Data breach tracking site has hundreds of samples of real data breach notification letters to state AGs
Sample letters, while a good idea, may be problematic because laws get updated
Many US states require that customers be notified when their personal or other sensitive data is exposed to outsiders. Most states (but not all) provide a safe harbor if the data was encrypted: if, for example, drive encryption software like AlertBoot was in use on a stolen laptop, the people whose personal information was on that computer need not be notified. (Such safe harbors generally assume the encryption key was not compromised along with the device, so a laptop with its passphrase taped to the lid would not qualify.)
However, most companies practice "closing the barn door after the horse has bolted" encryption: the software is typically rolled out company-wide only after a breach has already happened. Hence, there is a real need to know how to write these letters.
The Open Security Foundation has been compiling information on security breaches from across the world, including the notification letters that corporate lawyers send to state Attorneys General (which, depending on the state, makes those letters public records).
As the OSF notes: "This is where the Primary Sources Archive can really help business of all sizes. We have samples of thousands of data breach notification letters, issued from companies big and small to various states in compliance with law."
The one problem is that states update their laws all the time, so a letter that was compliant when it was filed may not be compliant today.
For example, most states currently have no legislation specifying what an information security breach notification letter must contain. It's not unusual to find one company's letter that essentially says "We had a breach. Your information was included. Don't worry," filed with the same state AG as a far more informative letter from another company along the lines of "On such-and-such a date, an unencrypted laptop was stolen from the back of an employee's car, yadda yadda yadda. Do worry."
This inconsistency exists because nothing regulates what a breach notice must include. States are wising up to the thinner notices, though. California's SB 20, if it passes, would require that breach notices be "written in plain language" and include the "types of personal information...subject of a breach," "the date of the breach," "whether notification was delayed [due to] law enforcement investigation," "a general description of the breach," and other items.
So, someone who copies a past notification letter from the OSF database may send out the wrong sort of breach notice, and be in breach of the law, depending on timing, state, and luck.
My advice: consult the site above, but hire a lawyer (or, rather, have your lawyer consult the site and review the letter before it goes out). And don't forget to deploy encryption before the breach rather than after it.
Related Articles and Sites:
http://datalossdb.org/incident_highlights/34-data-breach-notification-letters