Whether through a mistake, a disgruntled employee, or a hacker, security and privacy experts agree that it’s not a matter of if you and your business will experience a data breach or data “incident” that requires notifying affected users, it’s a matter of when.

What should you say? How should you say it? Striking the balance between taking responsibility and expressing empathy, while reassuring customers and not exposing your company to additional liability, can be confusing, especially when facing notification deadlines in various U.S. states.

We’ve taken the guesswork out of what a formal notification to users whose data was breached should look like. You should, of course, look up the requirements for the state in which the user is a resident or your business is headquartered, and for the type of data hacked or accidentally disclosed.

Data breach laws by state: https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Additional Industry-Specific U.S. Privacy Laws

HIPAA (Health Insurance Portability and Accountability Act of 1996, Public Law 104-191)

GLBA (Gramm-Leach-Bliley Act)

COPPA (Children’s Online Privacy Protection Act)

FERPA (Family Educational Rights and Privacy Act)