By Eduard Goodman,

The news is bad: Your company suffered a data breach. Don’t make it worse by sending out a confusing, overly technical or outright alarming letter to your customers.

In 46 states, companies that have suffered a data breach are required to send letters to all affected parties whose personal identifying information has been compromised. These letters must comply with state laws, but compliance doesn’t mean the letters have to read like legalese or cause undue panic. The goal is to inform, educate and reassure your customers, not bore or scare them. You want—and need—them to read it, so how do you make the letter as helpful and appealing as possible? Check out these 4 tips:

  1. Think carefully about voice and tone. What is the company’s persona, and how can you remain consistent with it while also conveying the necessary information? Softening the language, keeping it straightforward, concise and reader-friendly, goes a long way toward reassuring customers that you’re going to take care of them.
  2. Tell your customers as much as you can about the data breach incident (unless you’re in a state whose law doesn’t allow you to). The method of loss is often as important as the breach itself. If a laptop with sensitive data was stolen from a car, odds are the thieves only wanted the computer. But if a company database was hacked, that’s another story. Customers deserve to know this information. The more forthright you are, the more convincing and reliable you are when you promise to clean up the mess—and when you encourage them to accept credit monitoring and identity theft protection. Also, why tie up phone lines and service reps with unnecessary calls when you can address these questions up front?
  3. Consider your audience. If most of your customers fit a certain profile—perhaps they’re under 18 or senior citizens, or their primary language is a language other than English—then you’ll need to draft your letter accordingly, because the usual steps may not apply (parents can’t monitor a minor child’s credit when the child doesn’t have a credit file, for example). Consider sending the letter in English and any other relevant languages to ensure that they’ll read and understand it.
  4. Make it readable. Draft an outline and use the high-level bullet-points as boldfaced topic headings in your letter. People tend to skim these kinds of communications, so keep it short and clear, and make it easy for them to spot the important stuff—they’ll be more likely to get your message.

Remember: You don’t want to simply comply—you want to communicate. Let your customers know that you made a mistake, you care about them, and you’re going to make it right. After a data breach, a letter that strikes the wrong tone or doesn’t convey the right information can convince people to take their business elsewhere. Don’t lose your customers—stand behind them.


Eduard Goodman, Chief Privacy Officer,
An internationally trained attorney and privacy expert, Eduard has more than a decade of experience in privacy law, fraud and identity management. He is a member of the state bar of Arizona and served as the 2008-2009 section chair of the bar’s Internet, E-Commerce & Technology Law Practice Section.

