ALABAMA DATA BREACH NOTIFICATION LETTER TEMPLATE PACKET
(Compliant with the Alabama Data Breach Notification Act, Ala. Code §§ 8-38-1 et seq.)
[// GUIDANCE: This packet contains two stand-alone notification letters—(A) notice to the Alabama Attorney General (“AG Notice”) and (B) notice to affected consumers (“Consumer Notice”). Select and customize the appropriate template(s) based on the number of Alabama residents affected. Under Ala. Code § 8-38-5(a), individual notice is always required; AG notice is required only if 1,000 or more Alabama residents are affected.]
TABLE OF CONTENTS
- AG Notice – Attorney General of Alabama
- Consumer Notice – Alabama Resident
1. ATTORNEY GENERAL NOTICE
(Use ONLY if ≥1,000 Alabama residents are affected, Ala. Code § 8-38-5(c).)
DOCUMENT HEADER
Re: Data Breach Notification – [Organization Legal Name] (“Company”)
Date: [Month Day, Year]
Delivery Method: [Certified Mail / Overnight Courier / E-mail] (choose all applicable)
Office of Alabama Attorney General Steve Marshall
Consumer Protection Section
P.O. Box 300152
Montgomery, AL 36130-0152
E-mail: [email protected]
1. Executive Summary of Incident
Pursuant to Ala. Code § 8-38-5(c), Company hereby notifies the Alabama Attorney General that a breach of security involving Sensitive Personally Identifying Information (“SPII,” defined below) has occurred.
2. Definitions
“Sensitive Personally Identifying Information” or “SPII” has the meaning assigned in Ala. Code § 8-38-2(6) and includes, without limitation, an Alabama resident’s first name or first initial and last name in combination with one or more of the following data elements:
a. Social Security number;
b. Driver’s license, passport, or other state- or government-issued identification number;
c. Financial account number, credit card number, or debit card number in combination with any required security code or password;
d. Medical or mental health information;
e. Health-insurance-policy number or unique identifier;
f. User name or e-mail address in combination with a password or security question that would permit access to an online account.
3. Nature of the Breach
• Incident Date(s): [Insert specific or estimated date range]
• Date of Breach Determination (trigger date for 45-day clock): [Month Day, Year]
• Breach Vector: [e.g., Phishing, Ransomware, Lost Device, Insider Threat]
• Description: [Concise description of events leading to unauthorized acquisition of SPII.]
4. Information Compromised
Identify each category of SPII reasonably believed to have been acquired. Example:
• Full name + Social Security number
• Full name + bank account number + routing number
5. Scope of Impact
• Total Alabama Residents Affected: [Number]
• Total Individuals Nationwide (if different): [Number]
6. Steps Taken to Date
• Immediately initiated the incident-response plan and contained the threat.
• Engaged a third-party digital forensics firm on [Date].
• Reset authentication credentials enterprise-wide.
• Implemented endpoint detection and continuous monitoring solutions.
7. Consumer Mitigation Services
[Describe credit-monitoring, identity-theft-protection, or other remediation services offered, including duration (minimum 12 months is industry best practice).]
8. Law-Enforcement Contact
[// GUIDANCE: Disclosure is optional but recommended under § 8-38-5(c)(3).]
• Agency: [e.g., Federal Bureau of Investigation, Cyber Division]
• Case/Reference No.: [XXXX]
• Agent Name / Contact Info: [Telephone, E-mail]
9. Company Contact Information
[Designate a toll-free number, dedicated e-mail address, and postal address for AG staff.]
10. Enclosures
• Sample Consumer Notice letter (required)
• Any additional supporting documentation
11. No Admission of Liability
This notification is provided pursuant to Ala. Code §§ 8-38-1 et seq. and does not constitute an admission of liability, fault, or wrongdoing, nor does it constitute a waiver of any defenses available at law or in equity.
Respectfully submitted,
[Authorized Signatory Name]
[Title]
[Organization Legal Name]
[Telephone]
[E-mail]
2. CONSUMER NOTICE
(Required for EACH affected Alabama resident, Ala. Code § 8-38-5(a).)
DOCUMENT HEADER
IMPORTANT NOTICE OF DATA BREACH
[Organization Letterhead]
[Date]
Greeting
Dear [First Name Last Name] / [“Valued Customer” if name unavailable],
1. What Happened?
On [incident determination date], we determined that unauthorized access to certain Company systems occurred between [date range]. During this incident, files containing your Sensitive Personally Identifying Information (“SPII”) were compromised.
2. What Information Was Involved?
Based on our investigation, the following SPII relating to you was involved:
• [Social Security number]
• [Driver’s license number]
• [Financial account number]
[// GUIDANCE: Do NOT include the actual data elements (e.g., do not print the full SSN) per best practices and to avoid further risk.]
3. What We Are Doing
• We immediately contained and eradicated the threat.
• We engaged a leading cybersecurity firm to conduct a forensic analysis.
• We notified, and are cooperating with, law-enforcement authorities.
• We are offering you [12/24] months of complimentary [credit monitoring/identity theft protection] through [Service Provider], including $[Amount] identity-theft insurance and fraud-resolution support. To enroll, please follow the instructions in Section 5 below.
4. What You Can Do
We recommend that you:
1. Review your account statements and credit reports for unauthorized activity.
2. Consider placing a fraud alert or security freeze on your credit file.
3. Remain vigilant and promptly report any suspicious activity to law enforcement and the relevant financial institution.
5. How to Enroll in Complimentary Credit Monitoring
To activate your services:
• Visit: [Enrollment URL]
• Enter Activation Code: [CODE]
• Deadline to Enroll: [Date – not less than 90 days from letter date]
6. Other Important Information
You are entitled to one free credit report annually from each of the three nationwide credit-reporting agencies. Contact information is below:
• Equifax – 1-800-525-6285 | www.equifax.com
• Experian – 1-888-397-3742 | www.experian.com
• TransUnion – 1-800-680-7289 | www.transunion.com
You may also obtain information about identity theft from the Federal Trade Commission (“FTC”): 1-877-ID-THEFT (877-438-4338) or www.identitytheft.gov.
7. For More Information
If you have questions, please contact our dedicated incident-response line at [toll-free number] Monday through Friday from [hours], or e-mail us at [incident e-mail].
8. No Admission of Liability
This notice is provided in accordance with the Alabama Data Breach Notification Act and does not constitute an admission of liability or wrongdoing.
Sincerely,
[Authorized Signatory Name]
[Title]
[Organization Legal Name]
[Telephone]
[E-mail]
KEY STATUTORY TIMING REQUIREMENTS (FOR INTERNAL USE)
[// GUIDANCE: Do NOT include this box in outbound letters.]
• Clock starts on the date the organization determines that a breach has occurred.
• Individual notice must be dispatched “as expeditiously as possible and without unreasonable delay,” but no later than 45 days after determination.
• AG notice (if required) must be sent within the same 45-day window.
OPTIONAL INTERNAL CHECKLIST
[// GUIDANCE: Retain for counsel’s file.]
☐ Investigation completed and breach determination date recorded
☐ 45-day calendar entered and monitored
☐ Letter templates reviewed by outside counsel
☐ Toll-free hotline staffed and scripts finalized
☐ Credit-monitoring service agreement executed
☐ Sample Consumer Notice provided to AG (if ≥1,000 residents)
☐ Proofs of mailing retained for five years
END OF TEMPLATE PACKET