This is how you inform victims about a data breach

Is there a data breach in your own organisation? Or have you identified a data breach somewhere else in your environment and do you want to give the Dutch DPA a tip-off about it?

Directly reporting a data breach or giving a data breach tip-off 

Every data breach is different and requires a different approach. On this page you will find 8 recommendations with example texts. They will help you get started.

Note: It is your responsibility to draw up a clear warning message and to tailor your message to your specific situation. You are also obliged by law to do this.

Why is a clear warning message important?

A data breach may have very harmful consequences for the people whose data have been leaked.

• Have contact details been leaked? Then the victims are vulnerable to phishing. A phishing message looks like a message from your organisation, but is an attempt by criminals to scam your customers or contacts.
• Have passwords been leaked? Criminals can then log in to the accounts of victims, but also to other websites if victims use the same password.
• Have copies of identity documents been leaked? In that case, someone’s identity can be stolen. Every year, the Central Reporting Centre for Identity Fraud (CMI) receives around 7,000 reports of identity fraud.

Supervision by the Dutch DPA on warning messages

To prevent this kind of harmful consequences, it is very important that you inform the victims of a data breach in a proper manner. If you fail to do so, this may result in considerable (reputational) damage for your organisation as well. Besides, the Dutch Data Protection Authority (Dutch DPA) checks on a regular basis if organisations inform victims and how they do this.

8 recommendations for good warning messages

If you want to send a good warning message, pay attention to these 8 recommendations:

1. Communicate with the victims as soon as possible
2. Write a simple and clear text
3. Give a clear and complete description of what has happened
4. Indicate clearly which data have been leaked
5. Mention the probable consequences for victims
6. Where possible, give a specific advice to victims
7. Give a description of the measures that are taken by your organisation
8. Mention a point of contact that victims can turn to if they have questions

Below you will find explanations and examples.

1. Communicate with the victims as soon as possible

Let victims know without undue delay what has happened. If someone's data have been leaked, those may easily fall into the wrong hands. Avoid unpleasant consequences such as fraud and inform victims as soon as possible. Only then will they be able to take action as well.

Are you still investigating the data breach? And do you consequently not have all information yet? In that case, send a preliminary warning message first. Victims will then know that something has happened and can be alert to the abuse of their data. As soon as you know more about the data breach, you provide them with further information.

2. Write a simple and clear text

Make sure that the warning message can be understood by everyone. Use, for example:

• sentences of 10 words on average and no more than 15 words;
• few difficult words, and explain difficult words that you cannot avoid;
• clear subheadings;
• sufficient white space;
• enumerations instead of long sentences;
• the language of the country where the victims live.

Avoid jargon and provide the most important information immediately in a clear intro. Start by saying that a data breach has occurred. And that it has affected the personal data of the reader.

Split up a long sentence in several sentences, for example.

Wrong:

On 21 June, a data breach occurred within our organisation, which was the result of a ransomware attack and in which a number of your data, namely your name, email address and home address, were leaked.

Correct:

On 21 June, a data breach occurred at [name of your organisation]. Your name, email address and home address were leaked in this data breach. The data breach was caused by a ransomware attack. This means that criminals have your data now. We can no longer access the data. The attackers threaten to publish the personal data on the Internet.

Many victims are not familiar with terms such as ‘(spear) phishing’. Use as few of these kinds of terms as possible. Do you really not have an alternative for such a term? Then explain the term clearly.

Wrong:

Be extra alert to (spear) phishing in the coming period.

Correct:

Beware! Criminals may abuse your contact details. For fraud, for example.
They can send you an email that looks like a message from [name of your organisation]. This is called ‘phishing’. Because the criminals have your data, they can make the email look very personal. This makes the email seem reliable. You are asked to transfer money, for example. Or to click a link. If you do this, you may be scammed.

It is very important that victims open your warning message quickly and read it carefully. For this reason, put an alarming title in the subject line.

Wrong:

Subject: Information about your privacy

Correct:

Subject: Important: data breach involving your personal data

3. Give a clear and complete description of what has happened

Say in the warning message what kind of data breach it concerns. For example: a ransomware attack, phishing, or a letter that was sent to the wrong address. 

Is it still unclear what has happened? Say this too. And indicate when you will give the victims more information. Aa soon as the investigation into the data breach has been completed, for example. Also indicate if the data have fallen into the hands of unauthorised persons, have been lost, or that you can no longer access the data.

This text does not say clearly what type of data breach it concerns and what exactly has happened.

Wrong:

What has happened?
We regret to inform you that organisation has been faced with a data breach involving information of customers of [name of your organisation]. As a result, customer data may have ended up with third parties that could abuse them.

Correct:

What has happened?
There has been at data breach at [name of your organisation]. Information of our customers has been leaked. This was caused by a ransomware attack. As a result, we no longer had access to our system. The attacker also threatens to publish the personal data on the Internet. We are not yet certain if your personal data have also been leaked. We are still investigating this. You will receive more information within [period].

4. Indicate clearly which data have been leaked

Be as specific as possible about which data have been leaked (for example: name and address). Do not only mention the categories (for example: name and address details). Words like ‘for example’ or ‘such as’ may cause confusion for the victims.

Are there differences in which data of people have been leaked? Then identify as quickly as possible which situation applies for which victims. And draw up different warning messages for them.

Are you not (yet) certain which data have been leaked? Then indicate why this is unclear. And when you will be able to give the victims more information about this.

Wrong:

Which data have been leaked?
It is possible that your data have been leaked. This concerns data such as your name and address details and contact details.

Correct:

Which data have been leaked?
We do not yet exactly know which of your data have been leaked. We are still investigating this. You will receive more information within [period].

