Notify Appropriate Parties

Notify Appropriate Parties

Notify Appropriate Parties

When your business experiences a data breach, notify law enforcement, other affected businesses, and affected individuals.

Determine your legal requirements.

Most states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply to your situation. Check state and federal laws or regulations for any specific requirements for your business.

Notify Law Enforcement

Call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be. If your local police aren’t familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service. For incidents involving mail theft, contact the U.S. Postal Inspection Service.

Did the breach involve electronic health information?

Then check if you’re covered by the Health Breach Notification Rule. If so, you must notify the FTC and in some cases, the media. Complying with the FTC’s Health Breach Notification Rule explains who you must notify, and when.

Also, check if you’re covered by the HIPAA Breach Notification Rule. If so, you must notify the Secretary of the U.S. Department of Health and Human Services (HHS) and in some cases, the media. HHS’s Breach Notification Rule explains who you must notify, and when.

Health Breach Resources HIPAA Breach Notification Rule: hhs.gov/hipaa/for-professionals/breach-notification
HHS HIPAA Breach Notification Form: hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting
Complying with the FTC’s Health Breach Notification Rule: ftc.gov/healthbreachnotificationrule

Notify Affected Businesses

If account access information—say, credit card or bank account numbers—has been stolen from you, but you don’t maintain the accounts, notify the institution that does so it can monitor the accounts for fraudulent activity.

If you collect or store personal information on behalf of other businesses, notify them of the data breach.

If names and Social Security numbers have been stolen, contact the major credit bureaus for additional information or advice. If the compromise may involve a large group of people, advise the credit bureaus if you are recommending that people request fraud alerts and credit freezes for their files.

Equifax: equifax.com or 1-800-685-1111

Experian: experian.com or 1-888-397-3742

TransUnion: transunion.com or 1-888-909-8872

Notify Individuals

If you quickly notify people that their personal information has been compromised, they can take steps to reduce the chance that their information will be misused. In deciding who to notify, and how, consider:

state laws
the nature of the compromise
the type of information taken
the likelihood of misuse
the potential damage if the information is misused

For example, thieves who have stolen names and Social Security numbers can use that information not only to sign up for new accounts in the victim’s name but also to commit tax identity theft. People who are notified early can take steps to limit the damage.

When notifying individuals, the FTC recommends you:

consult with your law enforcement contact about the timing of the notification so it doesn’t impede the investigation.
designate a point person within your organization for releasing information. Give the contact person the latest information about the breach, your response, and how individuals should respond. Consider using letters (see sample on page 10), websites, and toll-free numbers to communicate with people whose information may have been compromised. If you don’t have contact information for all of the affected individuals, you can build an extensive public relations campaign into your communications plan, including press releases or other news media notification.
consider offering at least a year of free credit monitoring or other support such as identity theft protection or identity restoration services, particularly if financial information or Social Security numbers were exposed. When such information is exposed, thieves may use it to open new accounts.

Most states have breach notification laws that tell you what information you must, or must not, provide in your breach notice. In general, unless your state law says otherwise, you’ll want to:

clearly describe what you know about the compromise. Include:
- how it happened
- what information was taken
- how the thieves have used the information (if you know)
- what actions you have taken to remedy the situation
- what actions you are taking to protect individuals, such as offering free credit monitoring services
- how to reach the relevant contacts in your organization

Consult with your law enforcement contact about what information to include so your notice doesn’t hamper the investigation.

Tell people what steps they can take, given the type of information exposed, and provide relevant contact information. For example, people whose Social Security numbers have been stolen should contact the credit bureaus to ask that fraud alerts or credit freezes be placed on their credit reports and contact the IRS Identity Protection Specialized Unit at 1-800-908-4490. See IdentityTheft.gov/databreach for information on appropriate follow-up steps after a compromise, depending on the type of personal information that was exposed. Consider adding this information as an attachment to your breach notification letter, as we’ve done in the model letter on page 10.
Include current information about how to recover from identity theft. For a list of recovery steps, refer consumers to IdentityTheft.gov.
Consider providing information about the law enforcement agency working on the case, if the law enforcement agency agrees that would help. Identity theft victims often can provide important information to law enforcement.
Encourage people who discover that their information has been misused to file a complaint with the FTC, using IdentityTheft.gov. This information is entered into the Consumer Sentinel Network, a secure, online database available to civil and criminal law enforcement agencies.
Describe how you’ll contact consumers in the future. For example, if you’ll only contact consumers by mail, then say so. If you won’t ever call them about the breach, then let them know. This information may help victims avoid phishing scams tied to the breach, while also helping to protect your company’s reputation. Some organizations tell consumers that updates will be posted on their website. This gives consumers a place they can go at any time to see the latest information.

