Generally, early notification to individuals whose personal information has been compromised allows them to take steps to mitigate the misuse of their information. In deciding if notification is warranted, consider the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage arising from misuse. For example, thieves who have stolen names and Social Security numbers can use this information to cause significant damage to a victim's credit record. Individuals who are notified early can take some steps to prevent or limit any harm.
When notifying individuals, the FTC recommends that you:
Consult with your law enforcement contact about the timing of the notification so it does not impede the investigation.
Designate a contact person within your organization for releasing information. Give the contact person the latest information about the breach, your response, and how individuals should respond. Consider using letters (see sample), Web sites, and toll-free numbers as methods of communication with those whose information may have been compromised.
It is important that your notice:
Describes clearly what you know about the compromise. Include how it happened; what information was taken, and, if you know, how the thieves have used the information; and what actions you have taken already to remedy the situation. Explain how to reach the contact person in your organization. Consult with your law enforcement contact on exactly what information to include so your notice does not hamper the investigation.
Explains what responses may be appropriate for the type of information taken. For example, people whose Social Security numbers have been stolen should contact the credit bureaus to ask that fraud alerts be placed on their credit reports. See www.consumer.gov/idtheft for more complete information on appropriate follow-up after a compromise.
Includes current information about identity theft. The FTC's Web site at www.consumer.gov/idtheft has information to help individuals guard against and deal with identity theft.
Provides contact information for the law enforcement officer working on the case (as well as your case report number, if applicable) for victims to use. Be sure to alert the law enforcement officer working your case that you are sharing this contact information. Identity theft victims often can provide important information to law enforcement. Victims should request a copy of the police report and make copies for creditors who have accepted unauthorized charges. The police report is important evidence that can help absolve a victim of fraudulent debts.
Encourages those who discover that their information has been misused to file a complaint with the FTC at www.consumer.gov/idtheft or at 1-877-ID-THEFT (438-4338). Information entered into the Identity Theft Data Clearinghouse, the FTC's database, is made available to law enforcement.
