How to Effectively Notify Customers About a Data Breach

What once was an occasional security nightmare has become more frequent than many of us would like to admit. According to the Identity Theft Resource Center, in 2018 alone there were 1,244 reported data breaches and 446,515,334 exposed records. Although it’s never a company’s intention to have its database breached, the regularity of these occurrences should give publishers and marketers pause and motivate us to consider how we would react if our brand were targeted.

As a publisher, you’ve worked tirelessly to ensure your email program and newsletters are the best they can be, following all best practice recommendations to gain your subscribers’ trust and ultimately build brand loyalty. Sending an email notifying your customers that they’ve been betrayed is daunting, and all parties involved would agree that data breaches in general are already stressful enough.

In addition, when these breaches do occur there are oftentimes feelings of shame and reluctance to notify impacted subscribers, which places the email notification lower on the list of priorities. Even a root canal sounds more enjoyable than sending a data breach notification email to subscribers! Unfortunately, it would be an even bigger misstep to avoid the opportunity to reach out to customers during this critical time. Optimize this opportunity to demonstrate that your customer is your highest priority and that your company is working tirelessly to resolve the situation.

After analyzing a number of data breach notification emails, below is a list of the do’s and don’ts from a customer experience standpoint. Following these best practices will ensure the best experience possible (given the situation) in order to restore your customers’ trust. Keep in mind that you will most likely have to send to your entire subscriber list, so be sure to check out these tips from Return Path on how to send to an older list.

Note, if your company does experience a breach, your first resource should be your lawyer. While the tips below can help improve subscriber perception, they are no substitute for legal advice.

What to Do When Sending a Data Breach Notification to Customers

  • Read the virtual room. This step is often overlooked, but it is important for recognizing what the appropriate sentiment of your email should be. At this point, customers may feel betrayed, vulnerable and suspicious. They trusted you with their information, and now that information has been exposed. While keeping a serious, calm tone is important (to avoid mass panic), also remember to be sincere, apologetic and helpful.
  • Keep it in layman’s terms. Remember that your subscribers are not lawyers. An analysis by Atlassian shows the importance of using plain English when discussing the situation. A data breach is scary enough without having to read an email that makes absolutely no sense to the average recipient. While some legal jargon might be unavoidable, try to keep the language as clear and simple as possible.
  • Provide as much information as possible. If your data breach is part of an ongoing investigation, providing the full story to customers is nearly impossible. With that said, some type of information is warranted from your customers’ standpoint since it’s their information that was exposed. In any case, try to provide the 5 W’s: Who, What, Where, When, Why (or How).
  • Include headlines for each topic. This email is probably going to be very long and very text heavy. During times of panic, most subscribers are likely to skim the email to get a general idea of what is going on. Make skimming easier for them by using bolded headlines that focus the subscriber’s attention on the key elements that matter most to them.
  • Provide recommended next steps. If you are aware of the information that is exposed (such as credit card information, address, etc.), be sure to include next steps on what customers can do to protect themselves so they don’t feel like you’ve left them high and dry.
    • Companies like British Airways recommended that customers contact their bank or credit card companies, and even offered a 12-month membership to Experian ProtectMyID (with sign-up instructions provided directly in the email).

What NOT to Do When Sending a Data Breach Notification to Customers

  • Probably not a good time to use humor. Unlike an “oops” email you send to subscribers when you’ve accidentally sent the wrong email and there are no real consequences to the subscriber, data breaches can have a major impact on the subscriber’s actual life. Using humor can imply that you aren’t taking the situation seriously and rub customers the wrong way.
  • Lack of brand recognition. Your customers are in an extremely vulnerable state, which means their suspicions are going to be naturally elevated. Make sure that the branding of your email is easily recognizable, and that the friendly from line, as well as the sending domain, align with the rest of your emails.
  • Personalization is not key. While personalization drives increased engagement for all other mail streams, a breach notification email is not the appropriate time or place. Subscribers already feel exposed, and using personalized content can indicate to subscribers that you don’t take privacy seriously by continuing to use personal information in the email. For these emails specifically, use “Valued Guest” or “Customer” rather than first name personalization.
  • Try to avoid using links within the email. Similar to the point above, you are notifying subscribers that their information is compromised. The likelihood that they are going to click on the links within the email is pretty minimal. Try to avoid using links within the email, and definitely don’t use link shorteners.
  • Use sending domains that are hosted by the brand, not a third party service. Learn from those who have endured this before you, and some of the mistakes they’ve made. For example, according to a recent TechCrunch article, Marriott used a third-party maintained domain to deploy password update request emails. While this is OK during non-emergency periods, sending from this domain for data breach notifications raised even more suspicion, especially because the domain didn’t have an identifying HTTPS certificate.
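As an added example that is not part of the original article, the following Python script lints a plain-text draft against the brand-alignment and link rules above: the sender domain must sit under the brand’s own domain, the salutation must not use a first name, and links (which the article prefers to avoid entirely) must not be shorteners, off-brand, or non-HTTPS. The sample draft, names, addresses and domains are all constructed, and the registrable-domain helper is a deliberate simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed draft of a breach notification; every address, name and URL is invented.
SAMPLE_DRAFT = """\
From: Example Co Support <support@notices-example.net>
Subject: Important security notice about your account

Dear Tori,

WHAT YOU CAN DO
Review your statements and read more at http://bit.ly/notice or
https://www.example.com/security-notice
"""
# Public URL shorteners the article says never to use in these emails.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
ALLOWED_SALUTATIONS = {"Customer", "Valued Guest"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def registrable(host):
    """Last two labels of a hostname (a real deployment would use the Public Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def lint_notification(raw, brand_domain):
    """Return (code, detail) findings for a plain-text draft against the do's and don'ts."""
    msg = message_from_string(raw)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if registrable(sender_domain) != brand_domain:  # "use domains hosted by the brand"
        findings.append(("third-party-sender", sender_domain))
    body = msg.get_payload()
    greeting = re.search(r"^Dear ([^,\n]+),", body, re.MULTILINE)
    if greeting and greeting.group(1) not in ALLOWED_SALUTATIONS:  # no first-name personalization
        findings.append(("first-name-personalization", greeting.group(1)))
    links = URL_RE.findall(body)
    if links:  # the article prefers no links at all, so flag any that remain
        findings.append(("contains-links", str(len(links))))
    for url in links:
        host = registrable(urlparse(url).hostname or "")
        if host in SHORTENERS:
            findings.append(("link-shortener", url))
        elif host != brand_domain:
            findings.append(("off-brand-link", url))
        if not url.startswith("https://"):  # a domain without HTTPS invites further suspicion
            findings.append(("non-https-link", url))
    return findings
```

Run `lint_notification(SAMPLE_DRAFT, "example.com")` to see the constructed draft fail on the sender domain, the salutation and the shortened HTTP link; an empty list means the draft passes every check here.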

In the world we live in today, data breaches seem unavoidable. As daunting as the overall situation is, sending a notification email becomes one of the most critical steps to mitigate further damage and regain customer trust. This email will now and forever be ingrained as a part of a subscriber’s experience with a company, and should not be taken lightly.


As an associate email strategist on Return Path’s Professional Services team, Tori Garcia thrives on building relationships between the brand and consumer by helping brands creatively optimize their email program. After starting her professional career as a data analyst, Tori transitioned to the world of email marketing where she has focused on improving overall deliverability and ROI for clients from various industries including B2B, travel, and finance.

