Delivering Email Post-Data Breach: 4 Tips for Avoiding the Impact

A quick Google search of “what to do after a data breach” yields specific instructions for affected consumers (determine what was stolen, change affected passwords, contact financial institutions, sign up for a credit-monitoring service, etc.), but for the brand that suffered the breach, the next steps are usually a bit more complicated.

Oftentimes, the very first thing on the to-do list is to reach out to all customers via email, informing them their personal information was potentially compromised. Breach-notification laws, and the FTC’s breach-response guidance for businesses, call for this so the individuals affected can take steps to reduce the chance their information will be misused. For brands like Marriott and Coffee Meets Bagel, both of whom recently experienced breaches, this sort of large-scale email outreach has the potential to tarnish an already damaged reputation.

IBM’s “2018 Cost of a Data Breach Study” reports the average cost of a data breach is up from 2017 by more than 6 percent, to a total of $3.86 million. Taking that cost into consideration, alongside the loss of customers and brand trust a breach already brings, brands should act now to reduce the odds of a breach in the first place and, when one does happen, look for small wins, such as protecting email deliverability.

Tip 1: Send a heads-up to mailbox providers and blacklists

Sending a data breach notification to your entire email list, including unresponsive and inactive addresses, will absolutely hurt your sender reputation. Through inactivity, those addresses have signalled they are no longer interested in the brand’s content, and some of the oldest will have been recycled into spam traps; if you send them an “unwanted” message, mailbox providers (MBPs) will take note. Work with your ESP’s deliverability team to warn MBP postmaster contacts and blacklist operators about the notification you are about to send. They might also have an alternate (dedicated) IP you can use, so the reputation hit does not land on the IPs your regular mail stream depends on. The intention is to proactively help MBPs understand why there is about to be a spike in undeliverable mail and in users marking your messages as spam.

Tip 2: Make sure your emails are easily recognized

It’s important your brand maintains a high level of consistency during this time. After a data breach, customers are on high alert, and you don’t want them marking your email as spam because you decided to change the friendly-from (the display name on the From: address) to an individual’s name to make the message seem more personal. This sort of action might actually cause a consumer to not recognize the brand and ignore the email altogether, or to treat it as a phishing attempt. You should also send all messages from a subdomain of the organization (sub.250ok.com) instead of a cousin domain (cousin-250ok.com): a subdomain inherits the parent’s authentication and reputation, while a cousin domain is exactly what a phisher would register. Last but not least, make sure to include the notification email address in your public FAQ document, so customers have something to compare the message against. Use messaging along these lines: “If you have been impacted by this data breach, you will receive a notification from 250ok <[email protected]>.”

Tip 3: Review all authentication records

Due to the large amount of sending you’re about to do, now is not the time for a missing SPF or DKIM record. Double-checking these records in your DNS should be simple, especially if you are using a brand-specific subdomain for your ESP. Make sure your SPF record ends in ~all or -all (never +all), stays within the ten-DNS-lookup limit once the lookups inside your ESP’s include: are counted, and that the DKIM selector your ESP signs with still publishes a key. If those are good to go, the next step is DMARC. A p=quarantine or p=reject policy stops copycat notifications sent from your exact domain, but only for mail that fails both SPF and DKIM alignment, so confirm the ESP signs with your domain (or an aligned subdomain) before turning it on, and if you are currently at p=none, review the aggregate (rua) reports first so you don’t reject your own notification. DMARC covers your domain and its subdomains (set sp= to make the subdomain policy explicit); it does nothing about cousin domains, which is one more reason to send from a subdomain your customers can verify.
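As an added example for this tip (not code from the article or from 250ok), the script below lints the text of SPF, DKIM and DMARC records for the points above: a missing or permissive `all`, more than ten lookup terms, a revoked DKIM key or `t=y` testing flag, and a DMARC policy that does not enforce or that reports to nobody. It works offline on record strings, so the records in it are constructed samples under `.invalid`; in practice you would fetch the live TXT records first (for instance with dnspython’s `dns.resolver.resolve(name, "TXT")`) and pass the text in.

```python
"""Pre-send lint for SPF, DKIM and DMARC TXT records (added example, offline).

All record strings used here are constructed samples, not live DNS data.
"""
from __future__ import annotations
import re

# SPF terms that each consume one of the ten permitted DNS lookups (RFC 7208 4.6.4).
# Lookups nested inside a referenced include: also count; an offline lint cannot see those.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def lint_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means it passed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = "+"                     # the implicit qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get Neutral, not Fail")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets anyone pass SPF; use ~all or -all")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} lookup terms exceed the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    return findings


def _tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' record (DKIM and DMARC share this syntax) into a dict."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def lint_dkim(record: str) -> list[str]:
    """Findings for the TXT record at <selector>._domainkey.<domain>."""
    tags = _tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":   # v= is optional, but must be DKIM1 if present
        return ["unexpected DKIM version tag"]
    findings = []
    if not tags.get("p"):                             # empty p= is how a key is revoked
        findings.append("empty or missing p= tag: key is revoked, signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: verifiers treat signatures as if unsigned")
    return findings


def lint_dmarc(record: str) -> list[str]:
    """Findings for the TXT record at _dmarc.<domain>."""
    tags = _tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("sp", policy).lower() == "none" and policy not in ("", "none"):
        findings.append("sp=none leaves subdomains unenforced while the org domain is enforced")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only that share of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will get no aggregate reports to spot breakage")
    return findings


def preflight(spf: str, dkim: str, dmarc: str) -> dict[str, list[str]]:
    """Run all three lints; the send is clear only when every list is empty."""
    return {"spf": lint_spf(spf), "dkim": lint_dkim(dkim), "dmarc": lint_dmarc(dmarc)}


if __name__ == "__main__":
    # Constructed samples: a weak set as often found, then the corrected set.
    # The p= values are truncated placeholders, not real keys.
    print(preflight("v=spf1 include:_spf.esp.invalid +all",
                    "v=DKIM1; t=y; p=MIGfMA0GCSqGSIb3",
                    "v=DMARC1; p=none"))
    print(preflight("v=spf1 include:_spf.esp.invalid ip4:192.0.2.0/24 -all",
                    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3",
                    "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.invalid"))
```

The lookup count is deliberately conservative: it counts only the terms visible in your own record, so a single `include:` that fans out into several more at the ESP can still push a record over the limit. Resolve the chain (or use a tool that does) before trusting a clean result.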

Tip 4: Follow data minimization best practices

If you have already been impacted by a data breach, this tip requires a time machine. But, it’s never too late to start following data minimization best practices. Be smart about what data your company needs and more importantly, what data it doesn’t need.

  • Don’t save unnecessary data: Do you need the data to complete the job? If not, don’t save it!
  • Encryption, encryption, encryption: Should I say it again? Encryption costs more in the short-term, but will save you big bucks in the long run (remember how data breaches cost on average almost $4 million?). Two caveats: encryption at rest only helps if the keys are managed separately from the data (a database dump that ships with its key protects nothing), and it does not stop an attacker who reads the data through a legitimate application account, so it complements data minimization rather than replacing it.
  • Set time limits: Unfortunately, there are no clear-cut guidelines on how long you should keep consumer data. Regularly review the data you store and consider how often you use it. Set internal policies surrounding the age of the data you require and determine after what length of time it should be deleted or anonymized.
  • Prepare for employee turnover: According to an Osterman Research survey of IT and HR decision-makers, 69 percent of companies suffered significant data loss resulting from employees who left. When employees leave, their data access often goes unaddressed, leaving orphaned accounts and credentials for attackers to take advantage of. Know what data permissions your employees have and revoke them when they leave.
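As an added example for the “don’t save unnecessary data” and “set time limits” items (not code from the article), the script below applies a tiered retention policy to a customer table: recent records are kept, stale ones are stripped to a keyed pseudonym plus the fields reporting needs, and expired ones are deleted. The tier thresholds, field names and key are assumptions for illustration, and the rows are constructed samples.

```python
"""Retention sweep for a customer table (added example; constructed sample data)."""
from __future__ import annotations
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed policy: keep active customers, pseudonymize stale ones so they can
# still be counted, delete outright once there is no business reason to keep them.
KEEP_DAYS = 365
DELETE_AFTER_DAYS = 730
# A keyed HMAC rather than a bare hash: an unkeyed SHA-256 of an email address
# is reversed by simply hashing a list of known addresses. Keep this key in a
# secrets manager, separate from the data; the value here is a placeholder.
PSEUDONYM_KEY = b"placeholder-key-replace-me"


def pseudonymize(email: str) -> str:
    """Stable, keyed identifier: stale rows can be counted but not contacted."""
    normalized = email.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()


def apply_retention(records: list[dict], now: datetime) -> dict[str, list]:
    """Split records into keep / anonymize / delete by age of last activity."""
    kept, anonymized, deleted = [], [], []
    for rec in records:
        age = now - rec["last_activity"]
        if age <= timedelta(days=KEEP_DAYS):
            kept.append(rec)
        elif age <= timedelta(days=DELETE_AFTER_DAYS):
            # Keep only what aggregate reporting needs; every direct identifier is dropped.
            anonymized.append({
                "id": rec["id"],
                "pseudonym": pseudonymize(rec["email"]),
                "signup_year": rec["signup"].year,
            })
        else:
            deleted.append(rec["id"])
    return {"keep": kept, "anonymize": anonymized, "delete": deleted}


def sample_records(now: datetime) -> list[dict]:
    """Constructed sample rows: an active, a stale and an expired customer."""
    def row(i: int, days_ago: int) -> dict:
        return {
            "id": i,
            "email": f"user{i}@example.invalid",
            "name": f"Customer {i}",
            "postal_address": f"{i} Example St",
            "signup": now - timedelta(days=days_ago + 30),
            "last_activity": now - timedelta(days=days_ago),
        }
    return [row(1, 10), row(2, 400), row(3, 900)]


def run_sample() -> dict[str, list]:
    """Run the sweep over the sample rows at a fixed reference time."""
    now = datetime(2019, 3, 1, tzinfo=timezone.utc)
    return apply_retention(sample_records(now), now)


if __name__ == "__main__":
    for tier, rows in run_sample().items():
        print(tier, rows)
```

Run as a scheduled job against a real table, the “delete” list is what gets purged and the “anonymize” list is what replaces the original rows; either way the breach-notification list you would ever have to send is only the “keep” tier.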

Bonus tip: Before you send out that data breach notification email, run your list through a list validation tool to clean out the bad addresses. If you have alternative addresses for users whose emails come back invalid, such as a mailing address, send them a letter instead.

Let’s face it. You’re not going to be able to avoid any and all negative impact on your deliverability. Regardless of how cautious you are with your email distribution, you’re going to hit some spam traps and you’re going to have some undeliverable emails. But with these tips, you can minimize the negative impact the breach has on your reputation in the long-term.

Matthew Vernhout

Matthew Vernhout is a digital messaging industry veteran and Certified International Privacy Professional (Canada) (CIPP/C) with nearly two decades of experience in email marketing. Matthew is 250ok’s Director of Privacy, and he is currently the Vice Chair of the eec, after serving for several years as the Chair of their Advocacy Subcommittee.
