State Data Breach Notification Letter

Kentucky Data Breach Notification Packet

(KRS § 365.732 – Security Breach of Personal Information)

TABLE OF CONTENTS

1. KY-AG COVER LETTER
2. CONSUMER NOTIFICATION LETTER (Kentucky Residents)
3. OPTIONAL EXHIBITS
    A. Incident Timeline
    B. Call-Center/FAQ Script
    C. Identity-Theft Protection Enrollment Instructions

1. KY-AG COVER LETTER

[LETTERHEAD OF THE DATA HOLDER]
[Street Address] • [City, State ZIP] • [Telephone] • [Email]

[Date]

By Certified Mail, Return Receipt Requested
AND Electronic Submission (ag.ky.gov Data Breach Portal*)

Office of the Attorney General
Commonwealth of Kentucky
Consumer Protection Division
1024 Capital Center Drive, Suite 200
Frankfort, Kentucky 40601

Re: Security Breach Notification – KRS § 365.732; [Company Name] Incident Reference No. [___]

Dear Attorney General [Name]:

1. Identity of the Data Holder
    [Company Legal Name], a [State] [entity type] (“Company”), with principal business address at ☐, writes to notify the Office of the Attorney General of a security breach involving personal information of Kentucky residents.

2. Statutory Authority
    Pursuant to KRS § 365.732(2) and in furtherance of best practices endorsed by your Office, Company provides the following information. Although Kentucky law does not presently mandate Attorney General notice, Company elects to do so in the spirit of cooperation and transparency.

3. Incident Description
    • Date(s) of Breach: [___]
    • Date Discovered: [___]
    • Systems Affected: [___]
    • Number of Kentucky Residents Potentially Impacted: [EST. COUNT]
    • Nature of Unauthorized Access: [e.g., ransomware, phishing, credential-stuffing]
    • Types of Personal Information Involved (as defined in KRS § 365.732(1)(a)):
     – [Social Security numbers]
     – [Driver’s license / State ID numbers]
     – [Financial account numbers + access codes]

4. Remediation Measures
    Immediately upon discovery, Company:
    a. Contained and eradicated malicious code;
    b. Engaged independent cybersecurity forensics (Vendor: [Name]);
    c. Reset credentials and enhanced multi-factor authentication;
    d. Notified federal law-enforcement (FBI IC3 submission #☐); and
    e. Implemented continuous monitoring and logging upgrades.

5. Consumer Notification & Timing
    • Notification Method(s): First-class mail and dedicated secure portal.
    • Notification Date(s): On or before [DATE – must be “in the most expedient time possible and without unreasonable delay,” KRS § 365.732(2)].
    • Samples: Enclosed as Exhibit 1.
    • Identity-Theft Services: [12/24]-month complimentary credit monitoring via [Vendor].
    • Call Center: Toll-free (###) ###-#### staffed from [HOURS] through at least [DURATION].

6. Additional Notices
    Because the incident exceeds 1,000 affected persons nationwide, Company is also providing notice to the nationwide consumer reporting agencies in accordance with KRS § 365.732(3).

7. Point of Contact
    Please contact [Name, Title] at (###) ###-#### or [email] for questions.

Respectfully submitted,

[Signature]
[Typed Name]
[Title]
[Company Legal Name]

Enclosures:
• Exhibit 1 – Sample Kentucky Resident Notice
• Exhibit 2 – Incident Timeline (CONFIDENTIAL)

2. CONSUMER NOTIFICATION LETTER

(Kentucky Residents – First-Class Mail)

[CONSUMER NAME]
[Address]
[City, State ZIP]

[Date]

NOTICE OF DATA BREACH

Dear [Mr./Ms.] [Last Name]:

1. What Happened?
    On [DATE DISCOVERED], we detected unauthorized access to certain [Company] computer systems. A forensic investigation determined that, between [INCIDENT WINDOW], an unauthorized actor [exfiltrated/viewed] files containing some of your personal information.

2. What Information Was Involved?
    The data may have included your:
    • [Social Security number];
    • [Driver’s license or state identification number]; and/or
    • [Financial account number + access code].
    No passwords or biometric data were involved.

3. What We Are Doing.
    • Secured our network, implemented multi-factor authentication, and enhanced monitoring.
    • Notified federal law-enforcement and the Kentucky Office of the Attorney General.
    • Arranged for [12/24] months of complimentary [credit monitoring/identity theft protection] through [Vendor], including $1 million identity-theft insurance.* Instructions are enclosed (see “How to Enroll”).

4. What You Can Do.
    We urge you to:
    a. Enroll in the free services by [ENROLLMENT DEADLINE].
    b. Review account statements and credit reports for suspicious activity.
    c. Consider placing a fraud alert or security freeze. Contact information for the nationwide consumer reporting agencies appears below.

• Equifax – (888) 766-0008 • Experian – (888) 397-3742 • TransUnion – (800) 680-7289

5. More Information.
    If you have questions, please call our dedicated toll-free line at (###) ###-#### (Mon–Fri, [HOURS]), email [EMAIL], or write to [ADDRESS]. Additional resources on identity theft are available from the Federal Trade Commission at www.identitytheft.gov and the Kentucky Office of the Attorney General at ag.ky.gov.

We sincerely regret any inconvenience this incident may cause and appreciate your trust.

Sincerely,

[Signature Image]
[Typed Name]
[Title]
[Company Name]

Enclosures:
• How to Enroll in Complimentary Identity-Theft Protection
• FTC “Identity Theft — A Recovery Plan” Brochure

3. OPTIONAL EXHIBITS (FOR INTERNAL USE / AG SUBMISSION)

A. Incident Timeline
B. Call-Center/FAQ Script
C. Identity-Theft Protection Enrollment Instructions

IMPORTANT COMPLIANCE NOTES

1. Timing: KRS § 365.732 requires consumer notice “in the most expedient time possible and without unreasonable delay,” subject to law-enforcement and system-integrity exceptions.
2. Content: While Kentucky law does not mandate specific content, regulators expect the elements set forth above (incident description, data types, remediation, consumer actions, contact details).
3. Consumer Reporting Agencies: If ≥1,000 individuals nationwide are notified, simultaneous notice to Equifax, Experian, and TransUnion is mandatory (KRS § 365.732(3)).
4. Record Retention: Maintain evidence of notification, mailing lists, and returned mail for at least five (5) years.
5. Multi-State Incidents: Coordinate with counsel to harmonize conflicting state requirements; do not delay Kentucky notice to achieve a consolidated multi-state mailing.

* If electronic submission is unavailable, transmit via certified mail only.
** Identity-theft insurance is governed by the insurer’s policy terms and conditions.

[End of Kentucky Data Breach Notification Packet]