Customer Notifications: What RIAs Need to Say—and When—After a Breach

You had a breach. Now what?

Under Reg S-P, if client data was (or might’ve been) accessed without permission, and there’s a chance of harm, you have 30 days to notify every affected client.

Let’s talk about what triggers a notification, what needs to be included, and how to do it right—without scrambling under pressure.

What Triggers a Notification?

A customer notification is required if:

  • Sensitive customer info (SSN, login credentials, financial data) was likely accessed
  • OR the affected system contained such data, and you can’t prove it wasn’t accessed

No proof = assume the worst. That’s the SEC’s stance.

What Must Be Included in the Notification?

The SEC lays out a clear list. Your letter must include:

  1. Plain Language Summary of the incident
  2. Type of Information Involved (e.g., account number, DOB)
  3. Date or Date Range of the incident
  4. Your Contact Info (phone, email, mailing address)
  5. Credit Monitoring Tips (how to monitor accounts, place fraud alerts, etc.)
  6. Resources (FTC links, ID theft protection guides)

Tips for Smooth Notification

  • Use Templates: Prepare notification templates in advance.
  • Get Legal Review: Check language with legal/compliance before sending.
  • Document Everything: Who was notified, when, and how.

Don’t make it up as you go. These letters are scrutinized—by clients and regulators alike.

Don't Wait Until It's Too Late

Your notification timeline starts when you discover the breach—not when the investigation wraps.

Get your plan, templates, and process in place now. Because when things go sideways, time is your most valuable resource—and so is your client’s trust.