State Data Breach Notification Letter

Arizona Data Breach Notification Packet

(Complies with A.R.S. § 18-552 and related Arizona privacy statutes)

TABLE OF CONTENTS
1. Overview & Drafting Instructions
2. Definitions
3. Form A – Attorney General / AZDOHS Notification Letter
4. Form B – Consumer Notification Letter
5. Exhibits & Optional Attachments
    Exhibit 1 – Incident Timeline Worksheet
    Exhibit 2 – Sample Address List Spreadsheet Header
    Exhibit 3 – Credit-Monitoring Offer Language (Optional)

1. OVERVIEW & DRAFTING INSTRUCTIONS

Key statutory checkpoints (A.R.S. § 18-552):
• 45-day notice clock starts on “determination” that a breach occurred.
• Consumer notice must be “clear and conspicuous” and include specific content.
• If ≥1,000 AZ residents are affected, simultaneous notice to:
 – Arizona Attorney General (AG)
 – Director, Arizona Department of Homeland Security (AZDOHS)
 – All nationwide Consumer Reporting Agencies (CRAs)
• Notice may not be required if data were encrypted and encryption keys were not compromised.

2. DEFINITIONS

“Breach” means an unauthorized acquisition of unencrypted or unredacted Personal Information maintained as part of a computerized data system that materially compromises the security, confidentiality, or integrity of the Personal Information, as further defined in A.R.S. § 18-552(A)(3).

“Covered Entity” means [COVERED ENTITY LEGAL NAME], including all subsidiaries and affiliates under its direction or control that were involved in the Incident.

“Determination Date” means the calendar date on which the Covered Entity concluded, after a reasonable and prompt investigation, that a Breach occurred and that notification is required.

“Incident” means the events occurring on or about [INCIDENT DATE RANGE] that resulted in the Breach.

“Personal Information” has the meaning given in A.R.S. § 18-552(A)(9).

3. FORM A – ATTORNEY GENERAL / AZDOHS NOTIFICATION LETTER

(Use when ≥1,000 Arizona residents are affected)

[LETTERHEAD OF COVERED ENTITY]

Date: [DATE]

Via Certified Mail & E-Mail

The Honorable [NAME OF ATTORNEY GENERAL]
Office of the Arizona Attorney General
2005 N. Central Ave.
Phoenix, AZ 85004

Re: Data Breach Notification Pursuant to A.R.S. § 18-552

Dear Attorney General [LAST NAME]:

1. Identity of Covered Entity
[COVERED ENTITY LEGAL NAME] (“Covered Entity”), an entity conducting business in Arizona, hereby provides notice of a data breach involving Arizona residents.

2. Incident Summary
On [INCIDENT DISCOVERY DATE], the Covered Entity discovered unauthorized access to its information systems. A forensic investigation determined that between [BREACH_WINDOW] an unknown actor accessed files containing Personal Information of Arizona residents. The Breach was confirmed on [DETERMINATION DATE] (“Determination Date”).

3. Personal Information Involved
The compromised data may have included one or more of the following data elements combined with an individual’s name:
• Social Security number
• Driver license or state identification number
• Financial account number and/or payment-card data
• [OTHER DATA ELEMENTS]
No evidence suggests misuse of the data to date; nevertheless, the Covered Entity is issuing notice in accordance with A.R.S. § 18-552.

4. Number of Arizona Residents Affected
An estimated [NUMBER_AZ_AFFECTED] Arizona residents were affected. Nationwide, approximately [TOTAL_AFFECTED] individuals were impacted.

5. Consumer Notification Timing & Method
Consistent with A.R.S. § 18-552, written notice will be mailed (and, where applicable, emailed) to affected Arizona residents no later than [CONSUMER_NOTICE_DEADLINE], which is within 45 days of the Determination Date.

