An Honest Post-Breach Letter Template

To Our Hacked Customers:

Our team at <insert company> tried to secure its computer systems behind an old-fashioned perimeter, and the result is that hackers penetrated and persisted in our network for <insert months> and stole the <insert things stolen> you trusted us to protect. We are just letting you know now, because it took our lawyers <insert weeks> to come up with a believable story that would mostly blame <insert hackers, nation-states, or third parties>.

The good news is that our incident is of no consequence to you, because your <insert things stolen> have already been compromised dozens of times by others including <insert names of prior companies and agencies hacked>. This point will be made by our massive team of lawyers during any future class action suit to prove that no real harm has been done. So don't waste your time.

Additional good news for our investors is that we bought <insert amount> worth of cyber insurance, and we have done a stellar job successfully completing the pages and pages of paperwork for our <insert list of compliances>. We will just keep our heads down until this little incident blows over, which it will. Our stock price will be back to normal in <insert weeks>.

I should tell you that I fired our CISO, who I met for the first time during this incident. I am told that this is the <insert second, third, or fourth> executive to hold this position in the past <insert one, two, or three> years. My board is pleased that I took this bold firing action, and they should know, because they received a brief talk on cyber hygiene at our last retreat. So, they are experts.

You should visit our flashy response website that we set up with enough added security to make it nearly impossible to get to the mostly useless information we included. You might also consider accepting our offer of <insert one, two, or three> years of identity protection, because it will limit our liability for future class action suits. It’s all explained in the fine print, which we know you will not read.

My advice is that you should just forget about this little incident. I know I will. I mean, there are so many more serious issues in our world that deserve your complete and undivided attention such as <insert North Korea, global warming, or high tuition costs>. The last thing you should be worried about is another compromise of <insert things stolen> that have already been ripped off before by others.

We are certain that our team will cause another incident in the future, so please just use this same letter in advance of that inevitable <insert type of breach>. Until then, let’s just forget about this little misunderstanding so that you can get back to your normal life. Deal?


<Insert Name of Honest CEO>