Hacker News

WaitWaitWha, yesterday at 7:58 PM

clear, direct description of what happened

exactly what data was exposed

what they failed to do (we used cheesy email, SMS as MFA, we do not monitor links in our internal emails)

concrete remediation commitments (we will stop using SMS for MFA, use hard tokens or TOTP or..., stop collecting data that is not explicitly needed)

realistic risk explanation (what can happen, what was lost)

published independent external review after remediation/mitigation

board-level accountability (board pay goes for fix and customer protection, part of the audit results)

customer protection (3 - 5 years?), not just 'monitoring'

and most importantly, public shaming of the CxO and the board of directors