State Data Breach Notification Letter
MARYLAND SECURITY BREACH NOTIFICATION PACKAGE
(Attorney General Notice & Model Consumer Letter)
TABLE OF CONTENTS
- Definitions
- OAG Cover Letter Template
- Attachment A – Model Consumer Notice
1. DEFINITIONS
For ease of internal drafting, the following capitalized terms are used throughout this template. Replace or delete the Definitions section prior to delivery.
“Breach Date” – The date on which [COMPANY] discovered or reasonably should have discovered the Security Breach.
“Company” – [LEGAL NAME OF BUSINESS ENTITY PROVIDING NOTICE].
“OAG” – The Maryland Office of the Attorney General, Attn: Security Breach Notices, 200 St. Paul Place, Baltimore, MD 21202.
“Personal Information” – The data elements listed in Md. Code Ann., Com. Law § 14-3501(b), when unencrypted or when the encryption key has been compromised.
“Security Breach” – The unauthorized acquisition of Personal Information that compromises the security, confidentiality, or integrity of that information, as described in Md. Code Ann., Com. Law § 14-3504(b).
2. OAG COVER LETTER TEMPLATE
[COMPANY LETTERHEAD]
[PHYSICAL ADDRESS • PHONE • EMAIL]
[DATE]
VIA EMAIL ([email protected]) AND U.S. MAIL
Office of the Attorney General
Attn: Security Breach Notices
200 St. Paul Place
Baltimore, Maryland 21202
Re: Notice of Security Breach Pursuant to Md. Code Ann., Com. Law § 14-3504
Dear Sir or Madam:
In accordance with Md. Code Ann., Com. Law § 14-3504(e), [COMPANY] hereby provides notice of a Security Breach involving Personal Information of Maryland residents.
- Company Information
• Legal Name: [COMPANY]
• Trade Name(s): [DBA, if any]
• Type of Entity: [Corporation/LLC/etc.], organized under the laws of [STATE]
• Point of Contact for AG: [NAME, TITLE, EMAIL, DIRECT PHONE]
- Nature of the Security Breach
• Date(s) of Breach: [MM/DD/YYYY – MM/DD/YYYY]
• Breach Discovery Date (“Breach Date”): [MM/DD/YYYY]
• Incident Description: [High-level description of how the unauthorized access occurred without revealing exploitable details.]
• Categories of Personal Information Affected: [Example: Social Security numbers; driver’s license numbers; financial account numbers in combination with security codes; medical information; etc.]
- Number of Maryland Residents Affected
[#####] Maryland residents are reasonably believed to have been affected.
- Timing of Consumer Notice
Consistent with the 45-day deadline in Md. Code Ann., Com. Law § 14-3504(d)(1), individual notices will be disseminated (or were disseminated) on [MM/DD/YYYY], contemporaneously with this submission.
- Steps Taken or Planned
• Containment and eradication measures: [BRIEF DESCRIPTION]
• Password resets, system hardening, and third-party forensic investigation.
• Complimentary [##]-month credit monitoring and identity theft protection for affected individuals.
• Enhanced employee security awareness training.
- Sample Consumer Notice
A copy of the exact notice being sent to affected Maryland residents is attached hereto as Attachment A.
- Law-Enforcement Involvement
[If applicable] We notified [LAW-ENFORCEMENT AGENCY] on [MM/DD/YYYY]. The agency has advised that disclosure to affected individuals will not impede its investigation.
Please direct any questions to the undersigned.
Sincerely,
________________________________
[NAME]
[TITLE]
[COMPANY]
[PHONE] • [EMAIL]
Encl.: Attachment A – Consumer Notice
3. ATTACHMENT A – MODEL CONSUMER NOTICE
[COMPANY LETTERHEAD]
[DATE]
Subject: Important Notice of Data Breach
Dear [FIRST NAME LAST NAME],
[COMPANY] values the privacy of your personal information. We are writing to notify you of a security incident that may have involved your Personal Information. This notice is being provided in compliance with the Maryland Personal Information Protection Act, Md. Code Ann., Com. Law § 14-3504.
- What Happened?
On [Breach Date], we discovered unauthorized access to certain [COMPANY] systems. Our investigation, conducted with independent cybersecurity experts, indicates that between [DATE RANGE], an unauthorized actor may have acquired files containing Personal Information.
- What Information Was Involved?
The information involved may have included your:
• [DATA CATEGORY 1]
• [DATA CATEGORY 2]
• [ETC.]
Importantly, no payment-card data or account passwords were involved. [Delete if not accurate.]
- What We Are Doing
• Immediately contained the incident and eradicated malicious code.
• Engaged a leading cybersecurity firm to investigate.
• Notified law enforcement and are cooperating with their efforts.
• Implemented additional technical safeguards to prevent recurrence.
• Offering you complimentary [12/24] months of credit monitoring and identity-theft protection through [SERVICE PROVIDER]. Please see the enrollment instructions below.
- What You Can Do
Even if you do not notice any suspicious activity, we recommend you:
• Enroll in the complimentary credit monitoring service by [ENROLL DEADLINE].
• Remain vigilant by reviewing account statements and monitoring free credit reports.
• Consider placing a fraud alert or security freeze on your credit file.
Contact information for the three nationwide credit reporting agencies is provided below:
• Equifax: 1-800-525-6285 | www.equifax.com
• Experian: 1-888-397-3742 | www.experian.com
• TransUnion: 1-800-680-7289 | www.transunion.com
You may obtain a free copy of your credit report once every 12 months from each of the above agencies by visiting www.annualcreditreport.com or calling 1-877-322-8228.
- For More Information
If you have questions, please contact us at [TOLL-FREE NUMBER] Monday through Friday, [HOURS], or email us at [EMAIL ADDRESS]. You may also write to us at:
[COMPANY]
Attn: Data Privacy Response Team
[ADDRESS]
You may contact the Maryland Office of the Attorney General for additional information about identity theft protection:
Office of the Attorney General
Consumer Protection Division
200 St. Paul Place, 16th Floor
Baltimore, MD 21202
1-888-743-0023 | www.marylandattorneygeneral.gov
We regret any inconvenience or concern this incident may cause you and remain committed to safeguarding your information.
Sincerely,
________________________________
[NAME]
[TITLE]
[COMPANY]
About This Template
Formal legal letters create a written record, trigger response deadlines, and often preserve rights under a statute or contract. Cease-and-desist letters, notice letters, and formal responses all have their own expected format, and the language used can mean the difference between a quick resolution and a courtroom fight. Well-drafted correspondence also documents that you tried to resolve things reasonably, which matters if the dispute escalates later.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: May 2026