Customer breach notification letter template
GDPR Article 33 + state-specific (US) breach notification letter template. Plain-English language; legal-team review required before sending. Time-critical: 72h from awareness for GDPR.
How to use
Draft within first hour of confirmed breach; legal review; send within 72h of awareness.
Template (markdown)
Copy-paste and replace the {{PLACEHOLDERS}}.
# Breach Notification — {{COMPANY}}
**Sent:** {{DATE}} · **Reference:** INC-{{INCIDENT_ID}}
Dear {{CUSTOMER}},
We are writing to inform you of a security incident that has affected your data with {{COMPANY}}. We take full responsibility for what happened and want to give you the facts, the actions we are taking, and the steps you can take.
## What happened
On {{INCIDENT_DATE}}, we detected {{INCIDENT_DESCRIPTION_PLAIN_ENGLISH}}. We confirmed the impact on {{CONFIRMATION_DATE}}.
## What information was involved
The following data of yours was {{ACCESSED_OR_POTENTIALLY_ACCESSED_OR_TAKEN}}:
- {{DATA_CATEGORY_1}}
- {{DATA_CATEGORY_2}}
Based on our investigation to date, the following data was NOT involved:
- {{NOT_INVOLVED_1}}
- {{NOT_INVOLVED_2}}
## What we are doing
- Stopped the incident: {{CONTAINMENT_DESCRIPTION}}
- Rotated affected credentials and revoked compromised access
- Engaged {{SECURITY_FIRM_OR_INTERNAL_TEAM}} for forensic review
- Reported to {{SUPERVISORY_AUTHORITY}} within the GDPR Article 33 72-hour window
- {{IF_CYBER_INSURANCE_INVOLVED}}: notified our cyber-insurance carrier; their breach coach is coordinating
- Implemented additional safeguards: {{ADDITIONAL_SAFEGUARDS}}
## What you can do
- {{CUSTOMER_ACTION_1}} (e.g., reset your password)
- {{CUSTOMER_ACTION_2}} (e.g., review recent account activity)
- {{CUSTOMER_ACTION_3}} (e.g., enable MFA if not already enabled)
- {{IF_CREDIT_MONITORING}}: we are providing complimentary credit monitoring through {{PROVIDER}} for {{DURATION}}; sign up at {{LINK}}
## Contact
Questions: {{INCIDENT_EMAIL}} or {{INCIDENT_PHONE}}
Senior contact: {{CTO_OR_CEO_NAME}}, {{ROLE}}, {{DIRECT_EMAIL}}
We are deeply sorry this happened. We will publish a detailed post-incident review at {{POST_INCIDENT_URL}} within 30 days describing the root cause and every change we are making to prevent recurrence.
Sincerely,
{{CEO_NAME}}
CEO, {{COMPANY}}
{{COMPANY_ADDRESS}}
---
**Legal references:**
- GDPR Article 33 (notification to supervisory authority within 72 hours)
- GDPR Article 34 (notification to data subject — without undue delay if high-risk)
- US state-specific notification laws (e.g., California Civil Code §1798.82)
**Auditor checklist:**
- [ ] Sent within 72h of awareness
- [ ] Legal counsel reviewed before send
- [ ] Records retained 6 years (or longer per local law)
- [ ] Supervisory authority notified
- [ ] Cyber-insurance carrier notified
- [ ] Customers given concrete actions to take
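Added example (not part of the template above): a small Python helper that fills the `{{PLACEHOLDER}}` fields, handles the optional `- {{IF_...}}:` lines by dropping them when the condition is false, refuses to produce a letter that still contains an unfilled placeholder, and computes the 72-hour GDPR Article 33 deadline from the time of awareness. The `TEMPLATE` excerpt and the field values are constructed sample input; the function names are my own.

```python
import re
from datetime import datetime, timedelta

PLACEHOLDER = re.compile(r"\{\{([A-Z0-9_]+)\}\}")
OPTIONAL_LINE = re.compile(r"- \{\{(IF_[A-Z0-9_]+)\}\}: (.*)")
GDPR_WINDOW = timedelta(hours=72)  # Article 33: notify the supervisory authority within 72h

# Constructed excerpt of the letter template (a few lines, not the full letter).
TEMPLATE = """\
**Sent:** {{DATE}} · **Reference:** INC-{{INCIDENT_ID}}
- Reported to {{SUPERVISORY_AUTHORITY}} within the GDPR Article 33 72-hour window
- {{IF_CYBER_INSURANCE_INVOLVED}}: notified our cyber-insurance carrier; their breach coach is coordinating
- {{IF_CREDIT_MONITORING}}: we are providing complimentary credit monitoring through {{PROVIDER}} for {{DURATION}}
"""


def render(template: str, fields: dict) -> str:
    """Fill placeholders. A line of the form '- {{IF_X}}: text' is kept (with the
    prefix stripped) only when fields['IF_X'] is truthy. Any placeholder still
    present after substitution raises, so a half-edited letter cannot be sent."""
    out = []
    for line in template.splitlines():
        m = OPTIONAL_LINE.match(line)
        if m:
            if not fields.get(m.group(1)):
                continue  # optional paragraph does not apply to this incident
            line = "- " + m.group(2)
        # Unknown fields are left as-is so the check below can report them.
        line = PLACEHOLDER.sub(lambda p: str(fields.get(p.group(1), p.group(0))), line)
        out.append(line)
    text = "\n".join(out) + "\n"
    missing = sorted(set(PLACEHOLDER.findall(text)))
    if missing:
        raise ValueError(f"unfilled placeholders: {missing}")
    return text


def notification_deadline(aware_at_iso: str) -> str:
    """72 hours from the moment of awareness; ISO-8601 timestamps in and out."""
    return (datetime.fromisoformat(aware_at_iso) + GDPR_WINDOW).isoformat()


def within_window(aware_at_iso: str, sent_at_iso: str) -> bool:
    """True if the notification time does not exceed the Article 33 deadline."""
    deadline = datetime.fromisoformat(notification_deadline(aware_at_iso))
    return datetime.fromisoformat(sent_at_iso) <= deadline
```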