6. Steps Taken & Mitigation Measures
• Engaged an independent cybersecurity forensics firm on [FORENSIC_ENGAGEMENT_DATE].
• Contained and eradicated malicious access; reset relevant credentials.
• Implemented enhanced network monitoring and multi-factor authentication.
• Offering [12/24]-month complimentary credit monitoring and identity-theft protection.
• Notifying nationwide CRAs concurrently with this letter.

7. Contact Information
For additional information, please contact [BREACH_RESPONSE_COORDINATOR_NAME], [TITLE], at [PHONE] or [EMAIL].

This notification is provided pursuant to A.R.S. § 18-552 and does not constitute an admission of liability or of any violation of law.

Respectfully submitted,

___________________________
[NAME]
[Title]
[COVERED ENTITY LEGAL NAME]

cc: Director, Arizona Department of Homeland Security
1700 W. Washington St., Suite B-32, Phoenix, AZ 85007

4. FORM B – CONSUMER NOTIFICATION LETTER

(Send to each affected Arizona resident)

[COVERED ENTITY LOGO]

[DATE]

[CUSTOMER_NAME]
[STREET_ADDRESS]
[CITY], [STATE] [ZIP]

Re: Important Notice of Data Breach

Dear [CUSTOMER_NAME],

What Happened?
On [DETERMINATION DATE], we determined that an unauthorized third party gained access to certain files on our computer systems between [BREACH_WINDOW]. We promptly secured our systems and launched a detailed investigation with leading cybersecurity experts.

What Information Was Involved?
The information involved may have included your [SPECIFY DATA ELEMENTS—e.g., Social Security number, driver license number, financial account number, etc.]. At this time, we have no evidence of actual or attempted misuse of your information.

What We Are Doing.
• We contained the Incident, reset credentials, and enhanced network security.
• We are offering you [12/24] months of complimentary credit monitoring and identity-theft protection services through [SERVICE PROVIDER]. Enroll by [ENROLLMENT_DEADLINE] using the code [ENROLLMENT_CODE]. Enrollment instructions are enclosed.
• We have notified the Arizona Attorney General, the Arizona Department of Homeland Security, and the nationwide credit reporting agencies as required by law.

What You Can Do.
We encourage you to take the following precautions:
1. Enroll in the complimentary credit-monitoring service.
2. Review account statements and credit reports for unfamiliar activity.
3. Consider placing a fraud alert or security freeze on your credit files.
4. Remain vigilant and promptly report suspected identity theft to us, your financial institutions, and law enforcement.

Credit Reporting Agency Contact Information
• Equifax | P.O. Box 740256, Atlanta, GA 30374 | (888) 378-4329 | www.equifax.com
• Experian | P.O. Box 2002, Allen, TX 75013 | (888) 397-3742 | www.experian.com
• TransUnion | P.O. Box 2000, Chester, PA 19016 | (800) 680-7289 | www.transunion.com
You may obtain a free copy of your credit report once every 12 months from each CRA at www.annualcreditreport.com or by calling (877) 322-8228.

For More Information.
If you have questions, please call our dedicated response line at [TOLL-FREE_NUMBER], Monday through Friday, [HOURS], or email us at [EMAIL_ADDRESS].

We regret any inconvenience or concern this may cause you and are committed to protecting your information.

Sincerely,

___________________________
[NAME]
[Title]
[COVERED ENTITY LEGAL NAME]

Enclosures: Credit-Monitoring Enrollment Instructions; “Identity Theft Prevention Tips” Sheet

5. EXHIBITS & OPTIONAL ATTACHMENTS

Exhibit 1 – Incident Timeline Worksheet
Exhibit 2 – Sample Address List Spreadsheet Header (Consumer Notice Mailing)
Exhibit 3 – Credit-Monitoring Offer Language (Optional; remove if no monitoring is offered)

DISCLAIMER

This packet is a template for use by qualified counsel. It does not constitute legal advice and must be customized to the facts of each Incident. Statutory citations: Ariz. Rev. Stat. § 18-552 (2023).