NEW HAMPSHIRE DATA BREACH NOTIFICATION PACKET

(RSA 359-C:19-21 Compliance Template)

[// GUIDANCE: This packet contains (A) a mandatory cover letter to the New Hampshire Attorney General (“NH-AG”) and (B) the consumer notice required to be delivered to each affected New Hampshire resident. Complete all bracketed placeholders, attach exhibits where indicated, and transmit in the manner described below. Retain proof of delivery for at least seven (7) years.]

TABLE OF CONTENTS

1. Practitioner Guidance
2. Section A – NH-AG Cover Letter
3. Section B – Consumer Notification Letter
4. Exhibit 1 – Incident Timeline (optional)
5. Exhibit 2 – List of Personal Information Elements Compromised

1. PRACTITIONER GUIDANCE

[// GUIDANCE:
• Statutory Timing – Notice must be provided “as soon as possible, but not later than 45 days” after confirmation of a breach affecting Personal Information (“PI”) of a New Hampshire resident. N.H. Rev. Stat. Ann. § 359-C:20, I(a).
• Concurrent AG & Consumer Notice – NH requires simultaneous delivery to (i) impacted residents and (ii) the NH-AG. Include the exact consumer notice as an attachment to the AG cover letter.
• Content Requirements – Both notices must, at minimum, (1) describe the incident, (2) specify the categories of PI involved, (3) state the date(s) of breach and discovery, (4) outline steps already taken by the business, (5) outline recommended consumer actions, and (6) provide dedicated contact information.
• Format – NH has no statutory formatting mandates; however, the AG prefers single-spaced letters, 12-point font, and a conspicuous subject line (“NOTICE OF DATA BREACH”).
• Law-Enforcement Delay – If law-enforcement requests delayed consumer notice, retain a written request and disclose the delay period to the AG.
• Credit Monitoring – Not required but strongly advised where Social Security numbers, driver’s license numbers, or financial account credentials were exposed. Provide at least 12 months of complimentary credit monitoring or identity-theft protection.
• Multiple States – If the incident involves residents of other states, coordinate multi-state compliance. This template addresses New Hampshire only.
]

2. SECTION A – NEW HAMPSHIRE ATTORNEY GENERAL COVER LETTER

[COMPANY LETTERHEAD]

Date: [MM/DD/YYYY]

Via [E-Mail/Courier]
Office of the Attorney General
New Hampshire Department of Justice
33 Capitol Street
Concord, NH 03301

Re: Notice of Security Breach Pursuant to N.H. Rev. Stat. Ann. § 359-C:20

2.1 Company Identification

1. Legal Name: [Full Legal Entity Name]
2. State of Incorporation/Formation: [State]
3. Principal Business Address: [Street, City, State ZIP]
4. Primary NH Contact for this Incident: [Name, Title, Phone, E-mail]

2.2 Incident Summary

1. Date(s) Breach Occurred: [MM/DD/YYYY – MM/DD/YYYY]
2. Date Breach Discovered/Confirmed: [MM/DD/YYYY]
3. Nature of Incident: [External hacking/phishing, insider theft, system misconfiguration, etc.]
4. Systems Involved: [Describe—e.g., third-party cloud storage, on-premise server]
5. Number of NH Residents Affected: [###] (total population to receive consumer notice)
6. Types of Personal Information Involved: [Social Security numbers, driver’s license numbers, financial account numbers, medical information, etc.; see Exhibit 2]

2.3 Actions Taken by Company

• Contained the incident on [MM/DD/YYYY].
• Engaged independent cybersecurity firm [Name] to conduct forensic investigation (ongoing/completed MM/DD/YYYY).
• Notified federal/state law-enforcement agencies on [MM/DD/YYYY] (case/file number [###]).
• Implemented password resets, multi-factor authentication, and enhanced monitoring.
• Offering 12-month complimentary identity-protection services to affected individuals.

