State Data Breach Notification Letter

Nevada Data Breach Notification Packet

(Attorney General & Consumer Versions)

TABLE OF CONTENTS

1. Attorney General Notice
   1.1 Document Header
   1.2 Incident Overview
   1.3 Scope of Impact
   1.4 Remediation & Mitigation
   1.5 Consumer Notification Plan
   1.6 Regulator Contact Information
   1.7 Attachments / Exhibits

2. Consumer Notification Letter
   2.1 Document Header
   2.2 What Happened
   2.3 What Information Was Involved
   2.4 What We Are Doing
   2.5 What You Can Do
   2.6 Resources & Contact Information
   2.7 Complimentary Identity Protection (Optional)
   2.8 Enclosures

1. ATTORNEY GENERAL NOTICE – TEMPLATE

1.1 Document Header

[COMPANY LETTERHEAD]

Date: [DATE]  

Via Email & Certified Mail – Return Receipt Requested  
The Honorable [NAME]  
Office of the Nevada Attorney General  
100 North Carson Street  
Carson City, Nevada 89701  

Re: Notice of Data Breach Affecting Nevada Residents

1.2 Incident Overview

Pursuant to Nev. Rev. Stat. § 603A.220, [LEGAL NAME OF DATA COLLECTOR] (“Company”) hereby provides notice of a breach of the security of its system involving personal information of Nevada residents.

• Date of determination of breach: [MM/DD/YYYY]
• Earliest date of unauthorized access: [MM/DD/YYYY]
• Nature of the incident: [BRIEF, FACT-BASED DESCRIPTION—e.g., “credential-stuffing attack on customer portal resulting in unauthorized downloads of customer records”].

1.3 Scope of Impact

• Total individuals affected nationwide: [NUMBER]
• Nevada residents affected: [NUMBER]

Categories of personal information exposed or reasonably believed to be exposed:

1. [e.g., “Name”]
2. [e.g., “Social Security number (last four digits only)”]
3. [e.g., “Financial account number, with no access codes”]

1.4 Remediation & Mitigation

Immediately upon discovery, Company:

a. Contained and eradicated malicious code within [X] hours;
b. Engaged a PCI-certified forensic firm on [DATE];
c. Reset all employee credentials and implemented multifactor authentication;
d. Offered all impacted Nevada residents [12/24] months of complimentary identity-theft protection and credit monitoring; and
e. Provided notice to major consumer reporting agencies in accordance with federal law.

1.5 Consumer Notification Plan

Company commenced consumer notifications on [DATE] (within 45 days of breach determination) via first-class U.S. mail to each known Nevada resident whose data was involved. A copy of the consumer notice is attached hereto as Exhibit A.

1.6 Regulator Contact Information

Please direct any follow-up questions to:

[PRIMARY CONTACT NAME]
[Title] | [Company]
[Street Address] | [City, ST ZIP]
Tel: [(XXX) XXX-XXXX] | Email: [[email protected]]

1.7 Attachments / Exhibits

• Exhibit A – Consumer Notice (template)
• Exhibit B – Law-enforcement delay request (if applicable)
• Exhibit C – Forensic investigation executive summary (optional/redacted)

2. CONSUMER NOTIFICATION LETTER – TEMPLATE

[COMPANY LETTERHEAD]

[First Name Last Name]  
[Street Address]  
[City, ST ZIP]  

Date: [MM/DD/YYYY]

Dear [Mr./Ms.] [Last Name]:

2.1 What Happened

On [DATE], we discovered that an unauthorized party accessed certain [Company] systems between [DATE RANGE]. We confirmed on [DATE] that some of your personal information may have been involved.

2.2 What Information Was Involved

The information may have included one or more of the following:

• [Full name]
• [Social Security number]
• [Driver’s license or state identification number]
• [Financial account number]
• [Medical/health insurance information]

We have no evidence that your information has been misused; however, we are notifying you out of an abundance of caution.

2.3 What We Are Doing

We take this event seriously and have:

1. Contained and remediated the incident with the assistance of third-party cybersecurity experts;
2. Reported the matter to law enforcement and will fully cooperate with their investigation;
3. Enhanced our security controls, including [describe specific measures]; and
4. Arranged for you to receive [12/24] months of complimentary credit monitoring and identity-theft protection services through [SERVICE PROVIDER]. Instructions to enroll are enclosed.

2.4 What You Can Do

We encourage you to:

• Enroll in the complimentary services by [ENROLLMENT DEADLINE].
• Review the enclosed “Steps You Can Take to Protect Your Information,” which includes contact information for the three nationwide consumer reporting agencies, the Federal Trade Commission, and the Nevada Attorney General.
• Consider placing a fraud alert or security freeze on your credit files. A security freeze is free under Nevada law.

2.5 Resources & Contact Information

If you have questions, please call our dedicated, toll-free call center at [(XXX) XXX-XXXX] between [HOURS, TIME ZONE], Monday through Friday, excluding holidays, or e-mail us at [[email protected]].

2.6 Complimentary Identity Protection (Optional)

2.7 Enclosures

1. “Steps You Can Take to Protect Your Information” (including contact details for consumer reporting agencies and the FTC)
2. Complimentary Credit Monitoring Enrollment Instructions

Sincerely,

[AUTHORIZED SIGNATORY NAME]
[Title] | [Company]

ENCLOSURE – STEPS YOU CAN TAKE TO PROTECT YOUR INFORMATION

1. Review Your Account Statements and Credit Reports
2. Place a Fraud Alert
3. Consider a Security Freeze
4. Remain Vigilant for Incidents of Fraud or Identity Theft

5. Contact Information for Major Consumer Reporting Agencies
   • Equifax – 888-766-0008 | www.equifax.com
   • Experian – 888-397-3742 | www.experian.com
   • TransUnion – 800-680-7289 | www.transunion.com

6. Federal Trade Commission
   • 877-ID-THEFT (877-438-4338) | www.identitytheft.gov

7. Nevada Attorney General
   • 775-684-1100 | ag.nv.gov

KEY STATUTORY COMPLIANCE CHECKLIST (Internal Use Only – Remove Before Sending)

☐ Notice dispatched within 45 days of breach determination (NRS 603A.220)
☐ Written notice delivered by first-class mail (or permitted substitute method)
☐ Content includes: incident description, affected data categories, remediation efforts, consumer protective steps, Company contact information, and credit-agency/FTC contacts
☐ AG notified concurrently when ≥ 250 Nevada residents affected (recommended best practice)
☐ Consumer notice language at 8th-grade reading level (FTC guidance)
☐ Law-enforcement delay documented, if applicable

END OF TEMPLATE