Model Letter

The following letter is a model for notifying people whose names and Social Security numbers have been stolen. When Social Security numbers have been stolen, it’s important to advise people to place a free fraud alert on their credit reports. A fraud alert may hinder identity thieves from getting credit with stolen information because it’s a signal to creditors to contact the consumer before opening new accounts or changing existing accounts.

Also, advise consumers to consider placing a credit freeze on their file.

[Name of Company/Logo] Date: [Insert Date]
NOTICE OF DATA BREACHi
Dear [Insert Name]: We are contacting you about a data breach that has occurred at [insert Company Name].
What Happened? [Describe how the data breach happened, the date of the breach, and how the stolen information has been misused (if you know)].
What Information Was Involved? This incident involved your [describe the type of personal information that may have been exposed due to the breach].
What We Are Doing [Describe how you are responding to the data breach, including: what actions you’ve taken to remedy the situation; what steps you are taking to protect individuals whose information has been breached; and what services you are offering (like credit monitoring or identity theft restoration services).]
What You Can Do We recommend that you place a fraud alert on your credit file. A fraud alert tells creditors to contact you before they open any new accounts or change your existing accounts. Call any one of the three major credit bureaus. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts. The initial fraud alert stays on your credit report for one year. You can renew it after one year.
Equifax: equifax.com or 1-800-685-1111
Experian: experian.com or 1-888-397-3742
TransUnion: transunion.com or 1-888-909-8872
Request that all three credit reports be sent to you, free of charge, for your review. Even if you do not find any suspicious activity on your initial credit reports, the Federal Trade Commission (FTC) recommends that you check your credit reports periodically. Thieves may hold stolen information to use at different times. Checking your credit reports periodically can help you spot problems and address them quickly.
If your personal information has been misused, visit the FTC’s site at IdentityTheft.gov to get recovery steps and to file an identity theft complaint. Your complaint will be added to the FTC’s Consumer Sentinel Network, where it will be accessible to law enforcers for their investigations.
You also may want to consider contacting the major credit bureaus at the telephone numbers above to place a free credit freeze on your credit file. A credit freeze means potential creditors cannot get your credit report. That makes it less likely that an identify thief can open new accounts in your name.
We have enclosed a copy of Identity Theft: A Recovery Plan, a comprehensive guide from the FTC to help you guard against and deal with identity theft. We’ve also attached information from IdentityTheft.gov about steps you can take to help protect yourself from identity theft, depending on the type of information exposed.
Other Important Information
[Insert other important information here.]
For More Information Call [telephone number] or go to [Internet website]. [State how additional information or updates will be shared/or where they will be posted.]
[Insert Closing] [Your Name]

Consider attaching the relevant section from IdentityTheft.gov, based on the type of information exposed in the breach. This is for a data breach involving Social Security numbers. There is similar information about other types of personal information.

Optional Attachment

FEDERAL TRADE COMMISSION IdentityTheft.gov

What information was lost or exposed?

Social Security number

☐ If a company responsible for exposing your information offers you free credit monitoring, take advantage of it.
☐ Get your free credit reports from annualcreditreport.com. Check for any accounts or charges you don’t recognize.
☐ Consider placing a credit freeze. A credit freeze makes it harder for someone to open a new account in your name.
- If you place a freeze, be ready to take a few extra steps the next time you apply for a new credit card or cell phone —or any service that requires a credit check.
- If you decide not to place a credit freeze, at least consider placing a fraud alert.
☐ Try to file your taxes early — before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.
☐ Don’t believe anyone who calls and says you’ll be arrested unless you pay for taxes or debt — even if they have part or all of your Social Security number, or they say they’re from the IRS.
☐ Continue to check your credit reports at annualcreditreport.com. You can order a free report from each of the three credit reporting companies once a year.