STATE OF GEORGIA
PERSONAL DATA BREACH NOTIFICATION LETTER
(Template – For Immediate Customization and Issuance)
[// GUIDANCE: This template contains two coordinated letters. “Part I” is the letter to the Georgia Attorney General (recommended although not expressly mandated under current Georgia law; the user has requested AG notification). “Part II” is the consumer-facing notification required by O.C.G.A. § 10-1-912. Delete any inapplicable paragraphs and complete all [PLACEHOLDER] fields before release. Send each letter on the organization’s letterhead and via an appropriate delivery method (e.g., overnight courier or first-class mail for consumers; electronic submission if the AG implements an online portal).]
TABLE OF CONTENTS
- Part I – Attorney General Notification Letter
  - Document Header
  - Narrative of the Incident
  - Scope of Affected Georgia Residents
  - Information Categories Compromised
  - Remediation Measures Implemented
  - Consumer Notification Plan & Timing
  - Law-Enforcement Coordination
  - Statutory Basis and Compliance Statement
  - Contact for Follow-Up
- Part II – Consumer Notification Letter
  - Document Header
  - What Happened
  - What Information Was Involved
  - What We Are Doing
  - What You Can Do
  - Other Important Information
  - How to Contact Us
- Exhibit A – Complimentary Credit Monitoring Enrollment Instructions (optional)
PART I – ATTORNEY GENERAL NOTIFICATION LETTER
(To: Attorney General of the State of Georgia)
1. Document Header
Date: [DATE]
Via [DELIVERY METHOD]
Office of the Attorney General
State of Georgia
ATTN: Consumer Protection Division
40 Capitol Square, S.W.
Atlanta, Georgia 30334
Re: Notice of Data Breach Affecting Georgia Residents – [ORGANIZATION LEGAL NAME]
2. Narrative of the Incident
Pursuant to O.C.G.A. § 10-1-912 and applicable best-practice guidelines, [ORGANIZATION LEGAL NAME] (the “Company”) hereby notifies the Office of the Attorney General of an incident involving the unauthorized acquisition of unencrypted personal information of certain Georgia residents.
On [DETECTION DATE], the Company discovered evidence of unauthorized access to its [SYSTEM/DATABASE] that initially occurred on or about [INCIDENT WINDOW]. Immediately upon discovery, the Company initiated its incident-response plan, engaged forensic investigators, and contained the intrusion on [CONTAINMENT DATE]. The investigation concluded on [INVESTIGATION END DATE] and confirmed that specific personal information, as defined under O.C.G.A. § 10-1-911(6), was accessed and exfiltrated.
3. Scope of Affected Georgia Residents
Total Georgia residents impacted: approximately [NUMBER] individuals.
[// GUIDANCE: If >10,000 GA residents are affected, a simultaneous notice to the nationwide CRAs is required under O.C.G.A. § 10-1-912(b).]
4. Information Categories Compromised
The compromised data elements vary by individual and may include one or more of the following:
• Full name
• Social Security number
• Driver’s license or state identification number
• Financial account number in combination with any required access code, PIN, or password
• [ADDITIONAL CATEGORIES]
5. Remediation Measures Implemented
- Network containment and password resets completed on [DATE].
- Engaged third-party cybersecurity specialists to conduct a forensic investigation and bolster perimeter defenses.
- Implemented multi-factor authentication organization-wide.
- Offered impacted individuals [NUMBER] months of complimentary credit monitoring and identity-theft protection services through [SERVICE PROVIDER].
6. Consumer Notification Plan & Timing
• Method: Written notice via first-class mail (and e-mail where available).
• Commencement Date: No later than [DATE] (within the “most expedient time possible and without unreasonable delay,” consistent with O.C.G.A. § 10-1-912(a)).
• Content: Conforms to O.C.G.A. § 10-1-912(c) and industry standards (see Part II).
7. Law-Enforcement Coordination
On [LAW-ENFORCEMENT NOTIFICATION DATE], the Company notified [LAW-ENFORCEMENT AGENCY] and has deferred to its guidance to avoid compromising the ongoing investigation.
