Been Breached? A Response Plan

Should victims of a data breach be notified? This situation can be confusing due to various state laws. Certain issues must be considered, including differences among state laws. Differences include what exactly defines personally identifiable information; which agency (e.g., law enforcement, credit reporting) should be alerted; when victims should be notified; and what the notification letter should say.

4DLegal counsel can tell you what level of notification you’re entitled to. Not every data breach case requires that consumers or businesses be alerted. But not alerting has its own set of negative consequences.

When an incident does require notification, the information that follows must be considered: (these are general guidelines – review any and all steps with your attorney)

  • Treat all victims equally; all get notified, even if this means out of state. Not doing so can yield legal consequences or the media might pounce.
  • Though there aren’t really any notification laws regarding overseas victims, they too should be notified.


The sooner victims are alerted, the better. Under what circumstances, though, should victims be notified? The nature of the breach should be considered, along with type of information stolen and whether or not it may be misused, and the possible fallout of this misuse.

Damage from misuse can be significant, such as with stolen SSNs and names.

When in doubt, consult with legal counsel. Don’t be surprised if you’re informed that breached consumers must be notified; most states require this. And within 30 days. Some states mandate that the Attorney General’s office also be notified.

FTC Recommendations for Notification

  • Inform law enforcement when notification takes place so they don’t cross lines with it.
  • Also find out from them precisely what information the consumer notification should contain.
  • Select someone from your organization to manage release of information.
  • This contact individual should be given updated information concerning the breach, plus your official response, as well as guidelines for how victims should respond.
  • To aid victims’ communication options, consider providing a toll-free number, posting a website or mailing letters.
  • Explain clearly to victims just what you know of the breach. How did it happen? What information was stolen or compromised? How might the thieves misuse it? What actions have the organization taken for mitigation? What reactions are appropriate?
  • Make sure victims know how to reach the contact person.
  • Make sure the law enforcement official who’s working your case has contact information for victims to use.The officer should also know that you’re sharing this contact information.
  • Victims should ask for a copy of the police report, then make copies to give to credit card companies that have honored unauthorized charges.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.