MARYLAND SECURITY BREACH NOTIFICATION PACKAGE

(Attorney General Notice & Model Consumer Letter)

[// GUIDANCE: This package contains (i) a cover letter to the Maryland Office of the Attorney General (“OAG”) and (ii) the statutorily compliant model notice to affected Maryland residents. Both documents assume the breach involves computerized “Personal Information” as defined in Md. Code Ann., Com. Law § 14-3501(b) and that no law-enforcement delay applies. Delete all bracketed guidance and placeholders before issuance.]

TABLE OF CONTENTS

1. Definitions
2. OAG Cover Letter Template
3. Attachment A – Model Consumer Notice

1. DEFINITIONS

For ease of internal drafting, the following capitalized terms are used throughout this template. Replace or delete the Definitions section prior to delivery.

“Breach Date” – The date on which [COMPANY] discovered or reasonably should have discovered the Security Breach.

“Company” – [LEGAL NAME OF BUSINESS ENTITY PROVIDING NOTICE].

“OAG” – The Maryland Office of the Attorney General, Attn: Security Breach Notices, 200 St. Paul Place, Baltimore, MD 21202.

“Personal Information” – The data elements listed in Md. Code Ann., Com. Law § 14-3501(b), when unencrypted or when the encryption key has been compromised.

“Security Breach” – The unauthorized acquisition of Personal Information that compromises the security, confidentiality, or integrity of that information, as described in Md. Code Ann., Com. Law § 14-3504(b).

2. OAG COVER LETTER TEMPLATE

[COMPANY LETTERHEAD]
[PHYSICAL ADDRESS • PHONE • EMAIL]

[DATE]

VIA EMAIL ([email protected]) AND U.S. MAIL
Office of the Attorney General
Attn: Security Breach Notices
200 St. Paul Place
Baltimore, Maryland 21202

Re: Notice of Security Breach Pursuant to Md. Code Ann., Com. Law § 14-3504

Dear Sir or Madam:

In accordance with Md. Code Ann., Com. Law § 14-3504(e), [COMPANY] hereby provides notice of a Security Breach involving Personal Information of Maryland residents.

1. Company Information
   • Legal Name: [COMPANY]
   • Trade Name(s): [DBA, if any]
   • Type of Entity: [Corporation/LLC/etc.], organized under the laws of [STATE]
   • Point of Contact for AG: [NAME, TITLE, EMAIL, DIRECT PHONE]

2. Nature of the Security Breach
   • Date(s) of Breach: [MM/DD/YYYY – MM/DD/YYYY]
   • Breach Discovery Date (“Breach Date”): [MM/DD/YYYY]
   • Incident Description: [High-level description of how the unauthorized access occurred without revealing exploitable details.]
   • Categories of Personal Information Affected: [Example: Social Security numbers; driver’s license numbers; financial account numbers in combination with security codes; medical information; etc.]

3. Number of Maryland Residents Affected
   [#####] Maryland residents are reasonably believed to have been affected.
   [// GUIDANCE: If the total is not yet known, provide a good-faith estimate and indicate the investigation is ongoing.]

4. Timing of Consumer Notice
   Consistent with the 45-day deadline in Md. Code Ann., Com. Law § 14-3504(d)(1), individual notices will be disseminated (or were disseminated) on [MM/DD/YYYY], contemporaneously with this submission.

5. Steps Taken or Planned
   • Containment and eradication measures: [BRIEF DESCRIPTION]
   • Password resets, system hardening, and third-party forensic investigation.
   • Complimentary [##]-month credit monitoring and identity theft protection for affected individuals.
   • Enhanced employee security awareness training.

6. Sample Consumer Notice
   A copy of the exact notice being sent to affected Maryland residents is attached hereto as Attachment A.

7. Law-Enforcement Involvement
   [If applicable] We notified [LAW-ENFORCEMENT AGENCY] on [MM/DD/YYYY]. The agency has advised that disclosure to affected individuals will not impede its investigation.