2.4 Consumer Notification

Consumer notices will be dispatched via [method—First-Class Mail/e-mail] on or before [MM/DD/YYYY] in compliance with the 45-day statutory limit. A sample notice is attached hereto as Attachment A.

2.5 Additional Information & Point of Contact

If your office requires additional details, please contact [Name, Title] at [Direct Phone] or [Email].

Respectfully submitted,

---

[Authorized Signatory Name]
[Title]
[Company Name]

Attachment A: Sample Consumer Notification Letter
Exhibit 1 (optional): Incident Timeline
Exhibit 2: Categories of Personal Information Compromised

3. SECTION B – CONSUMER NOTIFICATION LETTER

[COMPANY LETTERHEAD]

Date: [MM/DD/YYYY]

[Recipient Name]
[Recipient Address]

RE: Important Notice of Data Breach

Dear [Recipient Name]:

3.1 What Happened

On [MM/DD/YYYY], we discovered unauthorized access to certain [Company Name] computer systems. Our investigation, completed on [MM/DD/YYYY], determined that between [Incident Date Range], an unauthorized actor may have viewed or acquired files containing your personal information.

3.2 What Information Was Involved

The information involved may have included your:
• [Social Security number]
• [Driver’s license or state ID number]
• [Financial account information]
• [Date of birth]
• [Medical/health-insurance information]
• [Other: ___]

[// GUIDANCE: Delete any data element that was not compromised; add others as necessary.]

3.3 What We Are Doing

• Immediately secured the affected systems and engaged a leading cybersecurity firm to assist with our investigation.
• Notified law-enforcement and are cooperating with their investigation.
• Implemented additional technical safeguards, including multi-factor authentication and enhanced intrusion detection.
• Offering you 12 months of complimentary credit monitoring and identity-theft protection through [Provider Name]. Please see the enclosed “Activation Instructions” sheet for enrollment details.

3.4 What You Can Do

We encourage you to:
1. Enroll in the complimentary credit-monitoring service no later than [Deadline MM/DD/YYYY].
2. Review your account statements and credit reports for unauthorized activity.
3. Consider placing a fraud alert or security freeze on your credit files.
4. Remain vigilant and promptly report any suspicious activity to the relevant institution.

Contact information for the nationwide consumer reporting agencies is provided below:

• Equifax – 1-800-525-6285 – www.equifax.com
• Experian – 1-888-397-3742 – www.experian.com
• TransUnion – 1-800-680-7289 – www.transunion.com

You will find additional resources, including the Federal Trade Commission’s “Identity Theft” website and New Hampshire-specific consumer-protection information, at the end of this letter.

3.5 For More Information

If you have questions, please contact our dedicated incident-response line at [Toll-Free Number], Monday through Friday, 9 a.m. – 9 p.m. Eastern Time, or e-mail us at [Incident-Response Email].

We regret any inconvenience or concern this incident may cause and remain committed to safeguarding your information.

Sincerely,

---

[Authorized Signatory Name]
[Title]
[Company Name]
[Address] | [Phone] | [E-mail]

4. EXHIBIT 1 – INCIDENT TIMELINE (Optional Internal Use)

5. EXHIBIT 2 – CATEGORIES OF PERSONAL INFORMATION COMPROMISED

[// GUIDANCE: Update the chart to reflect actual facts. If encryption rendered the data unreadable/unusable, NH law may consider that information “not breached.”]

DELIVERY CHECKLIST

☐ Dispatch NH-AG cover letter (with consumer notice attached) via e-mail to [email protected] and certified mail.
☐ Mail or e-mail consumer notices no later than 45 days from confirmation date.
☐ If >1,000 total individuals (any state) are notified, deliver consumer-reporting-agency notice under 15 U.S.C. § 1681a(d)(2).
☐ Retain all forensic reports, mailing proofs, and correspondence for regulatory inquiries.

© 20[YY] [Your Firm or Company]. This template is provided for general informational purposes and does not constitute legal advice. Tailor to the facts of each incident and verify compliance with all applicable laws before use.