Which of the following must be included in a breach notification?

Including the extent of the breach in a breach notification is critical because it provides individuals whose information may be affected with important context about the nature and scope of the incident. The extent of the breach informs them about what type of information was compromised, how many individuals were affected, and whether their data was extracted, accessed, or otherwise put at risk. This information helps affected individuals understand their potential risk for identity theft or other fraudulent activities.

Moreover, this transparency fosters trust between the entity and the individuals it serves, allowing them to take informed precautions. Knowing the specifics allows individuals to assess their risk and decide what actions they might need to take, such as monitoring their accounts or engaging with credit protection services. Therefore, it's vital to include the extent of the breach as part of the notification process.

In contrast, the other options do not focus directly on the information the affected individuals need to make informed decisions regarding their own data security and risk assessment.