Please direct any questions to the undersigned.

Sincerely,

[NAME]
[TITLE]
[COMPANY]
[PHONE] • [EMAIL]

Encl.: Attachment A – Consumer Notice

3. ATTACHMENT A – MODEL CONSUMER NOTICE

[COMPANY LETTERHEAD]

[DATE]

Subject: Important Notice of Data Breach

Dear [FIRST NAME LAST NAME],

[COMPANY] values the privacy of your personal information. We are writing to notify you of a security incident that may have involved your Personal Information. This notice is being provided in compliance with the Maryland Personal Information Protection Act, Md. Code Ann., Com. Law § 14-3504.

1. What Happened?
   On [Breach Date], we discovered unauthorized access to certain [COMPANY] systems. Our investigation, conducted with independent cybersecurity experts, indicates that between [DATE RANGE], an unauthorized actor may have acquired files containing Personal Information.

2. What Information Was Involved?
   The information involved may have included your:
   • [DATA CATEGORY 1]
   • [DATA CATEGORY 2]
   • [ETC.]
   Importantly, no payment-card data or account passwords were involved. [Delete if not accurate.]

3. What We Are Doing
   • Immediately contained the incident and eradicated malicious code.
   • Engaged a leading cybersecurity firm to investigate.
   • Notified law enforcement and are cooperating with their efforts.
   • Implemented additional technical safeguards to prevent recurrence.
   • Offering you complimentary [12/24] months of credit monitoring and identity-theft protection through [SERVICE PROVIDER]. Please see the enrollment instructions below.

4. What You Can Do
   Even if you do not notice any suspicious activity, we recommend you:
   • Enroll in the complimentary credit monitoring service by [ENROLL DEADLINE].
   • Remain vigilant by reviewing account statements and monitoring free credit reports.
   • Consider placing a fraud alert or security freeze on your credit file.

Contact information for the three nationwide credit reporting agencies is provided below:
• Equifax: 1-800-525-6285 | www.equifax.com
• Experian: 1-888-397-3742 | www.experian.com
• TransUnion: 1-800-680-7289 | www.transunion.com

You may obtain a free copy of your credit report once every 12 months from each of the above agencies by visiting www.annualcreditreport.com or calling 1-877-322-8228.

5. For More Information
   If you have questions, please contact us at [TOLL-FREE NUMBER] Monday through Friday, [HOURS], or email us at [EMAIL ADDRESS]. You may also write to us at:

[COMPANY]
Attn: Data Privacy Response Team
[ADDRESS]

You may contact the Maryland Office of the Attorney General for additional information about identity theft protection:

Office of the Attorney General
Consumer Protection Division
200 St. Paul Place, 16th Floor
Baltimore, MD 21202
1-888-743-0023 | www.marylandattorneygeneral.gov

We regret any inconvenience or concern this incident may cause you and remain committed to safeguarding your information.

Sincerely,

[NAME]
[TITLE]
[COMPANY]

[// GUIDANCE:
1. Timing – Issue the consumer notice “as soon as reasonably practicable” but no later than 45 days after discovery (Md. Code Ann., Com. Law § 14-3504(d)(1)).
2. AG Notice – Must be sent before or contemporaneously with consumer notice and must include the sample consumer letter (§ 14-3504(e)(2)).
3. Content – Do not include the affected individual’s Social Security number, driver’s license number, or any other Personal Information in the body or subject line of the communication (§ 14-3504(g)).
4. Delivery Method – Written notice is presumed compliant. Email is permissible only if the consumer has expressly consented to electronic notice or if the primary method of business communication is electronic (§ 14-3504(c)).
5. Record Retention – Maintain documentation of compliance for at least three years.
6. Optional Credit Monitoring – Maryland does not mandate it, but regulators expect its offer when Social Security numbers are involved.
7. Multi-State Incidents – If Maryland residents are fewer than 1,000 and other states impose higher requirements, harmonize timing and content to meet all applicable laws.]