Nevada Data Breach Notification Packet

(Attorney General & Consumer Versions)

[// GUIDANCE: This packet contains (1) a notice template for the Nevada Attorney General and (2) a consumer‐facing notice template. Both are drafted to comply with Nevada’s data-breach statute, including the 45-day timing requirement and mandatory content elements. Bracketed text should be customized for each incident. Remove all guidance comments before issuing final letters.]

TABLE OF CONTENTS

1. Attorney General Notice
   1.1 Document Header
   1.2 Incident Overview
   1.3 Scope of Impact
   1.4 Remediation & Mitigation
   1.5 Consumer Notification Plan
   1.6 Regulator Contact Information
   1.7 Attachments / Exhibits

2. Consumer Notification Letter
   2.1 Document Header
   2.2 What Happened
   2.3 What Information Was Involved
   2.4 What We Are Doing
   2.5 What You Can Do
   2.6 Resources & Contact Information
   2.7 Complimentary Identity Protection (Optional)
   2.8 Enclosures

1. ATTORNEY GENERAL NOTICE – TEMPLATE

1.1 Document Header

[COMPANY LETTERHEAD]

Date: [DATE]

Via Email & Certified Mail – Return Receipt Requested
The Honorable [NAME]
Office of the Nevada Attorney General
100 North Carson Street
Carson City, Nevada 89701

Re: Notice of Data Breach Affecting Nevada Residents

1.2 Incident Overview

Pursuant to Nev. Rev. Stat. § 603A.220, [LEGAL NAME OF DATA COLLECTOR] (“Company”) hereby provides notice of a breach of the security of its system involving personal information of Nevada residents.

• Date of determination of breach: [MM/DD/YYYY]
• Earliest date of unauthorized access: [MM/DD/YYYY]
• Nature of the incident: [BRIEF, FACT-BASED DESCRIPTION—e.g., “credential-stuffing attack on customer portal resulting in unauthorized downloads of customer records”].

[// GUIDANCE: Provide strictly factual statements; avoid speculation. If law enforcement has requested a delay, identify and attach the written request.]

1.3 Scope of Impact

• Total individuals affected nationwide: [NUMBER]
• Nevada residents affected: [NUMBER]

Categories of personal information exposed or reasonably believed to be exposed:

1. [e.g., “Name”]
2. [e.g., “Social Security number (last four digits only)”]
3. [e.g., “Financial account number, with no access codes”]

1.4 Remediation & Mitigation

Immediately upon discovery, Company:

a. Contained and eradicated malicious code within [X] hours;
b. Engaged a PCI-certified forensic firm on [DATE];
c. Reset all employee credentials and implemented multifactor authentication;
d. Offered all impacted Nevada residents [12/24] months of complimentary identity-theft protection and credit monitoring; and
e. Provided notice to major consumer reporting agencies in accordance with federal law.

1.5 Consumer Notification Plan

Company commenced consumer notifications on [DATE] (within 45 days of breach determination) via first-class U.S. mail to each known Nevada resident whose data was involved. A copy of the consumer notice is attached hereto as Exhibit A.

[// GUIDANCE: If substitute notice (e-mail, website, statewide media) was used under NRS § 603A.220(4), describe method and justification.]

1.6 Regulator Contact Information

Please direct any follow-up questions to:

[PRIMARY CONTACT NAME]
[Title] | [Company]
[Street Address] | [City, ST ZIP]
Tel: [(XXX) XXX-XXXX] | Email: [[email protected]]

1.7 Attachments / Exhibits

• Exhibit A – Consumer Notice (template)
• Exhibit B – Law-enforcement delay request (if applicable)
• Exhibit C – Forensic investigation executive summary (optional/redacted)

2. CONSUMER NOTIFICATION LETTER – TEMPLATE

[COMPANY LETTERHEAD]

[First Name Last Name]
[Street Address]
[City, ST ZIP]

Date: [MM/DD/YYYY]
Dear [Mr./Ms.] [Last Name]:

2.1 What Happened

On [DATE], we discovered that an unauthorized party accessed certain [Company] systems between [DATE RANGE]. We confirmed on [DATE] that some of your personal information may have been involved.

2.2 What Information Was Involved

The information may have included one or more of the following:

• [Full name]
• [Social Security number]
• [Driver’s license or state identification number]
• [Financial account number]
• [Medical/health insurance information]

We have no evidence that your information has been misused; however, we are notifying you out of an abundance of caution.

2.3 What We Are Doing

We take this event seriously and have:

1. Contained and remediated the incident with the assistance of third-party cybersecurity experts;
2. Reported the matter to law enforcement and will fully cooperate with their investigation;
3. Enhanced our security controls, including [describe specific measures]; and
4. Arranged for you to receive [12/24] months of complimentary credit monitoring and identity-theft protection services through [SERVICE PROVIDER]. Instructions to enroll are enclosed.

2.4 What You Can Do

We encourage you to:

• Enroll in the complimentary services by [ENROLLMENT DEADLINE].
• Review the enclosed “Steps You Can Take to Protect Your Information,” which includes contact information for the three nationwide consumer reporting agencies, the Federal Trade Commission, and the Nevada Attorney General.
• Consider placing a fraud alert or security freeze on your credit files. A security freeze is free under Nevada law.

2.5 Resources & Contact Information

If you have questions, please call our dedicated, toll-free call center at [(XXX) XXX-XXXX] between [HOURS, TIME ZONE], Monday through Friday, excluding holidays, or e-mail us at [[email protected]].

2.6 Complimentary Identity Protection (Optional)

[// GUIDANCE: Insert full instructions, redemption code, and program summary provided by the identity-protection vendor. Ensure service term and coverage details are accurate.]

2.7 Enclosures

1. “Steps You Can Take to Protect Your Information” (including contact details for consumer reporting agencies and the FTC)
2. Complimentary Credit Monitoring Enrollment Instructions

Sincerely,

[AUTHORIZED SIGNATORY NAME]
[Title] | [Company]

ENCLOSURE – STEPS YOU CAN TAKE TO PROTECT YOUR INFORMATION

1. Review Your Account Statements and Credit Reports
2. Place a Fraud Alert
3. Consider a Security Freeze
4. Remain Vigilant for Incidents of Fraud or Identity Theft
5. Contact Information for Major Consumer Reporting Agencies
   • Equifax – 888-766-0008 | www.equifax.com
   • Experian – 888-397-3742 | www.experian.com
   • TransUnion – 800-680-7289 | www.transunion.com
6. Federal Trade Commission
   • 877-ID-THEFT (877-438-4338) | www.identitytheft.gov
7. Nevada Attorney General
   • 775-684-1100 | ag.nv.gov

[// GUIDANCE: Verify all phone numbers and URLs immediately before mailing.]

KEY STATUTORY COMPLIANCE CHECKLIST (Internal Use Only – Remove Before Sending)

☐ Notice dispatched within 45 days of breach determination (NRS 603A.220)
☐ Written notice delivered by first-class mail (or permitted substitute method)
☐ Content includes: incident description, affected data categories, remediation efforts, consumer protective steps, Company contact information, and credit-agency/FTC contacts
☐ AG notified concurrently when ≥ 250 Nevada residents affected (recommended best practice)
☐ Consumer notice language at 8th-grade reading level (FTC guidance)
☐ Law-enforcement delay documented, if applicable

[// GUIDANCE: Maintain this checklist in the incident response file to demonstrate statutory compliance.]

END OF TEMPLATE