How to communicate with affected users or clients?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

When an email security incident affects users or clients, the communication you send is itself a trust signal. Get it right and you preserve the relationship. Get it wrong and you compound the damage.

Speed matters but not at the expense of accuracy. Sending a hasty notification that turns out to be wrong is worse than a brief delay to confirm scope. The threshold: if you have enough information to tell users what happened and what they should do, send it. If you're still investigating, send an acknowledgment that something happened and you're working on it. Silence is worse than incomplete information in most cases.

What the notification must contain: what happened (in plain language, not security jargon), what data or accounts may have been affected, what you've done to stop or contain it, and what specific actions the recipient should take. The last one is the most important and most often missing. "We experienced a security incident" is useless. "We experienced a security incident. Your account password was potentially exposed. Log in and change your password now at [link]." is helpful.

Tone matters: direct but not panicked. You're informing people of something they need to act on, not terrifying them. Avoid minimizing language ("minor incident," "precautionary measure") when the risk is real. Affected users can tell when they're being managed rather than helped, and it erodes trust faster than the incident itself did.

Channel choice: use a trusted channel that the affected users recognize. If the incident involved compromised email, send via a different verified channel (SMS, postal mail, in-app notification) and explain why. Don't use the compromised channel to notify people that it's compromised.

For regulatory notifications (GDPR breach notifications, state breach notification laws), the timeline and content requirements are legally specified. Those run in parallel with user communication and have their own compliance track.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me draft the incident notification

We've had a security incident affecting some of our users' email accounts and need to notify them. Here's our situation: - What happened: describe briefly - How many users are affected: estimate - What data or access was potentially exposed: describe - Whether the incident is fully contained: yes / no / ongoing - Our communication channels available: email / SMS / in-app / other - Whether we have GDPR or breach notification obligations: yes / no / not sure Help me draft the user notification, prioritize the communication steps, and flag any regulatory obligations I might have.

Edit the yellow boxes, then send to the AI of your choice.