Breach notification letters should do three things: state the facts, describe the impact honestly, and give the reader a specific next step. Most I have read do the opposite — lawyer-speak, euphemism, and no clear action. Below are templates I keep in the incident binder, written in plain English and aligned to typical state AG model language. Have your counsel review any actual letter before it goes out.
Consumer Notification (Retail / General Public)
Subject: Notice of Data Security Incident
Dear [First Name],
We are writing to let you know about a security incident that
involved some of your personal information. We are sorry this
happened, and we want to be clear about what we know, what we
are doing, and what you can do.
What happened
On [discovery date], we detected unauthorized access to one of
our systems. Our investigation determined the access took place
between [start date] and [end date]. We engaged an independent
cybersecurity firm to investigate and have notified law
enforcement.
What information was involved
The information involved included your [name, email address,
[specific categories]]. [If SSN/financial data: Your Social
Security number [and / or driver's license number] was also
included.] [If no financial data: No financial account or
payment information was involved.]
What we are doing
We contained the incident, removed the unauthorized access, and
are strengthening our systems to reduce the risk of a recurrence.
We are offering you [24 months] of complimentary credit
monitoring and identity restoration services through [provider].
Enrollment instructions and your activation code are on the
enclosed page.
What you can do
- Enroll in the credit monitoring service using the enclosed code.
- Consider placing a free security freeze with the three credit
bureaus: Equifax, Experian, and TransUnion.
- Monitor your account statements and credit reports for any
activity you do not recognize.
- Review the enclosed "Information about Identity Theft
Protection" sheet for additional steps.
For more information
If you have questions, please call our dedicated response line
at [phone] between [hours] or email [address]. You may also
contact your state attorney general or the Federal Trade
Commission at identitytheft.gov.
We take this seriously and we are sorry for the concern it
causes you.
Sincerely,
[Name]
[Title]
[Company]
Employee Disclosure
Employees deserve more detail than a consumer notice. They are not just affected individuals — they are the people who will have to field questions from customers, friends, and family.
Subject: Internal: Information about recent security incident
Team,
Earlier today we issued notices to affected individuals about a
security incident. I want to make sure you have the same
information and know how to respond to questions.
What happened
On [date] we detected unauthorized access to [system]. The
access occurred between [dates]. We contained it the same day.
Whose information was affected
[Number] individuals, including [categories: customers / employees /
prospects]. [If employee data affected: Some employee information
was also involved. Each affected employee is receiving a
personalized notice with details.]
What we are doing
- Engaged [forensics firm] to investigate.
- Notified [law enforcement / regulators].
- Offering [credit monitoring] to affected individuals.
- Implementing [specific remediation].
What you should do
- Do not speculate publicly or on social media. Direct media to
[comms contact]. Direct customer questions to [response line].
- If you believe your own information was affected, you will
receive a separate personalized notice.
- Review your own account statements and consider a credit freeze.
We will hold an all-hands on [date] to answer questions. Please
send anything you want covered to [address].
Thank you for the work you are doing through this.
[CEO name]
B2B Customer Communication
For enterprise customers, a personal call from the account executive precedes any written notice. The written version should be factual and contract-aware.
Subject: Security Incident Notification — [Company]
Dear [Customer Contact],
Further to our call of [date], this is the written notification
required under Section [X] of our agreement.
Incident summary
On [discovery date], we detected unauthorized access to [system],
which [does / does not] process your data. Forensic investigation
concluded on [date]. [Summary of cause and scope.]
Impact to your data
[Specific summary of whether and how the customer's data was
affected, including categories and approximate volume.]
Response actions taken
[List: containment, eradication, forensic engagement, notifications
to affected data subjects, regulatory filings.]
Your obligations under applicable law
Based on the categories of data involved, you may have notification
obligations to your end users or regulators. We are available to
support those notifications, including providing additional
information needed for regulatory filings.
Next steps
- A technical briefing is available at your request.
- Our incident response team can be reached at [contact].
- Quarterly update calls will continue until the incident is fully
resolved.
We regret the impact and are committed to transparent communication.
Sincerely,
[Name, Title]
Regulatory Filing Notes
Regulatory filings are not the place for narrative voice. Structure, timestamps, and specificity matter more than prose. A typical state AG filing uses a cover letter plus a copy of the consumer notice and includes:
- Date of discovery.
- Date and method of notification to affected residents.
- Number of residents of the state affected.
- Categories of personal information involved.
- Circumstances of the breach (brief factual summary).
- Remedial steps taken.
- Whether law enforcement is involved and whether notification was delayed at their request.
- Sample of the notice provided to affected individuals.
For SEC Form 8-K Item 1.05 filings: keep them short, factual, and under counsel's direction. Describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact of the incident. Avoid descriptive overreach, and amend the filing as facts develop.
Things to Avoid in All Templates
- "Sophisticated cyberattack." Everyone is "sophisticated." It sounds defensive.
- "Abundance of caution." Translates to "we think nothing happened but we are telling you anyway." Just say what happened.
- "Your privacy is our top priority." Prove it; do not assert it.
- Unqualified speculation about the actor. Attribution claims are a discovery goldmine for plaintiffs.
- Promises you cannot keep ("this will never happen again").
Plain language. Specific facts. A clear next step. Counsel-reviewed. That is the structure. Keep the templates updated and exercise them in a tabletop once a year. When a real incident comes, the letter should take hours to finalize, not days.