How should I email users about a data breach?
Summary
What email marketers say (13 marketer opinions)
Email marketer from Reddit suggests being honest and upfront about the breach, detailing exactly what happened and what information was compromised. Also, provide clear steps the customer can take to protect themselves and offer support.
Email marketer from heimdalsecurity.com shares that the notification should include: what happened, when it happened, what information was involved, what you are doing to resolve the problem, and what they can do to protect themselves.
Email marketer from Securitymetrics.com recommends telling customers about the breach as soon as possible. The notification should include a description of the breach, the data that was compromised, what the company is doing to resolve the issue, and what customers can do to protect themselves.
Marketer from Email Geeks explains that you should send emails slowly and in batches, with a very clear message (topic and content), no call to action or links whatsoever, using the usual sending domain, potentially with a different user part.
Email marketer from Digital Guardian advises to be transparent, provide accurate details, and offer guidance on what affected individuals should do next. Also consider offering credit monitoring services.
Email marketer from pixelprivacy.com shares that you must provide detailed information regarding the breach. Affected customers should know exactly what happened, what data was involved, and the potential risks they face as a result.
Marketer from Email Geeks shares: Be selective about whom you contact and exclude unsubscribes and spam complainers. Do batches. You may try to contact mailbox providers upfront. You may want to set up a dedicated subdomain for this particular sendout.
Email marketer from StackExchange shares the advice to include an apology, explain what happened and what data was affected, and what steps you are taking to fix the vulnerability. Also, suggest steps the user can take to protect themselves.
Email marketer from Github suggests the email should include a sincere apology, a clear explanation of what happened (avoiding technical jargon), a list of the specific data that was compromised, actions taken to secure the system, and steps the user can take to protect themselves.
Marketer from Email Geeks suggests proactively reaching out to some of the ISPs and giving them a heads-up about the upcoming email. It may not prevent all of the damage, but it could help.
Email marketer from Varonis advises to explain the incident, describe the impact and scope, explain what steps you’ve taken to remediate, and provide guidance for the recipient.
Marketer from Email Geeks shares that only individuals related to the data breach have to be contacted. Email is one way, but not the only one; also, the data should have been deleted.
Email marketer from Paubox advises to act quickly and transparently to inform customers about the data breach, and what specific measures they can take to protect themselves.
What the experts say (2 expert opinions)
Expert from Spam Resource explains it's important to tell people as soon as you know about the compromise, and what happened. Be honest, explain what you will do for them, and also do it. The important thing is to be transparent. If you don't let people know what's happening, they will be very angry at you.
Expert from Email Geeks recommends not sending all the mail at once: spread it out over time, don’t just drop a bomb of mail on everyone at once, and start with the most active addresses and then work backwards.
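The sending practice described by the Email Geeks contributors above (contact only affected people, suppress unsubscribes and spam complainers, batch the send over time starting with the most active addresses, and carry no links) can be turned into a simple send plan. This is an added example, not code from the page or from any of the sources it quotes; the function names, data layout and sample addresses are constructed for illustration.

```python
from datetime import datetime, timedelta
import re

# Hypothetical helper: breach notices should carry no links or calls to action,
# so refuse any body that contains a URL before it is handed to the sender.
URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


def body_has_no_links(body: str) -> bool:
    """True when the notice text contains no URL at all."""
    return URL_RE.search(body) is None


def build_send_plan(contacts, affected, suppressed, batch_size, interval, start):
    """Group affected, non-suppressed addresses into timed batches.

    contacts   -- dict: email -> datetime of the address's last activity
    affected   -- iterable of emails actually involved in the breach
    suppressed -- iterable of unsubscribed or spam-complaining emails
    Returns a list of (send_time, [emails]); most recently active first.
    """
    norm = lambda e: e.strip().lower()
    blocked = {norm(e) for e in suppressed}
    # Only people actually affected, never anyone who opted out or complained.
    eligible = {norm(e) for e in affected} - blocked
    # Most recently active addresses go into the earliest batches.
    ordered = sorted(eligible, key=lambda e: contacts.get(e, datetime.min), reverse=True)
    plan = []
    for i in range(0, len(ordered), batch_size):
        plan.append((start + (i // batch_size) * interval, ordered[i:i + batch_size]))
    return plan


# Constructed sample data (not real accounts).
NOW = datetime(2024, 1, 15, 9, 0)
SEND_INTERVAL = timedelta(hours=1)
CONTACTS = {
    "ana@example.com": NOW - timedelta(days=1),
    "bo@example.com": NOW - timedelta(days=40),
    "cy@example.com": NOW - timedelta(days=3),
    "di@example.com": NOW - timedelta(days=200),
    "ed@example.com": NOW - timedelta(days=10),
}
AFFECTED = ["Ana@example.com", "bo@example.com", "cy@example.com",
            "di@example.com", "ed@example.com"]
SUPPRESSED = ["bo@example.com"]  # unsubscribed or complained: never contacted
PLAN = build_send_plan(CONTACTS, AFFECTED, SUPPRESSED, 2, SEND_INTERVAL, NOW)
```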
What the documentation says (4 technical articles)
Documentation from Australian Government explains that data breach notification emails should include: the nature of the breach, the kind of information concerned, what the organisation has done to respond to the breach, and what steps individuals can take to protect themselves.
Documentation from GDPR explains that you must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. Communicate the personal data breach to the data subject when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
Documentation from ico.org.uk explains that you should clearly describe the nature of the personal data breach, communicate the name and contact details of your data protection officer or other contact point where more information can be obtained, describe the likely consequences of the personal data breach, and describe the measures taken or proposed to be taken to address the personal data breach, including measures to mitigate its possible adverse effects.
Documentation from Federal Trade Commission explains that the advisory offers five key steps for businesses to take following a breach: secure your systems, fix the vulnerabilities that led to the breach, notify law enforcement if a crime was committed, review the Fair Credit Reporting Act (FCRA), and notify affected individuals.