Template – Idaho Data Breach Notification Package
(Prepared for compliance with Idaho Code § 28-51-105 and related federal consumer-reporting notice triggers)
[// GUIDANCE: This package provides two coordinated notices—one to the Idaho Office of the Attorney General (“AG Notice”) and one to impacted consumers (“Consumer Notice”). Complete both documents to satisfy Idaho’s breach-notification framework. Bracketed text indicates required customization. Do not omit the timing footers—they evidence statutory compliance (45-day outside limit).]
TABLE OF CONTENTS
- AG NOTICE
1.1 Document Header
1.2 Incident Summary
1.3 Scope of Impact
1.4 Remediation & Mitigation
1.5 Consumer Notification Plan
1.6 Contact Information - CONSUMER NOTICE
2.1 Letter Header
2.2 What Happened
2.3 What Information Was Involved
2.4 What We Are Doing
2.5 What You Can Do
2.6 For More Information - EXHIBIT A – OPTIONAL CREDIT-MONITORING ENROLLMENT TERMS
1. AG NOTICE
1.1 Document Header
[COMPANY LETTERHEAD]
Date: [MM/DD/YYYY]
Via [Certified Mail / Courier / Secure E-Mail]
Hon. [Full Name], Consumer Protection Division
Office of the Attorney General, State of Idaho
700 W. Jefferson St., P.O. Box 83720
Boise, ID 83720-0010
Re: Notice of Data Security Breach Pursuant to Idaho Code § 28-51-105
1.2 Incident Summary
• Breach Determination Date: [MM/DD/YYYY]
• Breach Discovery Date: [MM/DD/YYYY]
• Breach Window (if known): [MM/DD/YYYY – MM/DD/YYYY]
• Incident Vector: [e.g., Phishing, Ransomware, Third-Party Vendor]
• Systems Affected: [General Description]
[// GUIDANCE: “Determination” is the date the company could reasonably conclude a breach occurred. Idaho’s 45-day clock runs from this date.]
1.3 Scope of Impact
• Total Idaho Residents Impacted: [###]
• Total U.S. Residents Impacted: [###]
• Personal Information (“PI”) Types Exposed:
– [Full Name]
– [Social Security Number]
– [Driver’s License / State ID Number]
– [Financial Account / Payment Card]
– [Medical Information]
• Idaho Consumer-Reporting Agency Notice: [Yes/No]
– Triggered because affected persons > 1,000? [Yes/No]
1.4 Remediation & Mitigation
• Containment Measures Implemented:
– [System Isolation; Password Resets; Patch Deployment]
• Law-Enforcement Notification:
– Contacted [Agency, Case #], on [MM/DD/YYYY]
• Future Safeguards:
– [MFA Rollout, Enhanced Logging, Vendor Re-Assessment]
• Offered Services: [12/24/36] months of credit monitoring & ID theft protection via [Provider]
1.5 Consumer Notification Plan
• Notice Method(s): [First-Class Mail / E-Mail / Substitute Notice]
• First Mailed/E-Mailed On or Before: [MM/DD/YYYY] (≤ 45 days from determination)
• Sample Consumer Notice: See Section 2 of this Package
1.6 Contact Information
Company Contact: [Name, Title]
Address: [Street, City, State, ZIP]
Telephone: [(###) ###-####]
E-Mail: [[email protected]]
Respectfully submitted,
[AUTHORIZED SIGNATORY]
[Name], [Title]
[Company Legal Name]
[// GUIDANCE: Keep an executed copy with delivery proof for statutory record-keeping.]
2. CONSUMER NOTICE
(Idaho residents – personalize for each recipient)
2.1 Letter Header
[COMPANY LETTERHEAD]
[Date]
[Recipient Name]
[Address]
City, State ZIP
2.2 What Happened
On [Determination Date], we confirmed that an unauthorized actor gained access to certain [Company] systems between [Breach Window]. We discovered the incident on [Discovery Date] and immediately initiated an investigation, secured our environment, and engaged leading cybersecurity experts.
2.3 What Information Was Involved
The investigation determined that the following types of your personal information may have been exposed:
• [☐ Full Name]
• [☐ Social Security Number]
• [☐ Driver’s License or State Identification Number]
• [☐ Financial Account / Payment Card Information]
• [☐ Medical or Health Insurance Information]
At this time, we have no evidence that your information has been misused; however, we are notifying you so that you can take proactive steps to protect yourself.
2.4 What We Are Doing
- We contained the incident, eradicated the threat, and are strengthening our security controls (including multifactor authentication, advanced endpoint monitoring, and employee training).
- We have reported the breach to the Idaho Attorney General and, where required, federal consumer-reporting agencies.
- We are offering you [12/24/36] months of complimentary credit monitoring and identity-theft protection through [Provider]. See the enclosed Exhibit A for enrollment instructions and key terms.
2.5 What You Can Do
We strongly encourage you to:
• Enroll in the complimentary credit-monitoring service by [Enrollment Deadline].
• Review the enclosed “Fraud Prevention Tips,” which includes how to place a fraud alert or security freeze on your credit files at no cost.
• Remain vigilant by reviewing account statements and monitoring free credit reports for suspicious activity.
• Immediately report any suspected identity theft to law enforcement, the Idaho Attorney General, and the Federal Trade Commission at IdentityTheft.gov.
2.6 For More Information
If you have questions, please contact our dedicated response line at [(###) ###-####], Monday through Friday, [8:00 a.m.–8:00 p.m.] Mountain Time, or email us at [[email protected]].
We regret any inconvenience this incident may cause and remain committed to safeguarding your personal information.
Sincerely,
[AUTHORIZED SIGNATORY]
[Name], [Title]
[Company Legal Name]
3. EXHIBIT A – OPTIONAL CREDIT-MONITORING ENROLLMENT TERMS
[// GUIDANCE: Insert the vendor’s standard enrollment language, unique activation code fields, and statutory credit-freeze instructions. Include FCRA Summary of Rights if >1,000 consumers nationwide.]
STATUTORY TIMING FOOTER
Notice provided on: [MM/DD/YYYY]
45-day statutory deadline under Idaho Code § 28-51-105: [MM/DD/YYYY]
(This footer should remain in final copies for defensibility.)
[// GUIDANCE: After customization, convert to PDF on company letterhead. Retain evidence of mailing/e-mailing, AG delivery receipt, CRA notifications, and a copy of all materials shipped to consumers. Maintain breach file for at least five (5) years in accordance with generally accepted record-retention policies.]