How to Write a Data Breach Notification Email in English
Learn the English vocabulary and structure for notifying affected users and regulators about a data breach — accurate, legally careful, and honest without causing unnecessary panic.
A data breach notification carries legal weight, not just reputational stakes — the wording can affect regulatory compliance and even legal liability. This isn’t a place for marketing language or vague reassurance; it needs to be precise about what happened, what data was involved, and what the recipient should actually do.
Key Vocabulary
Scope of the breach — the precise boundary of what was and wasn’t affected, stated explicitly to avoid both understating risk and causing unnecessary alarm about data that was never actually exposed. “The scope of this breach is limited to email addresses and hashed passwords for accounts created before March 2024 — payment information and unhashed credentials were not part of the exposed dataset.”
Data categories affected — the specific types of personal data involved, listed explicitly rather than summarized vaguely, since regulators and affected users both need to know precisely what to act on. “The data categories affected are: full name, email address, and shipping address. Social security numbers, payment card details, and passwords were stored in a separate system that was not accessed.”
Containment status — a statement of whether the vulnerability that caused the breach has been closed, which is one of the first questions any recipient or regulator will have and needs to be answered directly, not implied. “The vulnerability that allowed this access has been fully patched as of 14:32 UTC on July 3rd. We’ve also rotated all credentials that could have been affected by this exposure.”
Recommended action — the specific, actionable steps you’re asking the recipient to take, stated as concrete instructions rather than general advice, since vague guidance leaves people either doing nothing or overreacting. “We recommend you reset your password using the link below, and enable two-factor authentication if you haven’t already. No other action is required at this time.”
Common Phrases
- “We are writing to inform you of a security incident that may have affected your account.”
- “The scope of this incident is limited to [specific data], and we can confirm that [specific data] was not affected.”
- “As of [date and time], the vulnerability responsible for this incident has been fully contained.”
- “We recommend the following steps: [specific, numbered actions].”
- “We take full responsibility for this incident and are committed to [specific concrete commitment, not a vague promise].”
Example Sentences
Opening a breach notification honestly and without evasive language: “On July 2nd, we discovered unauthorized access to a database containing customer account information. We are writing to inform you directly, as your account was among those affected.”
Stating scope precisely to avoid over- or under-stating risk: “To be specific about what was and wasn’t exposed: names and email addresses were accessed. Passwords remained encrypted throughout and were not compromised, and no payment information is stored on our systems at all.”
Closing with concrete next steps: “We recommend resetting your password as a precaution, even though your password itself was not exposed. You do not need to take any other action, and we will update this notice if our investigation reveals anything additional.”
Professional Tips
- State the scope of the breach as precisely as your investigation currently supports — don’t round up to sound thorough or round down to sound reassuring; both erode trust the moment the full picture becomes known.
- List data categories affected explicitly, item by item, rather than as a general phrase like “personal information” — regulators specifically require this level of specificity, and vague language reads as evasive to recipients.
- Always include a containment status with a timestamp — “we’re looking into it” leaves the reader wondering if they’re still at risk right now, while a specific containment time answers that directly.
- Give a short, specific recommended action list, capped at what’s genuinely necessary — burying a real action item (like resetting a password) in a long paragraph of reassurance means many recipients will miss it.
- Have legal or compliance review the notification before sending, especially language around fault or liability — this is one of the few blog-post-teachable email types where wording genuinely has downstream legal consequences beyond tone.
Practice Exercise
- Write an opening sentence for a breach notification that is honest without being alarmist.
- Draft a scope statement distinguishing data that was exposed from data that was not.
- Write a two-item recommended action list for affected users.