Connecticut Data Breach Notification Letter Template Package
[// GUIDANCE: This court-ready package is designed for immediate customization and use by counsel representing an entity that has experienced a “Breach of Security” involving Connecticut residents. It contains (i) a master set of legally operative clauses allocating risk and documenting compliance, and (ii) two fully-drafted form letters—one for the Connecticut Attorney General (“AG”) and one for affected Connecticut residents. All bracketed language must be tailored before release.]
TABLE OF CONTENTS
I. Document Header
II. Definitions
III. Operative Provisions
IV. Representations & Warranties
V. Covenants & Restrictions
VI. Default & Remedies
VII. Risk Allocation
VIII. Dispute Resolution
IX. General Provisions
X. Execution Block
Annex A – Form of Notice to the Connecticut Attorney General
Annex B – Form of Notice to Affected Connecticut Residents
Annex C – Credit Bureau & FTC Contact Information
I. DOCUMENT HEADER
Document Title: Connecticut Data Breach Notification Package
Issuing Party: [LEGAL NAME OF COMPANY], a [STATE] [corporation/LLC/etc.] with its principal place of business at [ADDRESS] (“Company”).
Effective Date: [DATE OF ISSUANCE] (“Effective Date”).
Governing Law: Conn. Gen. Stat. § 36a-701b and related Connecticut privacy statutes (“State Data Breach Law”).
Purpose: To memorialize Company’s compliance with State Data Breach Law and to transmit statutorily-required notices in connection with the Breach of Security first discovered on [DISCOVERY DATE].
II. DEFINITIONS
For purposes of this Package (including all Annexes), the following capitalized terms have the meanings set forth below:
- “Affected Individual” means each natural person who is a resident of Connecticut and whose Personal Information was or is reasonably believed to have been compromised in the Breach.
- “Breach of Security” or “Breach” has the meaning assigned in Conn. Gen. Stat. § 36a-701b, namely the unauthorized access to or acquisition of computerized data that compromises the security, confidentiality, or integrity of Personal Information.
- “Notification Date” means the date on which written notice is transmitted to Affected Individuals and to the AG in accordance with Section III.
- “Personal Information” has the meaning assigned in Conn. Gen. Stat. § 36a-701b (a)(2), including but not limited to an individual’s first name or first initial and last name in combination with one or more of the following data elements: Social Security number; driver’s license or state identification number; financial-account, debit-card, or credit-card number (with or without additional access data); medical information; health-insurance information; biometric identifiers; or user name or e-mail address in combination with a password or security question and answer.
- “Identity Theft Prevention Services” means, collectively, identity-theft monitoring and mitigation services meeting or exceeding the minimum standards of Conn. Gen. Stat. § 36a-701b (b), to be provided for at least twenty-four (24) months at no cost to each Affected Individual.
III. OPERATIVE PROVISIONS
3.1 Timing of Notification. Company shall provide written notice of the Breach to (a) the AG and (b) each Affected Individual without unreasonable delay, and in no event later than sixty (60) days after discovery of the Breach, except where a law-enforcement delay applies under Conn. Gen. Stat. § 36a-701b (c).
3.2 Content of Notices. Each notice shall, at a minimum, contain the information enumerated in Annex A (AG Notice) or Annex B (Consumer Notice), as applicable, and any additional disclosures reasonably required by subsequent regulatory guidance.
3.3 Identity Theft Services. If the Breach involved or is reasonably believed to have involved a Social Security number, Company shall provide each Affected Individual with Identity Theft Prevention Services in accordance with Section II(5) and shall include detailed enrollment instructions in the Consumer Notice.
3.4 Record Retention. Company shall retain for not less than five (5) years from the Notification Date (a) written documentation of compliance with this Package, (b) a copy of all notices sent, (c) evidence of mailing dates, and (d) any correspondence with the AG regarding the Breach.
3.5 Law-Enforcement Hold. If a law-enforcement agency determines that notification would impede a criminal investigation and provides Company with a written request for delay, Company may defer the notices for the period specified by such agency, not to exceed ninety (90) days, unless renewed.
IV. REPRESENTATIONS & WARRANTIES
4.1 Authority. Company represents that the undersigned signatory possesses full corporate authority to execute and deliver the notices annexed hereto.
4.2 Accuracy of Information. Company warrants that, to the best of its knowledge after diligent inquiry, the factual statements contained in the notices are accurate and complete as of the Effective Date, subject to ongoing investigation disclosures.
