Receipts / Learn / How to document a data breach notification

How to document a data breach notification

You receive a letter or email informing you that your personal information was exposed in a data breach. Maybe it's from a company you do business with, a healthcare provider, or an employer. The notice tells you what happened, what data was affected, and what the company is offering - usually credit monitoring. Most people read the notice, feel uneasy, and do nothing else.

That gap between receiving the notice and taking no documented action can become costly. If the breach leads to identity theft, fraudulent accounts, or financial harm months or years later, your ability to connect that harm to the breach depends on the records you kept when the notification arrived.

Save the original notification

The breach notification itself is your first and most important document. Save the complete, unaltered original.

If it arrived by postal mail, scan or photograph every page, front and back, including the envelope with the postmark. Store the physical letter in a safe place and the digital copy in a folder you can access later.

If it arrived by email, save the complete email including headers. Forward it to yourself or export it as a PDF. Don't rely on the email remaining in your inbox - providers may delete old messages, and you may change email accounts.

Key details to note from the notification:

  • Date you received it. Not the date of the breach or the date of the letter - when it reached you. This matters for statute of limitations calculations.
  • What data was exposed. Names, Social Security numbers, dates of birth, financial account numbers, medical information, login credentials. The type of data determines your risk profile.
  • The date range of the breach. When the unauthorized access began and when it was discovered. This helps establish a timeline if unauthorized activity appears on your accounts.
  • What remediation is offered. Credit monitoring, identity theft protection, a dedicated phone line, a specific website for affected individuals.
  • Deadlines. Enrollment deadlines for free credit monitoring, deadlines to file claims, or time limits for any offered compensation.

Enroll in offered services and document the enrollment

If the breach notification offers free credit monitoring or identity protection, enroll and document that you did so. Save the confirmation email, the enrollment date, and your login credentials for the monitoring service.

Take a screenshot of the enrollment confirmation page. Some companies use third-party monitoring services that may change their platforms, and having proof that you enrolled through the breach program can matter if you need to file a claim later.

Set a calendar reminder for when the free monitoring period expires. Many breach-related monitoring services run for 12 to 24 months. When the coverage ends, you'll need to decide whether to continue monitoring on your own.

Check your accounts and create a baseline

Within a few days of receiving a breach notification, review the accounts most likely to be affected by the type of data exposed.

If financial information was compromised, check your bank and credit card statements. If Social Security numbers were involved, pull your credit reports from all three bureaus. If login credentials were exposed, change passwords for the affected service and any other accounts that used the same credentials.

Document the state of your accounts at this point. This baseline record shows what your accounts looked like shortly after the breach notification, before any potential fraudulent activity. If unauthorized charges or accounts appear later, your baseline demonstrates what was and wasn't present at the time you checked.

Take screenshots of your credit reports, account balances, and any relevant account activity. Date them. Save them alongside the breach notification in the same folder.

File formal reports if needed

If you discover unauthorized activity that may be connected to the breach, document each step you take to address it.

Credit bureau fraud alerts or freezes. If you place a fraud alert or credit freeze, save the confirmation from each bureau. Note the date, the bureau, and any PIN or password assigned for lifting the freeze.

FTC identity theft reports. The FTC's IdentityTheft.gov service generates a report and a recovery plan. Save the report number, the date filed, and any communications from the FTC.

Police reports. Some jurisdictions allow or require a police report for identity theft. Save the report number, the date filed, and a copy of the report if provided.

Communications with affected financial institutions. If you dispute unauthorized transactions or accounts, document every interaction. Save dispute letters, confirmation numbers, and resolution notices. Follow up verbal disputes in writing: "I'm writing to confirm the fraud dispute I filed by phone today regarding [specific transaction]. The representative I spoke with was [name], and the reference number is [number]."

Build a breach-specific folder

Create a single folder - physical, digital, or both - dedicated to this specific breach. Include:

  • The original notification (scanned or saved)
  • Your notes on when you received it and what data was exposed
  • Credit monitoring enrollment confirmation
  • Baseline screenshots of your credit reports and account statements
  • Any fraud alerts, freezes, or identity theft reports filed
  • Correspondence with affected companies
  • Records of time spent dealing with the breach (dates, hours, activities)

The time-spent record is often overlooked but can be relevant. Some breach settlements and class action claims allow recovery for time spent addressing the breach's consequences. A log showing that you spent two hours freezing credit accounts, an hour changing passwords, and 45 minutes on the phone with your bank is more useful than a rough estimate produced months later.

Why timing matters

Data breach consequences don't always appear immediately. It can take months or years for stolen data to be used. A Social Security number exposed in a breach today might be used to open a fraudulent account 18 months from now. When that happens, your ability to connect the fraud to the breach depends on your documentation.

A well-organized breach folder lets you show: the notification you received, the data that was exposed, the baseline state of your accounts after the breach, and the unauthorized activity that appeared later. That chain of documentation - notification, baseline, harm - is the structure that supports an insurance claim, a legal action, or a class action participation.

Without that folder, you're reconstructing events from memory, trying to locate old emails in a cluttered inbox, and hoping the credit monitoring service kept records you can still access. The few hours you spend documenting at the time of notification can save you many more hours later.

Get early access

Be among the first to use Receipts. We are rolling out access gradually to ensure quality and safety for every user.

No spam. Unsubscribe anytime. Your email is never shared.