State Data Breach Notification Letter

California Data Breach Notification Package

(Cal. Civ. Code § 1798.82 compliance)

TABLE OF CONTENTS

1. Defined Terms & Statutory Checklist
2. Consumer Notice of Data Breach (to Affected California Residents)
3. Cover Letter to California Attorney General
4. Optional Enclosures

1. DEFINED TERMS & STATUTORY CHECKLIST

1.1 Defined Terms

• “Company” = [LEGAL NAME OF NOTIFYING ENTITY]
• “Incident” = [SHORT NAME/DESCRIPTOR FOR EVENT]
• “Notification Date” = [MM/DD/YYYY]
• “Breach Period” = [MM/DD–MM/DD/YYYY]
• “Personal Information” = Data elements defined in Cal. Civ. Code § 1798.82(h).
• “Residents” = All California individuals whose data was compromised.

1.2 Statutory Content Requirements (Cal. Civ. Code § 1798.82(d))

✅ Plain-language notice titled “Notice of Data Breach”
✅ Company’s name & contact information
✅ Breach Period & Discovery Date
✅ Description of the Incident (general, non-technical)
✅ Categories of Personal Information involved
✅ Whether notice was delayed for law-enforcement needs
✅ Toll-free numbers of the three nationwide credit bureaus (if SSN/DL# involved)
✅ Advice on steps Residents can take to protect themselves
✅ If credentials compromised: instruction to promptly change passwords
✅ 12-point font minimum

2. CONSUMER NOTICE OF DATA BREACH

(to be delivered by first-class mail or electronically, consistent with Cal. Civ. Code § 1798.82(j))

NOTICE OF DATA BREACH
(Cal. Civ. Code § 1798.82)

Date: [NOTIFICATION DATE]

Dear [RESIDENT NAME]:

What Happened?

On [DISCOVERY DATE], Company learned that unauthorized activity in our [SYSTEM TYPE] resulted in access to certain personal information of California residents. Our investigation indicates the Incident occurred during the Breach Period of [BREACH PERIOD]. We contained the Incident on [CONTAINMENT DATE] and engaged leading cybersecurity specialists to assist.

What Information Was Involved?

Based on our investigation, the following types of Personal Information relating to you may have been subject to unauthorized access and/or acquisition:
• [☐ Social Security number]
• [☐ Driver’s license or state identification number]
• [☐ Financial account / payment-card information]
• [☐ Medical / health insurance information]
• [☐ Username and password and/or security question/answer]
(Only the checked boxes apply.)

What We Are Doing

• Immediately secured the affected systems and commenced a forensic review.
• Notified and are fully cooperating with law enforcement.
• Implemented additional technical and administrative safeguards.
• Offering you [12/24] months of complimentary credit monitoring and identity-theft protection through [SERVICE PROVIDER] (enrollment details below).

What You Can Do

1. Enroll in the complimentary credit-monitoring service by [ENROLLMENT DEADLINE].
2. Monitor your account statements and credit reports.
3. Consider placing a fraud alert or security freeze on your credit files.
4. Promptly change any online credentials that may overlap with those exposed.

For More Information

If you have questions, please call our dedicated, toll-free hotline at [PHONE] Monday through Friday, [HOURS], or email us at [EMAIL].

Contact Information for the Three Nationwide Credit Reporting Agencies

• Equifax: 1-800-525-6285 | www.equifax.com
• Experian: 1-888-397-3742 | www.experian.com
• TransUnion: 1-800-680-7289 | www.transunion.com

We deeply regret any inconvenience this Incident may cause and remain committed to safeguarding your information.

Sincerely,

[AUTHORIZED SIGNATORY]
[NAME & TITLE]
[COMPANY LEGAL NAME]
[MAILING ADDRESS] | [PHONE] | [EMAIL]

This notice is provided in compliance with Cal. Civ. Code § 1798.82 and does not constitute an admission of liability or wrongdoing.

3. COVER LETTER TO CALIFORNIA ATTORNEY GENERAL

(submit electronically at https://oag.ca.gov/ecrime/databreach/report-breach OR attach this letter to the on-line form when ≥ 500 Residents are affected)

[COMPANY LETTERHEAD]

Date: [NOTIFICATION DATE]

California Attorney General
Privacy Enforcement Section
Attn: Data Security Breach Reporting
P.O. Box 944255
Sacramento, CA 94244-2550

Re: Data Breach Notification – [COMPANY LEGAL NAME] – Cal. Civ. Code § 1798.82(g)

Dear Attorney General:

Pursuant to California Civil Code § 1798.82(g), [COMPANY LEGAL NAME] (“Company”) hereby submits this notice regarding a data security Incident affecting approximately [NUMBER] California residents.

1. Nature of the Incident:
   • On [DISCOVERY DATE], Company detected unauthorized [ACCESS/DISCLOSURE] to [SYSTEM].
   • The unauthorized actor gained access between [BREACH PERIOD].

2. Personal Information Involved:
   • [LIST CATEGORIES – e.g., Social Security numbers, driver’s license numbers, etc.]

3. Mitigation Measures Implemented:
   • Systems isolated and secured.
   • Independent forensic investigation engaged.
   • Complimentary [12/24]-month credit monitoring offered to affected residents.
   • Enhanced multi-factor authentication across all privileged accounts.

4. Law-Enforcement Involvement:
   • Incident reported to [AGENCY] on [DATE]. Company will cooperate fully with any investigation.

5. Consumer Notification:
   • Notices mailed/emailed on [NOTIFICATION DATE] to [AFFECTED COUNT] California residents.
   • A specimen copy of the Consumer Notice is enclosed.

6. Contact Information:
   • Primary Contact: [CONTACT NAME, TITLE]
   • Address: [ADDRESS]
   • Telephone: [PHONE]
   • Email: [EMAIL]

Please contact the undersigned with any questions.

Respectfully submitted,

[AUTHORIZED SIGNATORY]
[NAME & TITLE]
[COMPANY LEGAL NAME]

Enclosure: Specimen Notice of Data Breach
CC: [OUTSIDE COUNSEL, IF APPLICABLE]

This submission is made under Cal. Civ. Code § 1798.82 and is confidential to the fullest extent allowed by law.

4. OPTIONAL ENCLOSURES

1. Specimen Consumer Notice (required for CA OAG submission)
2. FAQs Sheet for Call-Center Representatives
3. Step-by-Step Enrollment Instructions for Credit-Monitoring Service

END OF TEMPLATE