4.3 Survival. The warranties in this Section IV shall survive delivery of the notices for a period of two (2) years.
V. COVENANTS & RESTRICTIONS
5.1 Compliance Covenant. Company covenants that it will comply in all material respects with State Data Breach Law and any instructions received from the AG.
5.2 Remedial Measures. Company shall promptly implement reasonable security and remedial measures to prevent a recurrence of the Breach, including employee re-training, system hardening, and penetration testing.
5.3 Non-Waiver of Statutory Rights. Nothing in this Package shall be construed to restrict any statutory rights or remedies of Affected Individuals or the AG.
VI. DEFAULT & REMEDIES
6.1 Default. Failure to issue the notices within the statutory timeframe constitutes a default under this Package and may subject Company to statutory penalties under Conn. Gen. Stat. § 36a-701b (g).
6.2 Cure Period. Upon written notice from the AG alleging non-compliance, Company shall have five (5) business days to demonstrate compliance or cure the default before further enforcement action.
6.3 Remedies. The AG may seek all remedies available at law or in equity, including civil penalties, injunctive relief, and restitution. Company reserves the right to contest any such action in the forum specified in Section VIII.
VII. RISK ALLOCATION
7.1 Statutory Penalties. Company acknowledges that liability for a violation of State Data Breach Law is limited to the statutory penalties and remedies expressly provided therein.
7.2 No Contractual Indemnification. Given the consumer-protection nature of the notices, no indemnity obligations are created in favor of any party.
VIII. DISPUTE RESOLUTION
8.1 Governing Law. This Package and any dispute arising out of the Breach shall be governed by the laws of the State of Connecticut without regard to its conflict-of-laws rules.
8.2 Forum Selection. The superior courts of the State of Connecticut shall have exclusive jurisdiction over any proceeding arising hereunder. Company irrevocably submits to such jurisdiction.
[// GUIDANCE: Arbitration, jury-waiver, and injunctive-relief provisions are intentionally omitted as per the Metadata.]
IX. GENERAL PROVISIONS
9.1 Amendments. This Package may be amended only by a written instrument executed by an authorized officer of Company.
9.2 Severability. If any provision herein is held unenforceable, the remaining provisions shall remain in full force and effect.
9.3 Entire Agreement. This Package, together with its Annexes, constitutes the entire agreement of the parties hereto with respect to the subject matter and supersedes all prior drafts.
9.4 Electronic Signatures. Signatures transmitted by electronic means shall be deemed original.
X. EXECUTION BLOCK
IN WITNESS WHEREOF, the undersigned has caused this Package to be executed as of the Effective Date.
| [COMPANY LEGAL NAME] | |
| By: __________ | Date: ___ [MONTH DD, YYYY] |
| Name: ________ | |
| Title: _______ | |
ANNEX A
FORM OF NOTICE TO THE CONNECTICUT ATTORNEY GENERAL
[// GUIDANCE: Deliver via e-mail to [email protected] and hard copy to the address listed on the AG’s website. Replace bracketed text. Attach a copy of the Consumer Notice (Annex B).]
[COMPANY LETTERHEAD]
[DATE]
VIA EMAIL AND FIRST-CLASS MAIL
Office of the Attorney General
Attn: Privacy & Data Security Section
165 Capitol Avenue
Hartford, CT 06106
Email: [email protected]
Re: Notice of Data Breach – Conn. Gen. Stat. § 36a-701b
Dear Attorney General [NAME]:
[1] Nature of the Breach
On [DISCOVERY DATE], [COMPANY LEGAL NAME] (“Company”) discovered unauthorized access to [briefly describe affected system] resulting in a “Breach of Security” as that term is defined in Conn. Gen. Stat. § 36a-701b.
[2] Date(s) of Breach
The unauthorized activity occurred between [START DATE] and [END DATE]. Company detected the intrusion on [DISCOVERY DATE] and contained it on [CONTAINMENT DATE].
[3] Personal Information Involved
The investigation determined that the following data elements relating to Connecticut residents were, or are reasonably believed to have been, compromised:
• [☐ Social Security numbers]
• [☐ Driver’s license or state ID numbers]
• [☐ Financial account information]
• [☐ Medical or health-insurance information]
• [☐ User names/e-mail addresses with passwords or security answers]
No misuse of the data has been confirmed to date. The files did not contain payment-card CVV codes or unencrypted PIN numbers.
