COLORADO DATA BREACH NOTIFICATION PACKAGE
(Template – For Immediate Attorney Review & Customization)
[// GUIDANCE: This package contains two model letters that satisfy Colorado’s security-breach notification statute, C.R.S. § 6-1-716. Letter A is directed to the Colorado Attorney General; Letter B is directed to affected Colorado residents. Complete all bracketed placeholders, delete GUIDANCE notes, and attach any referenced exhibits before issuing. Issue no later than 30 calendar days after determination of a qualifying breach.]
TABLE OF CONTENTS
- Letter A – Notification to the Colorado Attorney General
- Letter B – Notification to Affected Colorado Residents
2.1. Attachment 1 – “Steps You Can Take to Protect Your Information” (model enclosure)
LETTER A
Notification to the Colorado Attorney General
[Entity Letterhead]
[Date]
The Honorable [Attorney General’s Full Name]
Office of the Colorado Attorney General
Ralph L. Carr Judicial Center
1300 Broadway, 10th Floor
Denver, CO 80203
Re: Security Breach Notification – [ENTITY NAME] – Pursuant to C.R.S. § 6-1-716
Attorney General [Last Name]:
[// GUIDANCE: Keep this opening paragraph brief and factual.]
On [Date of Determination], [Entity Name] (“Company”) determined that a security incident occurred involving the personal information of approximately [Number] Colorado residents. In accordance with C.R.S. § 6-1-716, Company provides the following information:
- Incident Summary
a. Date(s) of breach: [Estimated or Confirmed Breach Date Range].
b. Date breach was discovered: [Date].
c. Date determination was made that notification is required: [Date].
d. Nature of the incident (e.g., external system intrusion, stolen laptop, inadvertent disclosure): [Description—concise, non-speculative].
- Type of Personal Information Involved
The incident may have involved one or more of the following data elements for affected individuals:
• [e.g., Social Security numbers]
• [Driver’s license or state identification numbers]
• [Financial account numbers + required access codes]
• [Medical / health insurance information]
• [Biometric data]
(collectively, “Personal Information”).
- Scope of Impact
• Total individuals affected: [Total Number].
• Colorado residents affected: [Number] (≥ 500).
• Other jurisdictions affected (if any): [States / Countries].
- Remediation & Mitigation Measures
• Containment actions completed: [e.g., disabled compromised credentials, isolated servers].
• Ongoing/Completed forensic investigation by [Third-Party Firm Name] initiated [Date].
• Enhanced security controls: [Multi-factor authentication, endpoint monitoring, etc.].
• Complimentary identity-theft protection offered to affected individuals: [Provider, Duration].
- Consumer Notice
• Method(s) of consumer notice: [First-class mail / email / substitute notice] commencing no later than [Date ≤ 30 days from determination].
• Sample consumer notice letter enclosed as Attachment B-1.
- Law-Enforcement Coordination
• [If applicable] Company consulted with [Law-Enforcement Agency] on [Date]; agency advised that consumer notification would not impede any investigation.
- Company Contact for Follow-Up
• Name/Title: [Authorized Contact]
• Telephone: [Direct Number]
• Email: [Email Address]
• Mailing Address: [Physical Address]
Please contact me with any questions or if additional information is required.
Respectfully submitted,
[Signature]
[Typed Name]
[Title]
[Entity Name]
[Direct Phone] | [Email]
LETTER B
Notification to Affected Colorado Residents
[Entity Letterhead]
[Date]
[Recipient Name]
[Street Address]
[City], CO [ZIP]
Re: Notice of Data Security Incident
Dear [Recipient Name],
[// GUIDANCE: The following headings mirror FTC/AG-preferred plain-language format.]
- What Happened?
On [Date of Determination], we learned that unauthorized access to our computer network occurred between approximately [Breach Date Range]. Upon discovery, we immediately commenced an investigation with independent cybersecurity experts and notified law enforcement. The incident has been contained.
- What Information Was Involved?
The investigation determined that the following information relating to you may have been accessed or acquired: [describe data elements plainly, e.g., “your name and Social Security number”]. Importantly, no passwords or PINs for your financial accounts were affected. We have no evidence of actual or attempted misuse of your information.
- What We Are Doing.
• Engaged leading forensic specialists to confirm the scope of the incident.
• Implemented additional safeguards, including [e.g., multi-factor authentication, enhanced logging].
• We are providing you with [XX] months of complimentary [credit monitoring/identity-theft protection] through [Provider Name]. Instructions for enrollment appear in Attachment 1. We will cover the cost entirely.
• We have established a dedicated call center at [Toll-Free Number], available [Days/Hours].
- What You Can Do.
Please review Attachment 1 for steps you can take to protect your personal information, including placing fraud alerts and security freezes, and obtaining free credit reports. We recommend that you remain vigilant by reviewing account statements and monitoring free credit reports.
- For More Information.
If you have questions, please call our toll-free hotline at [Number] or email us at [Email]. When calling, please reference the following engagement code: [Code].
We regret any inconvenience or concern this incident may cause you and remain committed to safeguarding your information.
Sincerely,
[Signature]
[Typed Name]
[Title]
[Entity Name]
Attachment 1
Steps You Can Take to Protect Your Information
- Review Your Accounts. Monitor account statements and credit reports. Obtain free credit reports at www.annualcreditreport.com or 1-877-322-8228.
- Fraud Alert. Contact any one of the three major credit bureaus to place a free one-year fraud alert.
• Equifax – 1-800-685-1111 | www.equifax.com
• Experian – 1-888-397-3742 | www.experian.com
• TransUnion – 1-888-909-8872 | www.transunion.com
- Security Freeze. You may place a free security freeze that prevents new credit from being opened. Contact each bureau using the information above.
- Identity Theft Report. If you believe you are a victim of identity theft, visit the Federal Trade Commission at www.identitytheft.gov or call 1-877-ID-THEFT. File a police report if appropriate.
- Additional Resources. Colorado residents can obtain information on security-breach response from the Colorado Attorney General at www.coag.gov.
[// GUIDANCE: If health information was involved, include HHS breach-notification information; if driver’s-license or tax information was involved, include Colorado DMV or Department of Revenue contacts.]
COMPLIANCE CHECKLIST
[// GUIDANCE: Retain this page internally – do NOT send to AG or consumers.]
☐ 30-day statutory deadline (C.R.S. § 6-1-716(2)) tracked
☐ Breach involves ≥ 500 Colorado residents → AG notice required
☐ Consumer notice drafted in plain language, includes all required elements
☐ Attachments finalized (identity-theft resources, credit-monitoring instructions)
☐ Law-enforcement consultation documented
☐ Consumer reporting agencies notified if ≥ 1,000 total individuals affected
☐ Document retention plan in place (minimum 2 years)
[END OF TEMPLATE]