When users of the organization's services are potentially exposed to a significant information security threat, the organization must communicate this to them, including all possible remedial measures that users can take themselves to protect against the threat.
When necessary for clarity of communication, the organization must also include more general information about the related information security threat in its communication.