Probably, the following data of you have been leaked:
- name;
- telephone number;
- email address;
- citizen service number (BSN).

5. Mention the probable consequences for victims

Data breaches may result in the abuse of data. Through phishing, for example. Are there likely to be consequences for victims? Then you have to tell them which. And how they can protect themselves.

Wrong:

What does this mean for you?
Because your contact details have been leaked, you are vulnerable to phishing in the coming period.

Correct:

What does this mean for you?
Criminals may abuse your contact details. For fraud, for example.

They can send you an email that looks like a message from [name of your organisation]. This is called ‘phishing’. Because the criminals have your data, they can make the email look very personal. This makes the email seem reliable. You are asked to transfer money, for example. Or to click a link. If you do this, you may be scammed.

Criminals can also call you. The criminal then poses as a bank employee or a relative, for example. Are you asked to transfer money, provide passwords or download software on your computer? Do not do that. You may be scammed. Check therefore with your bank or relative first if they have really called you.

Answer these questions:

• Is there a risk of immaterial damage? Such as reputational damage, or exclusion? Or is there a risk of physical or material (financial) damage?
• Are personal data in the hands of a malicious person? A hacker, for example? If so, is there a risk of phishing or identity fraud?
• Have the personal data been returned to you in the meantime, or have they been destroyed by the party that wrongly received the data?
• Have contact details been leaked? And if so, how exactly can criminals use those data?

If passwords have been leaked, criminals can log in to other sites where victims use the same password. Explain that it is safer to use different passwords. And have people change their password for your website of customer environment.

Correct:

What does this mean for you?
Criminals can log in to your account. Do you use the same password on other websites? Then criminals can log in to those sites too. They can, for example, buy products in your name in online shops. Or view data in your account.

If copies of identity documents have been leaked, there is a risk of identity fraud. Clearly explain what identity fraud is and what someone can do.

Correct:

What does this mean for you?
Criminals can use a copy of your identity document to buy things, apply for a loan or sign a contract in your name.

Do you want more information about identity fraud? Or do you think that you have become a victim of identity fraud? Then you can contact the Central Reporting Centre for Identity Fraud(CMI).

6. Where possible, give a specific advice to victims

Does a data breach result in an immediate risk? If yes, provide victims with a clear and appropriate advice about how they can protect themselves. This advice depends on the situation. Victims can also look at: Victim of a data breach? This is what you can do.

Wrong:

What can you do yourself?
Be alert to phishing in the coming period.

Be as clear and specific as possible. A general warning for phishing is not enough. Tell victims how they can recognise suspicious messages. And what they absolutely must not do.

Correct:

What can you do yourself?
Pay careful attention in the coming period when opening links in emails, text messages and WhatsApp messages. You can recognise a suspicious email, text message or WhatsApp message by typing errors and unknown senders. Check the telephone number. Or what comes after the ‘@’ sign of an email address.

Do you get a telephone call? It could be that a real employee of your bank or another company is calling. You can check this by asking for the name of the employee and the general telephone number of the company. Indicate that you want to check if the person is a real employee and hang up. Check on the website of the company if the number is correct. Is the number correct? Then call yourself and ask for the employee who spoke to you.

Never give your password or pin code to someone.

Have passwords been leaked in the data breach? Then people have to adjust their password on every website on which they use this password.

Wrong:

What can you do yourself?
You have to adjust your password on our website.

Correct:

What can you do yourself?
Change your password on our website. Do you use the same password on other websites? Then change it there too. Choose a strong password that is not easy to guess. And use a different password for each account. You can store your passwords in a password manager. Then you do not have to learn all difficult or long passwords by heart.

Have full copies of identity documents been leaked in the data breach? That means: documents on which all data were visible, such as the BSN and the passport photo? And was there a cyber incident? In that case, victims have to report this to their municipality to prevent identity fraud.

Correct:

What can you do yourself?
Report to your municipality that a copy of your identity document has been leaked and apply for a new identity document. In this way, you prevent abuse of your personal data.

The Dutch DPA advises to refer victims to:

• information from the police about identity fraud (in Dutch);
• information from the Dutch central government about identity fraud .

7. Give a description of the measures that are taken by your organisation

You have to let victims know which measures you take to close the data breach and to prevent future data breaches.

Wrong:

Which measures have been taken?
When the data breach was discovered, we took measures to close the breach and prevent similar breaches in the future.

Do not only mention that measures have been taken, but also which measures. Does it concern technical measures? Explain them in simple and clear language. Did you ask external parties for advice? Then also say what that advice entails.

Correct:

Which measures did we take?
Our IT specialists have immediately removed the criminals from the system. We have also introduced multifactor authentication for extra security of our system. This means that from now on, you will receive a code by text message or email every time you log in to your account. This way, we are certain that the person logging in to your account is you.

As a precaution, you have to change your password. We have also reported the data breach to the Dutch Data Protection Authority (Dutch DPA).

Correct:

Which measures did we take?
We have updated our customer records and removed old addresses. We can therefore no longer accidentally send your post to your old address. In addition, we have contacted the person who received your letter. That person has destroyed the letter. We have also reported the data breach to the Dutch Data Protection Authority (Dutch DPA).

8. Mention a point of contact that victims can turn to if they have questions

A warning message can raise a lot of questions. That is why you should already answer as many questions as possible in your warning message. And indicate how victims can contact your organisation. Through your Data Protection Officer (DPO), for example.

Wrong:

Do you have any questions?
In case you have questions regarding this email, you can contact us.

Correct:

Do you have questions?
Contact us by:
- telephone [telephone number];
- email [email address];
- or chat: [link].