8. Statutory Basis and Compliance Statement
This notice is provided in good-faith compliance with Georgia’s data-breach notification statute, O.C.G.A. §§ 10-1-910 et seq. The Company will maintain relevant records for a minimum of five (5) years and will promptly supplement this submission if new material facts emerge.
9. Contact for Follow-Up
Primary Contact: [NAME, TITLE]
Address: [STREET ADDRESS]
Phone: [DIRECT LINE]
E-mail: [EMAIL ADDRESS]
Respectfully submitted,
[AUTHORIZED SIGNATORY NAME]
[TITLE]
[ORGANIZATION LEGAL NAME]
PART II – CONSUMER NOTIFICATION LETTER
(To: Affected Georgia Resident)
[ORGANIZATION LETTERHEAD]
[DATE]
Dear [CONSUMER NAME],
1. What Happened
We are writing to inform you of a data security incident that may have involved your personal information. On [DETECTION DATE], we discovered that an unauthorized party gained access to our [SYSTEM/DATABASE]. Our investigation determined that the unauthorized access occurred between [INCIDENT WINDOW].
2. What Information Was Involved
The personal information involved may have included some or all of the following:
• [LIST SPECIFIC DATA ELEMENTS]
Please note that not every data element was involved for every individual.
3. What We Are Doing
• Immediately secured the affected systems and engaged leading cybersecurity experts.
• Notified federal and state law-enforcement authorities.
• Enhanced our security controls, including multi-factor authentication and network segmentation.
• Arranged for you to receive [NUMBER] months of complimentary credit monitoring and identity-theft protection through [SERVICE PROVIDER]. Instructions for enrollment are provided in Exhibit A.
4. What You Can Do
We encourage you to take the following precautions:
1. Enroll in the complimentary credit-monitoring service.
2. Review your account statements and credit reports for suspicious activity.
3. Consider placing a fraud alert or security freeze on your credit file.
4. Remain vigilant and promptly report any suspected identity theft to the FTC, your local law enforcement agency, and the Company.
Contact information for the nationwide consumer reporting agencies is included below:
• Equifax: 1-800-685-1111 | www.equifax.com
• Experian: 1-888-397-3742 | www.experian.com
• TransUnion: 1-800-680-7289 | www.transunion.com
5. Other Important Information
Under federal law you are entitled to one free credit report annually from each of the three major nationwide credit reporting agencies. To order, visit www.annualcreditreport.com or call 1-877-322-8228.
6. How to Contact Us
If you have questions, please contact our dedicated response line at [TOLL-FREE NUMBER] between [HOURS OF OPERATION], or e-mail us at [EMAIL ADDRESS].
We regret any inconvenience or concern this incident may cause you and are committed to protecting your information.
Sincerely,
[AUTHORIZED SIGNATORY NAME]
[TITLE]
[ORGANIZATION LEGAL NAME]
EXHIBIT A
Credit Monitoring & Identity-Theft Protection Enrollment Instructions
[// GUIDANCE: Insert step-by-step enrollment instructions provided by the service vendor, including any unique activation code, deadline for enrollment (typically 90 days from letter date), and coverage summary.]
LEGAL NOTICES & DISCLAIMERS
[// GUIDANCE: The following provisions are defensive drafting elements designed to mitigate residual liability exposure. Retain or adapt as appropriate.]
- No Admission. This correspondence is provided in compliance with O.C.G.A. § 10-1-912 and is not, and shall not be construed as, an admission of liability, wrongdoing, or violation of law.
- Reservation of Rights. The Company expressly reserves all legal rights and defenses available under applicable law.
- Confidentiality. To the extent permitted by law, the contents of Part I are submitted on a confidential basis and shall not be disclosed beyond the Office of the Attorney General except as may be required by law.
[// GUIDANCE: End of template. Confirm all cross-references, bracketed placeholders, and dates before issuance. Maintain an internal incident file containing (i) forensic reports, (ii) copies of all notifications, and (iii) proof of mailing for statutory record-keeping purposes.]