State Data Breach Notification Letter

STATE OF GEORGIA

PERSONAL DATA BREACH NOTIFICATION LETTER

(Template – For Immediate Customization and Issuance)

TABLE OF CONTENTS

1. Part I – Attorney General Notification Letter
2. Document Header
3. Narrative of the Incident
4. Scope of Affected Georgia Residents
5. Information Categories Compromised
6. Remediation Measures Implemented
7. Consumer Notification Plan & Timing
8. Law-Enforcement Coordination
9. Statutory Basis and Compliance Statement
10. Contact for Follow-Up
11. Part II – Consumer Notification Letter
12. Document Header
13. What Happened
14. What Information Was Involved
15. What We Are Doing
16. What You Can Do
17. Other Important Information
18. How to Contact Us
19. Exhibit A – Complimentary Credit Monitoring Enrollment Instructions (optional)

PART I – ATTORNEY GENERAL NOTIFICATION LETTER

(To: Attorney General of the State of Georgia)

1. Document Header

Date: [DATE]

Via [DELIVERY METHOD]

Office of the Attorney General
State of Georgia
ATTN: Consumer Protection Division
40 Capitol Square, S.W.
Atlanta, Georgia 30334

Re: Notice of Data Breach Affecting Georgia Residents – [ORGANIZATION LEGAL NAME]

2. Narrative of the Incident

Pursuant to O.C.G.A. § 10-1-912 and applicable best-practice guidelines, [ORGANIZATION LEGAL NAME] (the “Company”) hereby notifies the Office of the Attorney General of an incident involving the unauthorized acquisition of unencrypted personal information of certain Georgia residents.

On [DETECTION DATE], the Company discovered evidence of unauthorized access to its [SYSTEM/DATABASE] that initially occurred on or about [INCIDENT WINDOW]. Immediately upon discovery, the Company initiated its incident-response plan, engaged forensic investigators, and contained the intrusion on [CONTAINMENT DATE]. The investigation concluded on [INVESTIGATION END DATE] and confirmed that specific personal information, as defined under O.C.G.A. § 10-1-911(6), was accessed and exfiltrated.

3. Scope of Affected Georgia Residents

Total Georgia residents impacted: approximately [NUMBER] individuals.

4. Information Categories Compromised

The compromised data elements vary by individual and may include one or more of the following:
• Full name
• Social Security number
• Driver’s license or state identification number
• Financial account number in combination with any required access code, PIN, or password
• [ADDITIONAL CATEGORIES]

5. Remediation Measures Implemented

1. Network containment and password resets completed on [DATE].
2. Engaged third-party cybersecurity specialists to conduct a forensic investigation and bolster perimeter defenses.
3. Implemented multi-factor authentication organization-wide.
4. Offered impacted individuals [NUMBER] months of complimentary credit monitoring and identity-theft protection services through [SERVICE PROVIDER].

6. Consumer Notification Plan & Timing

• Method: Written notice via first-class mail (and e-mail where available).
• Commencement Date: No later than [DATE] (within the “most expedient time possible and without unreasonable delay,” consistent with O.C.G.A. § 10-1-912(a)).
• Content: Conforms to O.C.G.A. § 10-1-912(c) and industry standards (see Part II).

7. Law-Enforcement Coordination

On [LAW-ENFORCEMENT NOTIFICATION DATE], the Company notified [LAW-ENFORCEMENT AGENCY] and has deferred to their guidance to avoid compromising the ongoing investigation.

8. Statutory Basis and Compliance Statement

This notice is provided in good-faith compliance with Georgia’s data-breach notification statute, O.C.G.A. §§ 10-1-910 et seq. The Company will maintain relevant records for a minimum of five (5) years and will promptly supplement this submission if new material facts emerge.

9. Contact for Follow-Up

Primary Contact: [NAME, TITLE]
Address: [STREET ADDRESS]
Phone: [DIRECT LINE]
E-mail: [EMAIL ADDRESS]

Respectfully submitted,

[AUTHORIZED SIGNATORY NAME]
[TITLE]
[ORGANIZATION LEGAL NAME]

PART II – CONSUMER NOTIFICATION LETTER

(To: Affected Georgia Resident)

[ORGANIZATION LETTERHEAD]
[DATE]

Dear [CONSUMER NAME],

1. What Happened

We are writing to inform you of a data security incident that may have involved your personal information. On [DETECTION DATE], we discovered that an unauthorized party gained access to our [SYSTEM/DATABASE]. Our investigation determined that the unauthorized access occurred between [INCIDENT WINDOW].

2. What Information Was Involved

The personal information involved may have included some or all of the following:
• [LIST SPECIFIC DATA ELEMENTS]

Please note that not every data element was involved for every individual.

3. What We Are Doing

• Immediately secured the affected systems and engaged leading cybersecurity experts.
• Notified federal and state law-enforcement authorities.
• Enhanced our security controls, including multi-factor authentication and network segmentation.
• Arranged for you to receive [NUMBER] months of complimentary credit monitoring and identity-theft protection through [SERVICE PROVIDER]. Instructions for enrollment are provided in Exhibit A.

4. What You Can Do

We encourage you to take the following precautions:

1. Enroll in the complimentary credit-monitoring service.
2. Review your account statements and credit reports for suspicious activity.
3. Consider placing a fraud alert or security freeze on your credit file.
4. Remain vigilant and promptly report any suspected identity theft to the FTC, your local law enforcement agency, and the Company.

Contact information for the nationwide consumer reporting agencies is included below:
• Equifax: 1-800-685-1111 | www.equifax.com
• Experian: 1-888-397-3742 | www.experian.com
• TransUnion: 1-800-680-7289 | www.transunion.com

5. Other Important Information

Under federal law you are entitled to one free credit report annually from each of the three major nationwide credit reporting agencies. To order, visit www.annualcreditreport.com or call 1-877-322-8228.

6. How to Contact Us

If you have questions, please contact our dedicated response line at [TOLL-FREE NUMBER] between [HOURS OF OPERATION], or e-mail us at [EMAIL ADDRESS].

We regret any inconvenience or concern this incident may cause you and are committed to protecting your information.

Sincerely,

[AUTHORIZED SIGNATORY NAME]
[TITLE]
[ORGANIZATION LEGAL NAME]

EXHIBIT A

Credit Monitoring & Identity-Theft Protection Enrollment Instructions

LEGAL NOTICES & DISCLAIMERS

1. No Admission. This correspondence is provided in compliance with O.C.G.A. § 10-1-912 and is not, and shall not be construed as, an admission of liability, wrongdoing, or violation of law.
2. Reservation of Rights. The Company expressly reserves all legal rights and defenses available under applicable law.
3. Confidentiality. To the extent permitted by law, the contents of Part I are submitted on a confidential basis and shall not be disclosed beyond the Office of the Attorney General except as may be required by law.