Dealing with a Security Breach - Sample Letter
Purpose of This Module
The purpose of this module is to provide information on what would be considered an appropriate response or notification of a data breach. You should not take this step without notifying your supervisor first and receiving his/her go-ahead. This information is provided as a sample of what may be done or could be done in the event of a data security breach.
Re: Stolen Confidential Data
A laptop computer in the ORGANIZATION NAME, which contained personal information for POPULATION AFFECTED, was stolen on DATE. You are receiving this notification because your name, LIST SPECIFIC INFORMATION COMPROMISED HERE were included in the stolen personal information.
The laptop held confidential information. A vehicle was broken into by unknown parties and stolen. It is believed that the perpetrator(s) was targeting the laptop computer, not the personal information it contained. The stolen computer contained information on POPULATION, including their CONFIDENTIAL INFORMATION. The confidential data files were not encrypted at the time of the theft, thus allowing unauthorized use of this data. At present, we are not aware of any misuse of information but will update you on developments in the case they occur.
We were advised that there was a reasonable probability that the crime would be solved quickly and the information recovered. However, we want to make you aware of the potential consequences. To that end, we are taking steps to prevent future incidents of this type.
1. A web site has been developed to give you online access to information at http:// .
2. Require full encryption of all personal information stored on departmental computer systems. We will also require all ORGANIZATIONS to review personal data stored on computer equipment and to remove all unessential data.
3. Conduct an immediate internal audit of how the department handles all personal information. This audit will examine the security of the systems, the policies and practices regarding access and use of such information, and the policies for ensuring that such data are gathered and/or retained only when imperative. We will also examine all procedures for processing data outside the ORGANIZATION.
Should you have any questions or concerns, please do not hesitate to make contact via email or phone at ###-####.
Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure