DISTRICT OF COLUMBIA
DATA BREACH NOTIFICATION LETTER TEMPLATE
(Prepared for compliance with the District of Columbia Security Breach Protection Act, D.C. Code § 28-3851 et seq.)
[// GUIDANCE: This template contains two parts—(i) mandatory notice to the D.C. Office of the Attorney General (“OAG”) and (ii) the consumer-facing notice required to be provided to each affected District resident. Customize all bracketed fields, verify facts, and consult with incident-response counsel prior to issuance.]
TABLE OF CONTENTS
- Attorney General Notice
- Exhibit A – Consumer Notice (Resident Letter)
- Exhibit B – Identity Theft & Credit Monitoring Service Instructions (include only if required)
1. ATTORNEY GENERAL NOTICE
(Deliver via certified mail, overnight courier, or the OAG’s electronic portal, at least ten (10) days before, or simultaneously with, consumer notice.)
[COMPANY LETTERHEAD]
[PHYSICAL ADDRESS] | [PHONE] | [EMAIL]
DATE: [MM/DD/YYYY]
VIA: [Certified Mail / Overnight Courier / OAG Portal]
Office of the Attorney General for the District of Columbia
Consumer Protection Section
400 Sixth Street NW
Washington, DC 20001
RE: Notice of Security Breach – [COMPANY LEGAL NAME]
(pursuant to D.C. Code § 28-3851 et seq.)
A. Identity of the Covered Entity
- Legal Name: [COMPANY LEGAL NAME]
- Trade/DBA Names (if any): [DBA]
- Principal Address: [ADDRESS]
- Point of Contact Regarding Breach:
• Name/Title: [NAME, TITLE]
• Telephone: [###-###-####]
• Email: [EMAIL]
B. Incident Overview
- Date(s) of Breach: [MM/DD/YYYY–MM/DD/YYYY]
- Date Discovered: [MM/DD/YYYY]
- Systems Affected: [High-level description]
- Description of the Breach: [Concise factual narrative; avoid privileged conclusions]
C. Personal Information Involved
| Category | Exposed? (Y/N) |
|---|---|
| Social Security / Tax ID Numbers | [ ] |
| Driver’s License / DC ID Numbers | [ ] |
| Credit/Debit Card Numbers + Security Codes | [ ] |
| Medical / Health Information | [ ] |
| Biometric Data | [ ] |
| Username + Password / Access Credentials | [ ] |
| Other (specify) | [ ] |
Total number of District residents affected (reasonably known): [###]
[// GUIDANCE: If > 50,000 District residents are affected, extended credit-monitoring (24 months) is required.]
D. Containment & Remediation Actions
- Date access terminated or vulnerability fixed: [DATE]
- Steps taken to secure systems: [BULLETED LIST]
- Third-party forensic firm engaged: [NAME] (engagement date [DATE])
- Law-enforcement contact (if any): [AGENCY, CONTACT, DATE]
• Is delayed notice requested by law enforcement? [Yes/No] (Attach written request if “Yes”)
E. Consumer Notification Plan
- Planned Notice Date to Residents: [DATE] (within 45 days of discovery)
- Method(s): [First-class mail / Email with active consent / Substitute notice*]
- If substitute notice: describe reason and method (≥ 100k persons or cost > $50,000)
- Sample Consumer Notice: Attached as Exhibit A
- Identity-theft protection/credit-monitoring services: [Provider Name], [18 or 24]-month term (details in Exhibit B)
F. Contact for Follow-Up
For additional information, please contact the undersigned.
Respectfully submitted,
[AUTHORIZED SIGNATORY NAME]
[Title]
[COMPANY LEGAL NAME]
[PHONE] | [EMAIL]
EXHIBIT A
SAMPLE CONSUMER NOTICE – DISTRICT OF COLUMBIA RESIDENT
NOTICE OF DATA SECURITY INCIDENT
[COMPANY LOGO]
Dear [NAME] (or “Dear Parent/Legal Guardian” for minors):
1. What Happened?
On [DATE], we discovered unauthorized access to certain [COMPANY] systems. Our investigation, concluded on [DATE], determined that from [START DATE] to [END DATE] an unauthorized actor may have obtained certain files containing your personal information.
2. What Information Was Involved?
Based on our review, the following information related to you may have been involved: [LIST CATEGORIES – e.g., full name and Social Security number]. We have no evidence of misuse of your information at this time.
3. What We Are Doing
• Immediately contained the incident and engaged leading cybersecurity experts.
• Notified law enforcement.
• Enhanced network monitoring, access controls, and employee security training.
• Identity-Theft & Credit-Monitoring Services: Because your [Social Security number / driver’s license number] was potentially involved, we are offering you [18 or 24] months of complimentary identity-theft protection and credit-monitoring services through [SERVICE PROVIDER]. These services include fraud resolution support and a $1 million insurance reimbursement policy. See Exhibit B for enrollment instructions.
4. What You Can Do
We encourage you to:
1. Enroll in the complimentary services no later than [ENROLLMENT DEADLINE].
2. Review your account statements and credit reports.
3. Consider placing a fraud alert or security freeze.
4. Remain vigilant and report any suspected identity theft.
We have included contact information for the three nationwide consumer reporting agencies, the Federal Trade Commission (“FTC”), and the District of Columbia Office of the Attorney General.
| Agency | Phone | Website |
|---|---|---|
| Equifax | 1-800-685-1111 | www.equifax.com |
| Experian | 1-888-397-3742 | www.experian.com |
| TransUnion | 1-800-916-8800 | www.transunion.com |
| FTC | 1-877-438-4338 | www.IdentityTheft.gov |
| DC OAG | 1-202-442-9828 | oag.dc.gov |
5. For More Information
If you have questions, please contact our dedicated assistance line at [###-###-####] (Monday–Friday, [HOURS EST]), email [EMAIL], or write to [ADDRESS].
We regret any concern or inconvenience this incident may cause and remain committed to safeguarding your information.
Sincerely,
[AUTHORIZED SIGNATORY NAME]
[Title]
[COMPANY LEGAL NAME]
EXHIBIT B
CREDIT-MONITORING & IDENTITY-THEFT PROTECTION INSTRUCTIONS
[// GUIDANCE: Insert the enrollment code process, service description, and key terms supplied by the vendor. Ensure service duration complies with D.C. Code § 28-3851(e)(2)(A).]
KEY COMPLIANCE CHECKLIST (Do Not Send)
[// GUIDANCE: Internal use—remove before sending final notice]
☐ Notice to DC OAG at least 10 days prior to consumer notice
☐ Consumer notices sent within 45 days of discovery
☐ 18-month (or 24-month) credit-monitoring if SSNs or driver’s license numbers affected
☐ Content includes incident description, info categories, remediation steps, consumer steps, contact info, and FTC/OAG resources
☐ Substitute notice only if statutory thresholds met
☐ Law-enforcement delay documented (if applicable)
☐ Maintain breach file for 3 years
© 20[YY] [COMPANY LEGAL NAME]. All rights reserved.