[4] Number of Connecticut Residents Affected
Company has identified approximately [###] Connecticut residents whose Personal Information was involved.
[5] Services Offered
Because Social Security numbers were involved, Company is offering, at no cost, twenty-four (24) months of credit monitoring, identity-theft protection, and fraud-resolution services through [SERVICE PROVIDER NAME]. Enrollment instructions are included in the enclosed Consumer Notice.
[6] Steps Taken
Immediately upon discovery, Company:
a. Isolated the affected servers and engaged a forensic cybersecurity firm;
b. Reset all employee credentials and enabled multi-factor authentication;
c. Implemented enhanced intrusion-detection and log-monitoring tools; and
d. Notified federal and state law-enforcement agencies.
[7] Law-Enforcement Investigation
Company notified [AGENCY NAME] on [DATE]. At this time, no law-enforcement hold is in effect.
[8] Contact Information
Please direct any inquiries to:
[CONTACT NAME], [TITLE]
[PHONE] | [EMAIL] | [ADDRESS]
Company intends to mail consumer notices on [INTENDED MAILING DATE], within sixty (60) days of discovery, in compliance with Conn. Gen. Stat. § 36a-701b (b).
Sincerely,
[NAME]
[TITLE]
[COMPANY LEGAL NAME]
Enclosure: Form of Consumer Notice
ANNEX B
FORM OF NOTICE TO AFFECTED CONNECTICUT RESIDENTS
[// GUIDANCE: 1) Use at least 10-point font. 2) Do NOT list the specific data elements on the envelope or subject line. 3) Send by first-class mail unless the statute’s electronic-notice criteria are met. 4) Retain proof of mailing.]
[COMPANY LOGO or NAME]
[COMPANY ADDRESS]
[PHONE] | [EMAIL] | [WEBSITE]
[DATE]
Notice of Data Breach
Dear [FIRST NAME LAST NAME]:
What Happened?
On [DISCOVERY DATE], we discovered unauthorized access to certain Company computer systems. Our investigation determined that an unauthorized individual accessed data between [START DATE] and [END DATE].
What Information Was Involved?
The information involved may have included your [select applicable: Social Security number, driver’s license number, financial-account number, medical information, user name and password, etc.].
What We Are Doing
• We immediately secured our systems, engaged leading cybersecurity experts, and notified law enforcement.
• We are enhancing our technical safeguards, including multi-factor authentication and continuous network monitoring.
• At no cost to you, we are providing 24 months of identity-theft protection and credit-monitoring services through [SERVICE PROVIDER], which includes $1 million in identity-theft insurance and fraud-resolution assistance. To enroll, visit [URL] or call [PHONE] and use Activation Code: [CODE] by [ENROLLMENT DEADLINE].
What You Can Do
We encourage you to remain vigilant by reviewing account statements, monitoring free credit reports, and promptly reporting any suspicious activity. You may place a fraud alert or security freeze on your credit files at no charge. Contact details for the major credit reporting agencies and the Federal Trade Commission appear in Annex C.
For More Information
If you have questions, please call [TOLL-FREE NUMBER] Monday through Friday between [HOURS], or e-mail us at [EMAIL].
We regret any inconvenience or concern this incident may cause and remain committed to protecting your information.
Sincerely,
[NAME]
[TITLE]
[COMPANY LEGAL NAME]
ANNEX C
CREDIT BUREAU & FTC CONTACT INFORMATION
[// GUIDANCE: These addresses rarely change, but verify before mailing.]
• Equifax — P.O. Box 105788, Atlanta, GA 30348-5788 | 800-349-9960
• Experian — P.O. Box 9554, Allen, TX 75013 | 888-397-3742
• TransUnion — P.O. Box 2000, Chester, PA 19016-2000 | 800-680-7289
• Federal Trade Commission — 600 Pennsylvania Avenue NW, Washington, DC 20580 | 877-438-4338 | www.identitytheft.gov
[// GUIDANCE: After customizing and executing this Package, retain a signed copy in the Company’s compliance files and upload the AG notice through the Connecticut AG breach-reporting portal if required. Prior to mailing, confirm that no law-enforcement delay is outstanding and that all timing requirements under Conn. Gen. Stat. § 36a-701b are satisfied.]