NEW YORK SECURITY BREACH NOTIFICATION LETTER
(Comprehensive Template – Ready for Attorney General / State Agencies & Affected Consumers)
[// GUIDANCE: This master template contains two coordinated notification letters:
(A) “Regulator Notification Letter” – for the NYS Attorney General, NYS Department of State’s Division of Consumer Protection, and the NYS Office of Information Technology Services (for transmittal to the NYS Police).
(B) “Consumer Notification Letter” – for direct mailing (or e-mail, only where the Resident has expressly consented to receive notice electronically and a log of each such notification is kept, per § 899-aa(5)(b)) to each affected New York resident.
Both letters are drafted to comply with N.Y. Gen. Bus. Law § 899-aa (as amended by the SHIELD Act).
Insert or delete bracketed text as appropriate, complete all placeholders, and remove all guidance comments prior to issuance.]
TABLE OF CONTENTS
- Definitions
- Regulator Notification Letter (AG / State Agencies)
- Consumer Notification Letter (NY Residents)
1. DEFINITIONS
| Term | Definition |
|---|---|
| “Company” | [COMPANY NAME], a [STATE] [corporation/LLC/etc.] with its principal place of business at [ADDRESS]. |
| “Incident” | The data security event discovered on [DISCOVERY DATE] as further described below. |
| “Personal Information” | Used in these letters to mean “private information” as defined in N.Y. Gen. Bus. Law § 899-aa(1)(b): “personal information” (as defined in § 899-aa(1)(a)) in combination with one or more data elements such as [LIST OF DATA ELEMENTS, e.g., Social Security number, driver’s license number, financial account number with access code, biometric data, or username/e-mail address with password or security question and answer] that were accessed or acquired without authorization. |
| “Residents” | Those New York residents whose Personal Information was, or is reasonably believed to have been, accessed or acquired in the Incident. |
[// GUIDANCE: The above table is optional but helps ensure that defined terms are used consistently across the two letters.]
2. REGULATOR NOTIFICATION LETTER
(N.Y. Gen. Bus. Law § 899-aa(8)(a))
Date: [DATE OF NOTICE]
VIA E-MAIL & CERTIFIED MAIL, RETURN RECEIPT REQUESTED
Office of the New York State Attorney General
Bureau of Internet & Technology
28 Liberty Street
New York, NY 10005
E-mail: [E-MAIL ADDRESS]
New York State Department of State
Division of Consumer Protection
99 Washington Avenue, Suite 650
Albany, NY 12231
New York State Office of Information Technology Services
Chief Information Security Office (for NYS Police)
Empire State Plaza, P.O. Box 2062
Albany, NY 12220
Re: Notice of Data Security Breach – [COMPANY NAME]
Dear Sir or Madam:
Incident Summary
On [DISCOVERY DATE], Company detected unauthorized [access to/acquisition of] certain Company information systems. An internal investigation, assisted by third-party cyber-forensic experts, determined that between [BREACH START DATE] and [BREACH END DATE] an unauthorized actor [briefly describe activity, e.g., obtained copies of or exfiltrated data from] a server containing Personal Information of current and former customers.
Number of Affected New York Residents
Company reasonably believes that the Incident involves Personal Information relating to approximately [NUMBER] NY residents (“Residents”). The total number of Residents notified may change as the investigation continues; Company will supplement this notice as required.
Categories of Personal Information Involved
• [SSN]
• [Driver’s license or state ID number]
• [Financial account number + access code]
• [Biometric data]
(Each a data element of “private information” under N.Y. Gen. Bus. Law § 899-aa(1)(b).)
Timeline & Notification Compliance
Company discovered the Incident on [DISCOVERY DATE] and completed the measures necessary to determine the scope of the Incident and restore the integrity of its systems on [INVESTIGATION END DATE]. Notice is being provided “in the most expedient time possible and without unreasonable delay,” consistent with § 899-aa(2), subject only to the legitimate needs of law enforcement.
• Law-enforcement delay requested? [YES/NO] (If “Yes,” attach the law-enforcement agency’s written determination that notification would impede a criminal investigation, per § 899-aa(4).)
Method of Resident Notification
Company commenced written notice to Residents via [first-class mail/e-mail, with each Resident’s express consent to electronic notice and a log of each notification, per § 899-aa(5)] on [MAIL DATE]. A copy of the template Consumer Notification Letter is enclosed pursuant to § 899-aa(8)(a).
Steps Taken & Future Safeguards
• Engaged external cybersecurity firm [NAME] to contain and remediate the Incident;
• Rotated credentials, implemented multi-factor authentication, and enhanced endpoint monitoring;
• Offering [12/24] months of complimentary credit monitoring and identity-theft protection;
• Reviewing and augmenting our written information security program to satisfy the “reasonable safeguards” obligations of N.Y. Gen. Bus. Law § 899-bb.
Contact Information
Please direct any questions to [CONTACT NAME, TITLE] at [E-MAIL] or [PHONE].
Sincerely,
[NAME]
[TITLE]
[COMPANY NAME]
[// GUIDANCE: Attachments – include (1) Sample Consumer Notice; (2) Law-Enforcement Deferral (if any); (3) Any additional jurisdictional notices if residents of other states are affected.]
3. CONSUMER NOTIFICATION LETTER
(N.Y. Gen. Bus. Law § 899-aa(2), (5) & (7))
Date: [MAIL DATE]
[CONSUMER NAME]
[ADDRESS]
Re: NOTICE OF DATA BREACH
Dear [Mr./Ms.] [LAST NAME],
What Happened?
On [DISCOVERY DATE], we discovered unauthorized [access to/acquisition of] certain Company computer systems. Our investigation indicates that between [BREACH START DATE] and [BREACH END DATE], an unauthorized individual [briefly describe activity].
