient. Include the date of discovery and (if known) the date range of unauthorized access.

  • What to include: date discovered, incident window (if confirmed), when you are sending the notice.
  • What to avoid: burying the lead, euphemisms, or vague phrases like “a situation occurred.”

2) What happened (facts only)

Explain the incident in plain language. Keep it factual and avoid speculation. If the incident is still under investigation, say that clearly and state what is confirmed today.

  • Examples of factual framing: “An unauthorized party accessed an employee mailbox” or “We detected suspicious activity on a server that stores customer records.”
  • Include: how you discovered it (high level), what systems were involved (high level), and what you have confirmed so far.

3) What information was involved (be specific)

List the types of data potentially affected. Recipients need specificity to understand risk and decide what protective steps to take.

  • Common data types: name, address, email, phone number, date of birth, account number, payment card data, government ID numbers, medical information, login credentials.
  • Best practice: state what was involved and what was not involved (only if you can confirm).

4) What you have done to contain and remediate

Explain concrete actions taken, such as disabling compromised accounts, resetting credentials, patching vulnerabilities, engaging forensic experts, and enhancing monitoring.

  • Include: immediate containment steps, longer-term security improvements, and whether law enforcement was notified (if appropriate and permitted).
  • Be careful: don’t reveal technical details that could help attackers replicate the incident.

5) What the recipient should do next (prioritize actions)

Make the “next steps” section easy to scan and prioritize. Provide a short list of the most important actions and optional follow-ups.

  • Account security: reset passwords, enable multi-factor authentication, avoid password reuse.
  • Fraud monitoring: review account statements, watch for suspicious emails/texts, consider placing a fraud alert or security freeze where available.
  • Phishing warning: remind recipients you will not ask for passwords or full payment details by email.

6) Support channels and verification information

Provide contact details that help recipients confirm the notice is real and get assistance. Include a dedicated phone number, email address, and operating hours. Consider adding a reference ID for support calls.

  • Include: toll-free number (if available), mailing address, website support page, and hours of operation.
  • Accessibility: offer language support or alternative formats if applicable.

7) Any required regulatory language (industry-specific)

If you operate in a regulated sector, you may need additional required elements. For example, certain healthcare entities in the U.S. must follow the HHS HIPAA Breach Notification Rule, which sets out required content and timing for notices to individuals and other parties.

A best-practice structure you can copy (outline)

Use this structure as your internal template so every letter is consistent and complete.

  • Subject line: “Notice of Data Security Incident” (or similar)
  • Greeting
  • What happened (dates + brief summary)
  • What information was involved
  • What we are doing
  • What you can do (bulleted steps)
  • How to contact us
  • Closing (apology and commitment to updates)

Data breach notification letter example (customizable template)

Customize the bracketed fields and remove any sections that don’t apply. Do not include anything you can’t verify.

Subject: Notice of Data Security Incident

Dear [Customer/Member/Patient Name],

We are writing to inform you about a data security incident involving [Organization Name]. We take the privacy and security of personal information seriously, and we want to provide you with information about what happened, what information may have been involved, and steps you can take to protect yourself.

What happened
On [Discovery Date], we identified [brief description of incident, e.g., “unauthorized access to a company email account”]. Our investigation determined that the incident occurred between [Incident Start Date] and [Incident End Date] (or “on or around [Date]”). We promptly took steps to contain the incident, including [high-level containment actions]. The incident remains under investigation, and we will provide additional updates if new information becomes available.

What information was involved
Based on our investigation to date, the information involved may have included: [list specific data elements, e.g., name, address, date of birth, account number]. We have no evidence at this time that [optional: “your information has been misused”] (only include if true and defensible).

What we are doing
We took immediate action to secure our systems and reduce the risk of a similar incident, including: [resetting passwords/enhancing monitoring/engaging cybersecurity experts/patching systems]. We are also reviewing and strengthening our security controls.

What you can do
We recommend the following steps to help protect your information:

• Change passwords for any accounts that use the same or similar password as your [Organization/Service] account, and enable multi-factor authentication where available.
• Monitor your financial accounts and credit reports for suspicious activity.
• Be cautious of emails, calls, or texts that ask for personal information or direct you to provide login credentials. [Organization Name] will not ask you to share your password via email.

For more information
If you have questions, please contact our dedicated support line at [Phone Number] (available [Hours/Time Zone]) or email us at [Support Email]. When contacting us, please reference: [Reference ID].

We regret any concern this incident may cause. Protecting your information is important to us, and we are committed to maintaining your trust.

Sincerely,
[Name]
[Title]
[Organization Name]
[Organization Address]

What to avoid: wording that increases risk and distrust

The wrong phrasing can create legal exposure, confuse recipients, or undermine credibility. Use the guidance below to tighten your message.

Avoid minimizing language

Don’t tell people they “don’t need to worry” or imply the incident is insignificant. Affected individuals should decide their own risk tolerance based on facts.

  • Avoid: “This incident is not serious.”
  • Use instead: “We are sharing details and recommended steps you can take.”

Avoid speculation and absolutes

Never guess about what happened or make promises you can’t prove (for example, that misuse “will not” occur). If investigation is ongoing, say so.

  • Avoid: “We are certain your information was not accessed.” (unless you can prove it)
  • Use instead: “Our investigation indicates [what is confirmed].”

Avoid blaming third parties or recipients

Even if a vendor was involved, blaming others reads as deflection. Focus on what you’re doing and what the recipient can do.

  • Avoid: “This is the vendor’s fault.”
  • Use instead: “We are working with our service providers and experts to investigate and remediate.”

Avoid technical overload

Too much technical detail can confuse recipients and potentially aid attackers. Keep technical explanations minimal and centered on impact.

  • Avoid: detailed logs, exploit names, firewall rules, or internal system diagrams.
  • Use instead: a high-level description of the affected system and the type of access.

Avoid mixed messages about action steps

If you recommend monitoring or password changes, don’t undercut it with contradictory language. Your recommended actions should match the data involved.

  • Avoid: “No action is required” followed by a long list of steps.
  • Use instead: “We recommend these steps out of an abundance of caution.”
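As an added illustration, not part of the original article, the following Python checker applies this page's checklist and "what to avoid" list to a draft notice: it reports template sections that are missing, bracketed fields left unfilled, and phrases the article says to avoid. The section names and phrase list are taken from this page's guidance, and the sample draft is constructed for the example.

```python
import re

# Section headings from the page's template; a complete notice carries all of them
REQUIRED_SECTIONS = ["What happened", "What information was involved",
                     "What we are doing", "What you can do", "For more information"]

# Wording the page says to avoid: minimizing, absolute, deflecting, or mixed messages
AVOID_PHRASES = ["not serious", "don't need to worry", "we are certain",
                 "will not occur", "vendor's fault", "no action is required"]

# Unfilled template fields such as [Discovery Date] or [Reference ID]
PLACEHOLDER = re.compile(r"\[[^\]]+\]")

# Constructed sample draft (not a real notice): it omits a section, leaves a
# placeholder unfilled, and mixes an absolute claim with "no action is required"
SAMPLE_DRAFT = """Subject: Notice of Data Security Incident
Dear Customer,
What happened
On [Discovery Date], we identified unauthorized access to a company email account.
What information was involved
The information involved may have included name and account number.
We are certain your information was not misused, so no action is required.
What we are doing
We reset affected passwords and engaged cybersecurity experts.
For more information
Call 1-800-555-0100 (constructed number) or email support@example.com.
"""


def lint_notice(text: str) -> list[str]:
    """Return findings for a draft notice; an empty list means it passes every check."""
    findings = []
    lowered = text.lower().replace("\u2019", "'")  # treat curly apostrophes as plain
    for section in REQUIRED_SECTIONS:
        if section.lower() not in lowered:
            findings.append(f"missing section: {section}")
    for field in sorted(set(PLACEHOLDER.findall(text))):
        findings.append(f"unfilled placeholder: {field}")
    for phrase in AVOID_PHRASES:
        if phrase in lowered:
            findings.append(f"avoid wording: '{phrase}'")
    return findings


if __name__ == "__main__":
    for finding in lint_notice(SAMPLE_DRAFT):
        print(finding)
```

Run it against your own draft before it goes to legal review; a clean result only means the structural and wording checks pass, not that the facts are verified.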

Practical delivery and follow-up tips

A good letter is only one part of the response. Plan for recipients’ questions and for consistency across channels (email, mail, help center, and support scripts).

  • Make it verifiable: Publish a matching notice on your official website and ensure support teams can confirm the incident details.
  • Prepare your call center: Provide agents with an FAQ and escalation path for suspected identity theft.
  • Keep a timeline: Document decisions, dates, and actions taken. This supports both transparency and internal learning.
  • Use established incident response practices: Consider aligning internal handling with recognized guidance such as the NIST Computer Security Incident Handling Guide (SP 800-61).

FAQs

Should we send email, postal mail, or both?

Use the method required by applicable laws and your customer agreements. Many organizations use both email (fast) and postal mail (more universal and less likely to be missed), especially when high-risk data is involved.

How detailed should “what happened” be?

Include enough detail for recipients to understand the nature of the incident and how it may affect them, but avoid technical specifics that don’t change the recipient’s actions or that could aid attackers.

Do we need to offer credit monitoring?

It depends on the type of information involved and your legal and contractual obligations. If the breach includes data that can enable identity theft (for example, government ID numbers), many organizations provide credit monitoring or identity protection services and clearly explain enrollment steps and deadlines.

Can we say “no evidence of misuse”?

You can say it only if it’s true and supported by what you have visibility into. Pair it with practical precautions so recipients still know what to watch for.

What if we don’t yet know exactly whose data was affected?

Be transparent about what is known and what is still being investigated. If you are notifying out of caution due to incomplete logs or uncertain scope, explain that plainly and commit to follow-up if the scope changes.

Use this data breach notification example as a starting point, then tailor it to your incident facts, audience, and legal requirements.
