State Data Breach Notification Letter

Michigan Data Breach Notification Package

(Comprehensive Template – Ready for Attorney Customization)

TABLE OF CONTENTS

1. Definitions & Global Placeholders
2. Template A – Attorney General Notification Letter
3. Template B – Consumer Notification Letter
4. Template C – CRA Notification Letter (Optional)

1. DEFINITIONS & GLOBAL PLACEHOLDERS

• “Company” = [LEGAL NAME OF DATA OWNER/SENDER]
• “Incident” = [VERY BRIEF NAME, e.g., “April 2025 Network Intrusion”]
• “Discovery Date” = [MM/DD/YYYY on which breach was first confirmed]
• “Incident Window” = [Approx. start–end dates of unauthorized access]
• “Notification Date” = [MM/DD/YYYY when letters will be mailed/emailed]
• “PII Types” = [List of personal information elements involved]
• “Impacted MI Residents” = [Exact # of Michigan residents]
• “Total Individuals” = [Total # of all individuals, all states, if > MI]
• “Law Enforcement Hold?” = [Yes/No – attach written request if Yes]
• “Toll-Free Support Line” = [(XXX) XXX-XXXX / hours]
• “Credit Monitoring Vendor” = [NAME] (if offering)
• “Contact Person” = [NAME, TITLE, EMAIL, DIRECT PHONE]

2. TEMPLATE A – ATTORNEY GENERAL NOTIFICATION LETTER

[LETTERHEAD OF COMPANY]

[Date]

The Honorable [NAME]
Michigan Attorney General
G. Mennen Williams Building, 7th Floor
525 W. Ottawa Street
P.O. Box 30212
Lansing, MI 48909

Re: Data Security Incident Notice — Mich. Comp. Laws Ann. § 445.72

Dear Attorney General [LAST NAME]:

1. Introduction
   Pursuant to the Michigan Identity Theft Protection Act (“ITPA”), Mich. Comp. Laws Ann. § 445.72, Company hereby provides formal notice of a breach of security involving the personal information of Michigan residents.

2. Incident Summary
   a. Incident Name: “[Incident]”
   b. Incident Window: [Incident Window]
   c. Discovery Date: [Discovery Date]
   d. Description (general, non-technical):
   [High-level narrative of how unauthorized acquisition occurred, omitting sensitive system details.]

3. Scope of Impact
   • Michigan residents affected: [Impacted MI Residents]
   • Total individuals nationwide: [Total Individuals]

4. Personal Information Involved
   The Incident involved unauthorized acquisition of one or more of the following data elements (unencrypted or unredacted):
   – [PII Types]

5. Notification & Timing Compliance
   Company will issue consumer notices on or about [Notification Date], which is within the 45-day statutory period, absent any certified law-enforcement delay.
   [If delay: “Pursuant to written request from [Agency], enclosed as Exhibit A, consumer notice has been delayed until the conclusion of the investigative hold.”]

6. Method of Consumer Notice
   – First-class U.S. mail to last known mailing address, or
   – Email notice (where resident has expressly consented), or
   – Substitute notice in accordance with § 445.72(4) (attach form).

7. Remedial Measures
   • Immediate containment and eradication measures completed on [MM/DD/YYYY].
   • Mandatory password resets and multi-factor authentication deployed.
   • Complimentary [X]-month credit monitoring/identity-theft protection through [Credit Monitoring Vendor].
   • Dedicated toll-free hotline: [Toll-Free Support Line].

8. Contact for Follow-Up
   Direct any questions to:
   [Contact Person]

Respectfully submitted,

__________________________________
[NAME]
[TITLE]
[Company]

3. TEMPLATE B – CONSUMER NOTIFICATION LETTER

[LETTERHEAD OF COMPANY]

[Date]

[First Name Last Name]
[Street Address]
[City, State ZIP]

Re: Notice of Data Security Incident

Dear [First Name]:

1. What Happened
   On [Discovery Date], we confirmed that unauthorized actors gained access to certain Company systems between [Incident Window]. We immediately secured our environment, initiated an investigation with leading cybersecurity specialists, and notified law enforcement.

2. What Information Was Involved
   The incident involved your [plain-language list of “PII Types”] (“Personal Information”). We have no evidence of fraud or identity theft arising from this Incident at this time.

3. What We Are Doing
   • Enhanced security: [brief bullet list].
   • Complimentary identity-protection services: We are offering you [X] months of credit monitoring and identity-theft restoration services at no cost through [Credit Monitoring Vendor]. Your activation code and instructions are enclosed in Attachment A.
   • Toll-free assistance: [Toll-Free Support Line] (Monday-Friday, 8 a.m.-8 p.m. ET).

4. What You Can Do
   We encourage you to remain vigilant by reviewing account statements and monitoring free credit reports. Please refer to Attachment B for additional steps—including placing a fraud alert or security freeze—along with contact information for the three nationwide consumer reporting agencies and the Federal Trade Commission.

5. For More Information
   If you have questions, please call [Toll-Free Support Line] or email [Contact Person Email].

We regret any concern this may cause and remain committed to safeguarding your information.

Sincerely,

__________________________________
[NAME]
[TITLE]
[Company]

Attachment A – Enroll in Complimentary Credit Monitoring

[Detailed, vendor-supplied instructions and activation code]

Attachment B – Additional Resources

1. Fraud Alerts & Security Freezes
   • Equifax P.O. Box 105139, Atlanta, GA 30348 | 1-888-766-0008 | www.equifax.com
   • Experian P.O. Box 9554, Allen, TX 75013 | 1-888-397-3742 | www.experian.com
   • TransUnion P.O. Box 2000, Chester, PA 19016 | 1-800-680-7289 | www.transunion.com

2. Federal Trade Commission (“FTC”)
   600 Pennsylvania Avenue NW, Washington, DC 20580
   1-877-438-4338 | www.identitytheft.gov

3. Obtain Free Credit Reports
   Visit www.annualcreditreport.com or call 1-877-322-8228.

4. TEMPLATE C – CONSUMER REPORTING AGENCY (“CRA”) NOTICE

(Use only if ≥1,000 Michigan residents are notified in a 24-hour period, per Mich. Comp. Laws Ann. § 445.72(8).)

[LETTERHEAD OF COMPANY]

[Date]

[VIA CERTIFIED MAIL / EMAIL]

[CRA Name]
[CRA Address]

Re: Notice of Data Breach Affecting [Total Individuals] Consumers

To Whom It May Concern:

Pursuant to Mich. Comp. Laws Ann. § 445.72(8), Company provides notice that on [Notification Date] it is issuing breach notifications to approximately [Total Individuals] individuals, of which [Impacted MI Residents] are Michigan residents. The enclosed spreadsheet lists resident-level data fields required by your intake protocol.

Please contact [Contact Person] with any questions.

Sincerely,

__________________________________
[NAME]
[TITLE]
[Company]

End of Package