Best Practices for Notifying Affected Individuals of a Large-Scale Data Breach

In September 2015, the Department of Homeland Security (DHS) chief privacy officer asked the Data Privacy and Integrity Advisory Committee to provide written guidance on best practices for notifying individuals impacted by a large-scale data breach. DHS outlined four questions for the committee to consider, and this document focuses on those four questions:

  1. In the context of large-scale data breaches, what criteria should the Privacy Office consider to inform DHS’s decision of whether and when to notify the impacted individuals?
  2. Once DHS has decided to notify impacted individuals, what are best practices with respect to the source, content and delivery mechanism (e.g., mail, e-mail) for the notification?
  3. Is it possible to “over notify” by saturating affected individuals with information or bulletins?
  4. In addition to delivering the actual notification, are there best practices supporting a notification process (e.g., establishing a call center) that should be considered?

