State Data Breach Notification Letter
ALABAMA DATA BREACH NOTIFICATION LETTER TEMPLATE PACKET
(Compliant with the Alabama Data Breach Notification Act, Ala. Code §§ 8-38-1 et seq.)
TABLE OF CONTENTS
- AG Notice – Attorney General of Alabama
- Consumer Notice – Alabama Resident
1. ATTORNEY GENERAL NOTICE
(Use ONLY if ≥1,000 Alabama residents are affected, Ala. Code § 8-38-5(c).)
DOCUMENT HEADER
Re: Data Breach Notification – [Organization Legal Name] (“Company”)
Date: [Month Day, Year]
Delivery Method: [Certified Mail / Overnight Courier / E-mail] (choose all applicable)
Office of Alabama Attorney General Steve Marshall
Consumer Protection Section
P.O. Box 300152
Montgomery, AL 36130-0152
E-mail: [email protected]
1. Executive Summary of Incident
Pursuant to Ala. Code § 8-38-5(c), Company hereby notifies the Alabama Attorney General that a breach of security involving Sensitive Personally Identifying Information (“SPII,” defined below) has occurred.
2. Definitions
“Sensitive Personally Identifying Information” or “SPII” has the meaning assigned in Ala. Code § 8-38-2(6) and includes, without limitation, an Alabama resident’s first name or first initial and last name in combination with one or more of the following data elements:
a. Social Security number;
b. Driver’s license, passport, or other state- or government-issued identification number;
c. Financial account number, credit card number, or debit card number in combination with any required security code or password;
d. Medical or mental health information;
e. Health-insurance-policy number or unique identifier;
f. User name or e-mail address in combination with a password or security question that would permit access to an online account.
3. Nature of the Breach
• Incident Date(s): [Insert specific or estimated date range]
• Date of Breach Determination (trigger date for 45-day clock): [Month Day, Year]
• Breach Vector: [e.g., Phishing, Ransomware, Lost Device, Insider Threat]
• Description: [Concise description of events leading to unauthorized acquisition of SPII.]
4. Information Compromised
Identify each category of SPII reasonably believed to have been acquired. Example:
• Full name + Social Security number
• Full name + bank account number + routing number
5. Scope of Impact
• Total Alabama Residents Affected: [Number]
• Total Individuals Nationwide (if different): [Number]
6. Steps Taken to Date
- Immediately initiated incident-response plan and contained threat.
- Engaged third-party digital forensics firm on [Date].
- Reset authentication credentials enterprise-wide.
- Implemented endpoint detection and continuous monitoring solutions.
7. Consumer Mitigation Services
[Describe credit-monitoring, identity-theft-protection, or other remediation services offered, including duration (minimum 12 months is industry best practice).]
8. Law-Enforcement Contact
• Agency: [e.g., Federal Bureau of Investigation, Cyber Division]
• Case/Reference No.: [XXXX]
• Agent Name / Contact Info: [Telephone, E-mail]
9. Company Contact Information
[Designate a toll-free number, dedicated e-mail address, and postal address for AG staff.]
10. Enclosures
• Sample Consumer Notice letter (required)
• Any additional supporting documentation
11. No Admission of Liability
This notification is provided pursuant to Ala. Code §§ 8-38-1 et seq. and does not constitute an admission of liability, fault, or wrongdoing, nor does it constitute a waiver of any defenses available at law or in equity.
Respectfully submitted,
_____________________________________
[Authorized Signatory Name]
[Title]
[Organization Legal Name]
[Telephone]
[E-mail]
2. CONSUMER NOTICE
(Required for EACH affected Alabama resident, Ala. Code § 8-38-5(a).)
DOCUMENT HEADER
IMPORTANT NOTICE OF DATA BREACH
[Organization Letterhead]
[Date]
Greeting
Dear [First Name Last Name] / [“Valued Customer” if name unavailable],
1. What Happened?
On [incident determination date], we determined that unauthorized access to certain Company systems occurred between [date range]. During this incident, files containing your Sensitive Personally Identifying Information (“SPII”) were compromised.
2. What Information Was Involved?
Based on our investigation, the following SPII relating to you was involved:
• [Social Security number]
• [Driver’s license number]
• [Financial account number]
3. What We Are Doing
• Immediately contained and eradicated the threat.
• Engaged a leading cybersecurity firm to conduct a forensic analysis.
• Notified and are cooperating with law-enforcement authorities.
• We are offering you [12/24] months of complimentary [credit monitoring/identity theft protection] through [Service Provider], including $[Amount] identity-theft insurance and fraud-resolution support. To enroll, please follow the instructions in Section 5 below.
4. What You Can Do
We recommend that you:
- Review your account statements and credit reports for unauthorized activity.
- Consider placing a fraud alert or security freeze on your credit file.
- Remain vigilant and promptly report any suspicious activity to law enforcement and the relevant financial institution.
5. How to Enroll in Complimentary Credit Monitoring
To activate your services:
• Visit: [Enrollment URL]
• Enter Activation Code: [CODE]
• Deadline to Enroll: [Date – not less than 90 days from letter date]
6. Other Important Information
You are entitled to one free credit report annually from each of the three nationwide credit-reporting agencies. Contact information is below:
• Equifax – 1-800-525-6285 | www.equifax.com
• Experian – 1-888-397-3742 | www.experian.com
• TransUnion – 1-800-680-7289 | www.transunion.com
You may also obtain information about identity theft from the Federal Trade Commission (“FTC”): 1-877-ID-THEFT (877-438-4338) or www.identitytheft.gov.
7. For More Information
If you have questions, please contact our dedicated incident-response line at [toll-free number] Monday through Friday from [hours], or e-mail us at [incident e-mail].
8. No Admission of Liability
This notice is provided in accordance with the Alabama Data Breach Notification Act and does not constitute an admission of liability or wrongdoing.
Sincerely,
_____________________________________
[Authorized Signatory Name]
[Title]
[Organization Legal Name]
[Telephone]
[E-mail]
KEY STATUTORY TIMING REQUIREMENTS (FOR INTERNAL USE)
• Clock starts on the date the organization determines that a breach has occurred.
• Individual notice must be dispatched “as expeditiously as possible and without unreasonable delay,” but no later than 45 days after determination.
• AG notice (if required) must be sent within the same 45-day window.
OPTIONAL INTERNAL CHECKLIST
☐ Investigation completed and breach determination date recorded
☐ 45-day calendar entered and monitored
☐ Letter templates reviewed by outside counsel
☐ Toll-free hotline staffed and scripts finalized
☐ Credit-monitoring service agreement executed
☐ Sample Consumer Notice provided to AG (if ≥1,000 residents)
☐ Proofs of mailing retained for five years
END OF TEMPLATE PACKET
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: May 2026