An article by Bradley Barth raises a number of good points for entities to consider — BEFORE they ever need to send breach notification emails.
And not only does the article describe considerations for entities/senders, but the article also provides some tips for recipients of notification emails:
…the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) last week released best practices recommendations for sender organizations on securely delivering mandated emails. Additionally, the organization shared with SC Media additional recommendations for recipients of these emails.
Read the article on SCMagazine. I found myself thinking about things we’ve seen entities do — like creating a new domain to post breach information on. But as M3AAWG points out, a new domain has no reputation, so recipients of any email sent from it may trust the email less. So what should senders do? And what should recipients do? Read the article for some thoughtful consideration.