I just received a notice of a data security incident and wanted to rate it for you against a set of criteria so you can improve your notice writing.
- The Introduction should explain the purpose of the notice, assess the importance of data security to you, and give you a brief overview of the incident. Rating: A. Each item is covered.
- The Incident Description must state the date, time, and timespan of the incident, the nature of the incident (e.g., data breach, unauthorized access), how the incident was discovered, and the scope of the incident (e.g., types of data compromised, number of affected individuals). Rating: C. It took a paragraph to get to the date, time, and timespan and three paragraphs to get to the scope and the fact that I was affected.
- The Actions Taken section must outline the immediate steps taken to mitigate the incident, the investigation process, and steps taken to prevent future incidents. Rating: C. There is no mention of steps taken to prevent future incidents, which is what restores confidence.
- The Impact Assessment section must outline the potential impact and consequences on affected individuals and measures taken to assist affected individuals. Rating: C. While there is a mention of things they had already done before the breach, there is no mention of anything new they have done or intend to do to prevent or better handle a similar incident.
- The Contact Details For Inquiries or Concerns section must include the channel (e.g., email, letter, chat) and timeline of availability to pose inquiries or concerns. Rating: A. All required information is provided, including information that must be provided on contact, i.e., the reference number.
- The What You Can Do section must include steps affected individuals can take to protect themselves (e.g., changing passwords, monitoring credit) and resources for additional assistance (e.g., credit monitoring services). Rating: C. All the requisite information was included; however, instead of a QR code to take immediate action, a long URL and a long number to type in were included, making it harder to take immediate action.
- The Demonstration of Regulatory Compliance section must show proof of compliance with relevant data protection laws and regulations, including proof of required incident notification to regulatory bodies or authorities. Rating: F. No information included.
- The Apology and Assurance section must include an apology for the inconvenience caused and a reassurance of commitment to data security and privacy. Rating: D. The apology was up front but not at the end, and no reassurance of commitment to data security and privacy was reiterated.
- The Conclusion section should recap key points and include closing remarks. Rating: F. Missing.
- There should be Attachments or Links to Additional Incident-Related Documents or Resources (e.g., FAQs, the incident report). Rating: F. Missing.
Get CCC training and certification today to learn about this and other best practices for handling critical situations. Contact Acceleres today for coaching on how to tailor your notice templates to ensure you include clarity, completeness, and a demonstration of transparency and empathy that you will need to land your message and rebuild trust when a data security incident strikes you.
#cccfoundation #criticalsituationhandling