What Information Was Involved?
The information involved may have included your:
• [Social Security number]
• [Driver’s license or state identification number]
• [Financial account number and access credentials]
• [Any additional data elements]
Please note that not every data element was involved for every individual.
What We Are Doing.
• We immediately secured our systems and engaged leading cybersecurity experts.
• We have notified law enforcement and the New York State Attorney General.
• We are offering you [12/24] months of complimentary credit monitoring and identity-theft protection services through [SERVICE PROVIDER].
– To enroll, visit [URL] and use activation code [CODE] no later than [ENROLL DEADLINE].
What You Can Do.
• Review the “Steps You Can Take to Protect Your Information” section enclosed with this letter.
• Remain vigilant by monitoring your account statements and credit reports.
• Place a fraud alert or security freeze as described below.
Other Important Information.
Under federal law you are entitled to one free credit report annually from each of the three nationwide credit reporting agencies. Contact information is provided below.
| Consumer Reporting Agency | Toll-Free | Online | Mailing Address |
|---|---|---|---|
| Equifax | 1-800-525-6285 | www.equifax.com | P.O. Box 105788, Atlanta, GA 30348-5788 |
| Experian | 1-888-397-3742 | www.experian.com | P.O. Box 9554, Allen, TX 75013 |
| TransUnion | 1-800-680-7289 | www.transunion.com | P.O. Box 2000, Chester, PA 19016 |
You may also obtain information about steps to avoid identity theft from the Federal Trade Commission (“FTC”) at 1-877-ID-THEFT (1-877-438-4338) or www.identitytheft.gov; from the New York State Attorney General at [TOLL-FREE NUMBER] or ag.ny.gov; and from the New York State Department of State, Division of Consumer Protection, at [TOLL-FREE NUMBER] or dos.ny.gov.
For More Information.
If you have questions, please call [TOLL-FREE NUMBER] Monday through Friday, [HOURS], or e-mail us at [[email protected]].
We regret any inconvenience this may cause and remain committed to safeguarding your information.
Sincerely,
[NAME]
[TITLE]
[COMPANY NAME]
[ADDRESS]
[PHONE]
ENCLOSURE – STEPS YOU CAN TAKE TO PROTECT YOUR INFORMATION
[// GUIDANCE: The following language tracks FTC best practices and supplements the minimum content mandated by § 899-aa(7). Edit to fit the monitoring service actually offered.]
Place a Fraud Alert or Credit Freeze
You may place a fraud alert by contacting any one of the three credit reporting agencies; that agency must notify the other two. A fraud alert is free, an initial alert stays on your credit file for one year and may be renewed, and it requires creditors to take additional steps to verify your identity before opening new accounts. You may also request a credit freeze, which is free and restricts access to your credit report so that new credit generally cannot be opened in your name until you temporarily lift or remove the freeze. To place a freeze, contact each of the three credit reporting agencies separately.
Obtain Your Free Credit Report
Visit www.annualcreditreport.com or call 1-877-322-8228 to order your free annual credit reports.
Review Your Accounts
Carefully review statements and immediately report any suspicious activity to your financial institution.
Report Identity Theft
If you suspect identity theft, file a police report and contact the FTC at www.identitytheft.gov.
[// GUIDANCE:
1. Timing – NY law requires notice “in the most expedient time possible and without unreasonable delay.”
2. Content – § 899-aa(7) requires: contact information for the Company; the telephone numbers and websites of the relevant state and federal agencies that provide breach-response and identity-theft information (e.g., NYS Attorney General, NYS Department of State, FTC); and a description of the categories of personal and private information accessed or acquired, identifying the specific data elements. Customary additional content (required by some other states’ statutes): date(s) of the breach, CRA contact information, a statement advising vigilance, and, where Social Security numbers were involved, an offer of identity-protection services.
3. AG Notice – Must include a copy of the template of the consumer notice, together with the timing, content and distribution of the notices and the approximate number of affected persons (§ 899-aa(8)(a)).
4. Multi-State Breaches – If residents of other states are affected, confirm and incorporate their unique statutory content before issuance.]
COMPLIANCE CHECKLIST (NY – N.Y. Gen. Bus. Law § 899-aa)
✓ Notice timing “in the most expedient time possible and without unreasonable delay” (§ 899-aa(2)), delayed only for the legitimate needs of law enforcement (§ 899-aa(4)) or for measures necessary to determine the scope of the breach and restore system integrity.
✓ Notification to AG + DOS + NYS Police for every breach requiring Resident notice, regardless of the number affected (§ 899-aa(8)(a)); notification to the nationwide CRAs when more than 5,000 NY residents are affected (§ 899-aa(8)(b)).
✓ Consumer letter contains: (a) Company contact info; (b) telephone numbers and websites of relevant state and federal agencies; (c) categories of personal and private information and the specific data elements involved (§ 899-aa(7)); plus customary content: date(s) of breach, CRA contact details, advice to remain vigilant, and an identity-theft service offer where SSNs were involved.
✓ Method of notice satisfies § 899-aa(5) (written notice; e-mail only with express consent and a notification log; telephone with a log; or substitute notice where the statutory cost, population or contact-information conditions are met).
✓ If Resident notice is withheld under the inadvertent-disclosure/no-likely-harm determination of § 899-aa(2)(b), document that determination in writing, retain it for at least five years, and, if more than 500 NY residents are affected, provide it to the AG within ten days; retain all breach documentation for at least five years in any event.
[// GUIDANCE: Final pre-issuance steps –
• Insert company letterhead & page numbers.
• Spell-check all names.
• Confirm that for any law-enforcement deferral, written request is attached.
• File copies electronically and retain them for at least five years (the period § 899-aa(2)(b) prescribes for written no-harm determinations).]