Generates accurate, professional data breach notification templates tailored to specific scenarios.
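Below are an external data breach notification and a management briefing template with unified messaging (technical writing style), used to communicate the incident facts, response progress, user guidance, compliance statement, and upcoming milestones. Confirm against your actual approval process and legal requirements before publishing.

External Data Breach Notification (Unified Messaging Draft)
Version: v1.0
Release date: 2025-09-24
Incident ID: SEC-2025-09-23-001

I. Incident Summary
- Time of occurrence: 2025-09-23 09:15
- Incident type: unauthorized access
- Scope of impact: users in the North region and on the online platform
- Volume of data involved: approximately 12,000 account-related records
- Affected data fields: name, email address, salted password hashes, some transaction timestamps
- Preliminary source determination: unauthorized calls and data access resulting from a leaked third-party API key

II. Response Progress
- Isolation: the affected services and interfaces have been isolated and the anomalous access paths blocked
- Keys: the relevant third-party API keys have been reset and rotated, and the scope of call permissions narrowed
- Authentication: multi-factor authentication (MFA) has been enabled to strengthen account protection
- Monitoring: the security operations center (SOC) has been notified to monitor continuously, and log retention and anomalous behavior detection coverage have been expanded
- Forensics and assessment: access log analysis and digital forensics are in progress to assess the scope and duration of the data access

III. User Security Guidance
To reduce potential risk, affected users should take the following steps:
1) Change your platform login password immediately, and do not use the same password on other websites or services
2) Enable and use MFA (SMS, app token, etc.) to improve account security
3) Be alert to phishing emails and social engineering: do not click suspicious links, and do not give out verification codes or passwords
4) Review recent account activity; if you find anything unusual, contact the official customer service channels immediately
5) If you have reused the same or a similar password on other websites, change it there as well

Customer service and support:
- Email: security@yourcompany.com
- Hotline: 400-XXX-XXXX (business days 9:00–18:00)
- Online help center: yourcompany.com/security-notice

IV. Risk Statement
- Salted password hashing reduces the risk of direct disclosure, but offline cracking and credential stuffing risks remain, especially for users who reuse passwords
- Email addresses and some transaction timestamps could be used for targeted phishing or social engineering
- The investigation is still ongoing; we continue to monitor and have so far found no confirmed evidence of malicious misuse, but the risk cannot be ruled out

V. Compliance Statement
- We have started the assessment and notification processes under applicable data protection regulations, including but not limited to: the Personal Information Protection Law of the People's Republic of China (PIPL), the Cybersecurity Law (CSL), and the Data Security Law (DSL)
- If EU data subjects are confirmed to be involved, we will follow the 72-hour supervisory authority notification requirement of the General Data Protection Regulation (GDPR)
- As required by regulation, we will provide affected individuals with notification, risk warnings, and remediation advice, retain the relevant logs and evidence, and cooperate with regulators' investigations and reviews

VI. Upcoming Milestones (Planned)
- 2025-09-24: Distribute the notification and security guidance to affected users (this notice)
- 2025-09-25: Complete the preliminary digital forensics and scoping report, identifying the affected data and time window
- 2025-09-26: Start and complete the forced password reset for affected accounts (if applicable); verify MFA coverage ≥95%
- 2025-09-27: Complete the third-party integration audit and API least-privilege remediation; update the key management and rotation policy
- 2025-09-30: Issue the root cause and improvement report and submit it to management and legal; if applicable, complete regulator notification and filing
- 2025-10-15: Complete the security hardening project (rate limiting, behavioral analysis, blocking of anomalous calls, outbound data protection) and carry out an independent penetration test and red team retest

VII. Apology and Commitment
We sincerely apologize for the inconvenience and risk this incident has caused you. We will continue to improve access control, key management, and third-party integration security, and strengthen our monitoring and response capabilities, to protect your data and account security.

Management Briefing Template (for internal reporting and decision-making)
Version: v1.0
Audience: management / legal / compliance / business owners
Suggested meeting length: 30 minutes

1. Executive Summary
- Incident ID: SEC-2025-09-23-001
- Incident type: unauthorized access, originating from a leaked third-party API key
- Impact: North region and online platform users, approximately 12,000 account records (name, email address, salted password hashes, some transaction timestamps)
- Current status: services isolated, keys reset, MFA enabled, SOC monitoring; forensics and scoping in progress
- Preliminary risks: account takeover (credential stuffing / offline cracking), phishing and social engineering

2. Timeline (T0 is 2025-09-23 09:15)
- T0: Anomalous access behavior detected and confirmed as unauthorized access
- T0+X: Affected interfaces and services isolated
- T0+X: Third-party API key reset and permission narrowing completed
- T0+X: MFA enabled and log retention expanded; SOC notified for continuous monitoring
- T0+24h: External notification draft and internal briefing released (this document)

3. Technical Root Cause and Control Gaps (Preliminary)
- Root cause: unauthorized calls resulting from a leaked third-party API key
- Candidate gaps:
  - Inadequate key storage and rotation policy (exposure surface or overly long rotation period)
  - Third-party interface permissions not sufficiently minimized (lack of fine-grained access control)
  - Room to tune the thresholds for anomalous call rate and behavior detection
  - Policies and monitoring for outbound data access and transfer need strengthening

4. Response Progress (Completed / In Progress)
- Completed: service isolation, key reset and permission narrowing, MFA enablement, SOC monitoring
- In progress: forensic analysis (access logs, call fingerprints, anomalous sessions), scoping of affected data, distribution of user notifications

5. Risk Assessment
- Likelihood: medium (depends on hash cracking difficulty and user password reuse)
- Impact: basic information and authentication-related hashes for approximately 12,000 accounts; potential account takeover and phishing risk
- Residual risk: persists until the forced password reset is complete, MFA coverage is raised, and third-party interfaces are narrowed

6. Compliance and External Communication
- Regulatory framework: PIPL/CSL/DSL (within China); if EU data subjects are involved, GDPR 72-hour notification
- External notification: notification of affected individuals (in progress); regulator notification (carried out according to the applicability and deadlines determined by legal)
- Evidence preservation: logs, key rotation records, change audits, alerts and response tickets

7. Decisions and Resource Requests
- Recommended decisions:
  - Approve a forced password reset and an upgraded login protection policy for affected accounts
  - Approve a comprehensive audit of third-party integrations and updates to contract terms (including key management, least privilege, and incident notification obligations)
  - Approve the short-term hardening project (rate limiting / behavioral analysis / outbound data protection) and the budget for independent security testing
- Resource needs: forensic tools and external consultant support, WAF / behavioral analysis rule tuning, secrets management platform upgrade

8. Upcoming Milestones and Metrics
- 2025-09-25: Preliminary forensics and scoping complete (report delivered)
- 2025-09-26: Forced password reset done and MFA coverage ≥95%; credential stuffing protection rules live
- 2025-09-27: Third-party least-privilege and key management policy updates complete
- 2025-09-30: Root cause and improvement report submitted to management and legal; necessary regulator notifications complete
- 2025-10-15: Independent penetration test and red team retest complete; critical defect remediation rate ≥95%
- Key indicators (KPI/OKR):
  - User notification delivery rate and read rate
  - Trend of anomalous login and credential stuffing alerts
  - MFA coverage and forced reset completion rate
  - Proportion of third-party call permissions narrowed and compliance rate for the key rotation period

Unified Messaging Key Points (apply to all external communication)
- Time and facts: unauthorized access occurred at 2025-09-23 09:15; approximately 12,000 account records affected; the source was a leaked third-party API key
- Data types: name, email address, salted password hashes, some transaction timestamps (do not expand or reduce the list of fields when stating this)
- Measures taken: services isolated, keys reset, MFA enabled, SOC notified for continuous monitoring
- User guidance: change password, enable MFA, be alert to phishing, review account activity, contact official support
- Compliance stance: follow applicable regulations and carry out notification and remediation as required

Have the legal and compliance teams review and approve the text before publishing, and keep the "unified messaging" above consistent throughout execution.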
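Personal Data Breach Notification (Template)

I. Scope and Legal Basis
- This notification template applies under the following legal frameworks:
  - The EU General Data Protection Regulation (GDPR), in particular Article 33 (notification to the supervisory authority) and Article 34 (communication to the data subject), and Articles 12–23 (data subject rights).
  - Applicable local data protection regulations (for example: [local regulation name and articles]). Replace with the specific regulation name and article numbers when publishing.
- Statutory deadlines:
  - Supervisory authority notification: under GDPR Article 33, after a personal data breach occurs, the competent supervisory authority must be notified no later than 72 hours. If 72 hours are exceeded, the reasons for the delay must be given.
  - Data subject communication: under GDPR Article 34, data subjects at high risk must be given a clear communication "without delay". Your organization intends to complete the first notification to both the supervisory authority and the affected data subjects within 72 hours.

II. Notification to the Supervisory Authority (GDPR Article 33)

1) Incident Overview
- Incident ID: [fill in incident ID]
- Incident type: anomalous access to a backup storage bucket (object storage), possibly constituting unauthorized access.
- First detected: 2025-09-22 (local time zone: [fill in])
- How discovered: security monitoring alert / access log anomaly [the specific detection source may be added]
- Current status: forensics and root cause analysis are in progress; there is no evidence so far that data was downloaded in bulk or misused (update if this is found later).

2) Affected Data Categories and Scale
- Data subject type: customers
- Estimated number of affected data subjects: approximately 7,500
- Categories of personal data involved: name, mobile phone number, email address, order ID
- Sensitive data not involved: no payment card information or identity document numbers (such as national ID / passport number)

3) Potential Impact and Risk Analysis
- Main risks: targeted phishing / social engineering attacks, account takeover risk (using the email address and mobile phone number), order-linked profiling and privacy exposure.
- Risk level: medium, depending on the scope and duration of the unauthorized access; if large-scale access or an exfiltration channel is confirmed, the risk rises to high.

4) Emergency and Remedial Measures Taken
- Access control and isolation: immediately blocked the anomalous access sources; temporarily froze the relevant access tokens/keys; disabled public access and cross-account sharing on the bucket.
- Credentials and policy: rotated access keys; enforced multi-factor authentication; tightened the bucket policy (least privilege, IP allowlist); enabled server-side encryption and encryption in transit.
- Monitoring and forensics: exported and preserved access logs (object storage access logs, identity and access management logs, WAF/firewall logs); enabled anomalous behavior detection and alert escalation; carried out host and network forensics.
- Root cause remediation: reviewed the permission configuration of backup processes and automation jobs; audited third-party integrations and cross-region replication policies; fixed potential misconfigurations.
- Notification and support: prepared data subject communication and customer support mechanisms; established FAQs and risk mitigation guidance.

5) Data Processing Ecosystem and Cross-Border Transfers
- Controller information: [full company name], [registered address], [name and contact details of the data protection officer / privacy lead]
- Processors: [if any, list the relevant cloud service providers or third-party processors]; status of the data processing agreement (DPA) signed with them: [in force / being updated]
- International data transfers: if cross-border transfers are involved, describe the transfer path and the compliance mechanism (for example standard contractual clauses (SCC), an adequacy decision, or another legal basis). If not, state "No cross-border data transfer is involved."

6) Contact Details and Follow-Up Updates
- Primary contact (DPO / privacy lead): [name]; email: [contact@domain]; phone: [+xx-xxxx-xxxx]
- We will submit supplementary reports as the investigation progresses, including the root cause, the final assessment of the impact scope, the long-term remediation plan, and the effectiveness of risk mitigation.

7) Evidence Preservation Statement (for regulators and forensics)
- Legal hold executed: automatic cleanup policies for the systems and logs related to the incident have been frozen; retention lasts until regulatory proceedings and any potential judicial proceedings conclude, or for the period permitted by law.
- Scope of preservation: object storage access logs, identity and access management audit logs, network perimeter device logs, change management records, relevant system images and snapshots, configuration and policy version history, alert and ticket records.
- Preservation method: read-only snapshots stored with verification (hashes); a chain of custody established; access minimized with two-person review; every extraction and viewing recorded.
- Reference process: follows industry best practices for incident response and forensics (for example incident classification, evidence integrity verification, change freeze, and documented operations).

III. Communication to Affected Data Subjects (GDPR Article 34)

1) What Happened
- On 2025-09-22 we detected anomalous access to a backup storage bucket, which may have allowed an unauthorized third party to access some customer data. We have taken emergency measures and are investigating further. This incident does not involve payment card information or identity document numbers.

2) Information of Yours That May Be Involved
- Name, mobile phone number, email address, order ID
- To confirm whether your records are affected, please inquire through the contact details below; we will provide an explanation after completing identity verification.

3) Measures We Have Taken
- Shut off the anomalous access and strengthened access control; rotated keys and enabled multi-factor authentication; improved logging and alerting; audited and fixed the relevant configuration.
- We will continue to monitor for signs of potential misuse and will update you once more details are confirmed.

4) Protective Measures You Can Take
- Be wary of emails, text messages, or phone calls from unknown sources, and guard against social engineering that asks for verification codes or passwords.
- Enable multi-factor authentication on important accounts; avoid reusing passwords; consider changing, in the near term, the passwords of commonly used services linked to this email address or mobile phone number.
- If you suspect suspicious contact or account anomalies, contact us or the relevant service provider immediately.

5) Your Rights (GDPR Articles 12–23)
- Right of access: you may request access to the personal data we hold about you and to information related to this incident.
- Right to rectification: you may request correction of inaccurate or incomplete personal data.
- Right to erasure: where the applicable conditions are met, you may request deletion of your personal data.
- Right to restriction of processing: in specific circumstances, you may request that we restrict the processing of your data.
- Right to object: where the applicable conditions are met, you may object to processing based on legitimate interests.
- Right to data portability: where the applicable conditions are met, you may request to receive and transmit your data in a structured, commonly used, machine-readable format.
- Withdrawal of consent: where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing based on consent before the withdrawal.
- How to exercise your rights: submit your request through the contact details below; we will respond in accordance with the law without delay and at the latest within the statutory period.

6) Complaints and Regulatory Complaint Channels
- If you believe our data processing violates applicable data protection law, you may lodge a complaint with the competent supervisory authority:
  - Name of competent supervisory authority: [fill in]
  - Website / email / phone: [fill in]
  - Postal address: [fill in]
- To the extent permitted by applicable law, you may also seek a judicial remedy.

7) Contact Us
- Data protection officer / privacy lead: [name]
- Email: [privacy@domain]
- Customer service phone: [+xx-xxxx-xxxx] (business days / business hours)
- Postal address: [company address]
- We will notify you again without delay when there are substantive updates to the investigation.

IV. Evidence Retention and Incident Records (statement for external consistency)
- We have applied read-only and hash-verification preservation measures to the systems, logs, and records related to this incident, to ensure integrity and traceability.
- A chain of custody has been established and access and operation traces are recorded, with viewing limited to authorized personnel; all investigation change activities are documented and subject to two-person review.
- Until the incident response and compliance processes conclude, the relevant evidence and records will not be deleted or overwritten; retention periods and destruction methods will follow applicable law and internal policy.

V. Follow-Up and Supplementary Notifications
- Initial notification time: [fill in]
- Supplementary notification plan: after the root cause analysis and the final assessment of the impact scope are complete, detailed information will be provided through regulatory reports and data subject update notices, including:
  - Technical root cause of the incident and remediation status
  - Final number of affected data subjects and records
  - Updated risk assessment and secondary mitigation measures
  - Long-term remediation and protection improvement plan (access control, key management, backup and encryption policy, monitoring and exercises)

VI. Compliance Statement
- Supervisory authority notification: this notification is submitted or updated no later than 72 hours after becoming aware of the incident, as required by GDPR Article 33.
- Data subject communication: this notification, as required by GDPR Article 34, gives data subjects who may face high-risk impact a communication without delay together with risk mitigation guidance.
- Local regulations: we also follow the notification and handling requirements of applicable local data protection regulations (for example: [local regulation name and articles]) and, where necessary, fulfil additional obligations of registration, public announcement, or communication with industry regulators.

VII. Appendix (optional, for the supervisory authority)
- Incident timeline (key points in time for detection, containment, forensics, and remediation)
- Technical indicators summary (access source IP/ASN ranges, authentication method, access patterns, object key prefixes and operation type statistics)
- Configuration change and policy audit summary (access policy differences, permission inheritance and exception list)
- Third-party processor and cloud service parameters (region, redundancy and replication policy, log retention policy)

Reminder and Statement
- This template is intended to provide a structured notification text framework that meets statutory requirements. Before publishing, have legal and the data protection officer review it and replace the placeholder information, ensuring the content is fully consistent with your organization's actual situation and the regulatory requirements of its jurisdiction.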
Below are structured templates for a data breach notification related to unauthorized access to a marketing email service provider account. These materials are designed for website, media, social channels, email, and customer support. They emphasize transparency, risk assessment, user guidance, and brand commitments. Replace placeholders (e.g., [Organization], [Vendor], [Contact]) before publishing.

Website Announcement (Long Form)
Title: Security Notice: Incident Involving Our Marketing Email Service
Date: 24 September 2025
Incident ID: MKT-EMAIL-2025-09-24

Summary
- On 24 September 2025, we detected unauthorized access to our third-party marketing email service provider account.
- Estimated impact: approximately 20,000 subscribers’ email addresses and associated preference tags.
- No passwords, payment information, or production systems were affected.
- Immediate actions taken: credentials reset, security auditing enabled, tokens revoked, and a joint investigation initiated with our vendor.

What Happened
On 24 September 2025, our monitoring alerted us to suspicious activity involving a vendor-managed marketing email account. A preliminary review of access logs indicates unauthorized sign-ins to the account used for managing subscriber lists and content preferences. We promptly disabled the compromised credentials, enforced multifactor authentication (MFA) on the account, enabled enhanced audit logging, and engaged the vendor’s security team for a coordinated investigation.

What Information Was Involved
- Email addresses for marketing subscribers.
- Preference tags (e.g., topics of interest, subscription segments, locale, and communication frequency).
- Not involved: passwords, payment information, government IDs, or customer support case data.
- Our production environment and transactional systems are separate and not affected by this incident based on current evidence.

Risk Assessment
- Primary risk: increased likelihood of spam or targeted phishing using subscriber email addresses and interest tags.
- No direct risk to user passwords or financial data from this incident.
- We currently have no indication of unauthorized access beyond the marketing service environment, but the investigation is ongoing.

What We Are Doing
- Credentials reset and session tokens revoked for the affected account.
- MFA enforced and privileged access reviewed for the marketing vendor account.
- Security auditing and log preservation enabled; forensic analysis underway with [Vendor].
- Strengthening third‑party access controls and least‑privilege permissions across marketing integrations.
- Reviewing message sending safeguards and domain protections to reduce email spoofing risk.
- Notifying affected individuals and, where applicable, relevant authorities in accordance with data protection laws.
- We will publish an update and a post‑incident report once the investigation concludes.

What You Can Do (Self‑Help Recommendations)
- Be vigilant for phishing: treat unsolicited emails with caution, especially those referencing your preferences or asking for credentials, codes, or payment.
- Verify communications: check sender domains, avoid clicking unknown links, and navigate to our website directly for account or preference updates.
- Report suspicious messages: forward potential phishing emails to [security@organization.com] or contact [Support Number].
- Review your subscription preferences: visit [Preference Center URL] to confirm or adjust your settings.
- General email hygiene: use strong, unique passwords on your email account, enable MFA where possible, and update spam filters.

Support and Contact
- Dedicated inbox: [privacy@organization.com]
- Hotline: [Support Number], available [Hours/Timezone]
- More information and updates: [Incident Notice URL]

Regulatory Notice
If you reside in a jurisdiction with breach notification requirements (e.g., GDPR, CPRA), we will meet applicable obligations, including notifying supervisory authorities and affected individuals where required. Contact [DPO/Privacy Office Contact] for rights requests or questions about local requirements.

Commitment to Security
We are committed to protecting your data. We are enhancing vendor controls, audit capabilities, and incident response procedures, and will share material findings and corrective actions following the investigation.

Website Announcement (Short Form/Banner)
Title: Notice: Marketing Email Data Incident
On 24 Sep 2025, our marketing email vendor account was accessed without authorization. Approximately 20,000 subscriber email addresses and preference tags were exposed. No passwords or payment information were affected. We have reset credentials, enabled security auditing, and are investigating with the vendor. Learn more and recommended steps: [Incident Notice URL]. Contact: [privacy@organization.com], [Support Number].

Media Statement / Press Release Template
Headline: [Organization] Announces Investigation into Unauthorized Access of Marketing Email Vendor Account

[City], [Date] — [Organization] detected unauthorized access on 24 September 2025 to a third‑party account used for marketing email operations. The incident affected approximately 20,000 subscribers’ email addresses and preference tags. No passwords or payment data were involved. Upon discovery, [Organization] immediately reset credentials, enforced multifactor authentication, enabled enhanced security auditing, and initiated a joint investigation with the vendor. Current evidence indicates the incident is limited to the marketing email environment; production systems are not implicated.

“Our priority is the security and privacy of our users,” said [Title, Name]. “We are working with our provider to determine the root cause, close any gaps, and inform affected subscribers. The primary risk is targeted phishing attempts; we urge users to remain vigilant and verify messages before acting.”

[Organization] is notifying affected individuals and, where required, informing relevant authorities in accordance with data protection laws. Guidance on recognizing and reporting suspicious emails, as well as preference management, is available at [Incident Notice URL]. For questions, contact [privacy@organization.com] or [Support Number].

About [Organization]
[One‑sentence factual description.]

Media Contact
[Name, Title]
[Email, Phone]

Social Media Posts (Short)

Version 1
We detected unauthorized access to our marketing email provider on Sep 24. Approx. 20,000 subscriber emails + preference tags were exposed. No passwords/payment info affected. Steps you can take + our actions: [Incident URL]. Questions: [privacy@organization.com].

Version 2
Security notice: Marketing email vendor incident (Sep 24). Impact: ~20k emails + preference tags; no passwords or payment data. We reset credentials and are investigating with the vendor. Guidance and updates: [Incident URL]. Support: [Support Number].

Version 3 (LinkedIn-style, slightly longer)
On Sep 24, we identified unauthorized access to a third‑party marketing email account. About 20,000 subscriber emails and preference tags were exposed; no passwords or payment data were affected. We’ve reset credentials, enabled auditing, and are investigating with our vendor. Learn more, including phishing prevention tips: [Incident URL]. Contact: [privacy@organization.com].

Email Notification Templates

Audience: Impacted Marketing Subscribers

Subject Line Options
- Security Notice: Marketing Email Data Incident on 24 Sep 2025
- Important: Your Email Address May Have Been Exposed
- Action Recommended: Be Alert to Phishing Following Vendor Incident

Body
Hello [First Name],

We are writing to inform you of a security incident related to our third‑party marketing email service provider. On 24 September 2025, we detected unauthorized access to the account used to manage subscriber communications.

What information was involved:
- Your email address and associated preference tags (e.g., topics of interest).
- No passwords, payment information, or production account data were involved.

Estimated impact: approximately 20,000 subscribers.

What we have done:
- Reset credentials and revoked active sessions.
- Enforced multifactor authentication and enabled enhanced audit logging.
- Initiated a joint investigation with our vendor to determine root cause and scope.
- Reviewing third‑party access controls to prevent recurrence.

What you can do:
- Be vigilant for phishing. Do not share passwords, codes, or payment details via email.
- Verify messages are from [organization domain]; navigate directly to our website rather than using email links.
- Report suspicious emails to [security@organization.com].
- Review your preferences at [Preference Center URL].

We will provide updates at [Incident Notice URL]. If you have questions or wish to exercise privacy rights, contact [privacy@organization.com] or [Support Number]. If you reside in [Jurisdiction], we have notified [Supervisory Authority] as required.

Thank you for your attention to this matter.

Sincerely,
[Name], [Title]
[Organization]
[Contact Details]

Audience: General Customers/Stakeholders (Non‑Subscribers)

Subject Line Options
- Notice: Vendor Incident Affecting Marketing Email Data
- Security Update from [Organization]

Body
Hello,

On 24 September 2025, we detected unauthorized access to a third‑party marketing email account. Approximately 20,000 subscriber email addresses and preference tags were exposed. No passwords, payment information, or production systems were affected. We have reset credentials, enabled security auditing, and are conducting a joint investigation with the vendor.

The principal risk is targeted phishing to exposed email addresses. Guidance on recognizing and reporting suspicious emails is available at [Incident Notice URL]. For questions, contact [privacy@organization.com] or [Support Number].

Regards,
[Organization Security/Privacy Team]

Customer Support Script and FAQs

Opening
- Thank you for contacting [Organization]. We can provide details about the marketing email vendor incident identified on 24 Sep 2025. How can we assist you today?

Key Facts (Talking Points)
- Unauthorized access to our marketing email service provider account on 24 Sep 2025.
- Approx. 20,000 subscriber email addresses and preference tags exposed.
- No passwords or payment information were affected.
- Credentials were reset; MFA and audit logging enabled; investigation ongoing with vendor.
- Primary risk: phishing or spam targeting exposed email addresses.

Do’s
- Direct users to the incident page: [Incident Notice URL].
- Encourage reporting of suspicious messages to [security@organization.com].
- Help users review their subscription preferences at [Preference Center URL].
- Escalate complex or legal rights questions to [privacy@organization.com]/[DPO Contact].

Don’ts
- Do not speculate on attacker identity, method, or unverified impact.
- Do not promise compensation or remedies beyond approved policy.
- Do not confirm an individual’s inclusion on the impacted list unless identity verification is completed per policy.

Common Questions and Responses

Q: Was my password or payment info exposed?
A: No. The incident involved a marketing email account and affected email addresses and preference tags only. Passwords and payment data were not involved.

Q: What should I watch out for?
A: Be alert for phishing or unsolicited emails, especially those referencing your interests. Verify sender domains, avoid clicking unknown links, and do not share credentials or codes.

Q: Are your main systems affected?
A: Current evidence indicates the incident is limited to the marketing email environment. Our production systems remain unaffected.

Q: How will I receive updates?
A: We will post updates at [Incident Notice URL]. You may also contact [privacy@organization.com] or [Support Number].

Q: Can you remove my data from marketing lists?
A: Yes. Visit [Preference Center URL] or we can process your request after identity verification. We support unsubscribe and applicable rights requests.

Q: Have you notified authorities?
A: We comply with applicable laws. Where required (e.g., GDPR/CPRA), we notify supervisory authorities and affected individuals. Our privacy team can provide jurisdiction‑specific details.

Operational Notes for Agents
- Verify identity before discussing specific subscriber records.
- Log the inquiry under Incident ID MKT-EMAIL-2025-09-24.
- Escalate indicators of active phishing campaigns to the security team immediately.

Optional Compliance Addendum (Internal Use / Regulator-Facing)
- Incident discovery date/time: 2025‑09‑24 [UTC/local time].
- Data elements: email addresses; preference tags (non-sensitive marketing metadata).
- Estimated volume: ~20,000 records.
- Affected system: [Vendor name], marketing email account.
- Containment: credential reset, token revocation, MFA enforcement, audit logging activated, vendor engaged.
- Notifications: draft templates prepared for individuals; regulator notifications to be filed per [jurisdiction] within statutory timelines (e.g., GDPR Art. 33 within 72 hours, CPRA “without unreasonable delay”).
- Post‑incident actions: review access controls, least privilege, third‑party risk assessment, incident report publication timeline.

These templates are designed to be precise and consistent across channels, support user self‑help, and align with common regulatory expectations. Adjust placeholders and local requirements before use.
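Produce an external notification and a management briefing in a short time, with unified messaging, ensuring compliance and transparency and improving incident response efficiency.
Review and revise quickly using templates that cover all the compliance points, making sure the necessary clauses and deadline requirements are included and reducing legal and regulatory risk.
Generate website announcements and media statements, with multiple versions of the copy adapted to different channels and audiences, to steady public sentiment and maintain brand trust.
Produce standardized FAQs and customer service scripts that spell out user guidance and compensation processes, improving first-contact resolution rate and user satisfaction.
Translate technical details into clear, readable explanations with remediation and prevention recommendations, supporting collaboration with legal, customer service, and management.
Produce professional notifications quickly even without a dedicated team, avoiding communication delays and compliance mistakes and keeping customer relationships steady.
Use for tabletop exercises and course case studies: quickly build high-quality simulated notifications, capture best practices, and improve training outcomes.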
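Gives enterprises and teams the ability to generate professional, compliant, easy-to-read data breach notifications in one click. By having the AI write from the perspective of a senior data security analyst, it quickly produces multilingual notification drafts for customers, regulators, and partners, covering key elements such as the facts, the affected scope, the risk description, remediation and prevention measures, contact details, and follow-up arrangements. The prompt is designed to turn complex security information into clear, credible communication text, helping teams deliver high-quality output under time pressure, reduce compliance risk, maintain brand trust, and significantly shorten the back-and-forth revision time between legal and security teams. The premium version supports an industry-specific template library, regulatory key-point hints, tone and brand consistency, batch generation, and version tracking, further improving efficiency and conversion.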
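Copy and paste the prompt generated from the template into the chat application you normally use (such as ChatGPT or Claude) and use it directly in conversation, with no extra development. Suited to individuals for quick trials and lightweight use.
Turn the prompt template into an API: your program can modify the template parameters freely and call it directly through the interface, making automation and batch processing easy. Suited to developer integration and embedding in business systems.
Configure the corresponding server address in your MCP client so that your AI application calls the prompt template automatically. Suited to advanced users and team collaboration, letting prompts move seamlessly between different AI tools.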