State Data Breach Notification Letter
NEW YORK SECURITY BREACH NOTIFICATION LETTER
(Comprehensive Template – Ready for Attorney General / State Agencies & Affected Consumers)
TABLE OF CONTENTS
- Definitions
- Regulator Notification Letter (AG / State Agencies)
- Consumer Notification Letter (NY Residents)
1. DEFINITIONS
| Term | Definition |
|---|---|
| “Company” | [COMPANY NAME], a [STATE] [corporation/LLC/etc.] with its principal place of business at [ADDRESS]. |
| “Incident” | The data security event discovered on [DISCOVERY DATE] as further described below. |
| “Personal Information” | “Personal information” as defined in N.Y. Gen. Bus. Law § 899-aa(1)(a)–(b), including [LIST OF DATA ELEMENTS, e.g., Social Security number, driver’s license number, financial account information, biometric data, etc.] that were accessed or acquired without authorization. |
| “Residents” | Those New York residents whose Personal Information was, or is reasonably believed to have been, accessed or acquired in the Incident. |
2. REGULATOR NOTIFICATION LETTER
(N.Y. Gen. Bus. Law § 899-aa(8)(a))
Date: [DATE OF NOTICE]
VIA E-MAIL & CERTIFIED MAIL, RETURN RECEIPT REQUESTED
- Office of the New York State Attorney General
Bureau of Internet & Technology
28 Liberty Street
New York, NY 10005
E-mail: [email protected]
- New York State Department of State
Division of Consumer Protection
99 Washington Avenue, Suite 650
Albany, NY 12231
- New York State Office of Information Technology Services
Chief Information Security Office (for NYS Police)
Empire State Plaza, P.O. Box 2062
Albany, NY 12220
Re: Notice of Data Security Breach – [COMPANY NAME]
Dear Sir or Madam:
- Incident Summary
On [DISCOVERY DATE], Company detected unauthorized [access to/acquisition of] certain Company information systems. An internal investigation, assisted by third-party cyber-forensic experts, determined that between [BREACH START DATE] and [BREACH END DATE] an unauthorized actor [briefly describe activity, e.g., obtained copies of or exfiltrated data from] a server containing Personal Information of current and former customers.
- Number of Affected New York Residents
Company reasonably believes that the Incident involves Personal Information relating to approximately [NUMBER] NY residents (“Residents”). The total number of Residents notified may change as the investigation continues; Company will supplement this notice as required.
- Categories of Personal Information Involved
• [SSN]
• [Driver’s license or state ID number]
• [Financial account number + access code]
• [Biometric data]
(Each, as defined in N.Y. Gen. Bus. Law § 899-aa(1)(b).)
- Timeline & Notification Compliance
Company discovered the Incident on [DISCOVERY DATE] and completed a reasonable and prompt investigation on [INVESTIGATION END DATE]. Notice is being provided “in the most expedient time possible and without unreasonable delay,” consistent with § 899-aa(2), and not later than any law-enforcement deferral.
• Law-enforcement delay requested? [YES/NO] (If “Yes,” attach written statement from law-enforcement per § 899-aa(4).)
- Method of Resident Notification
Company commenced written notice to Residents via [first-class mail/e-mail pursuant to E-SIGN] on [MAIL DATE]. A sample Consumer Notification Letter is enclosed pursuant to § 899-aa(8)(c).
- Steps Taken & Future Safeguards
• Engaged external cybersecurity firm [NAME] to contain and remediate the Incident;
• Rotated credentials, implemented multi-factor authentication, and enhanced endpoint monitoring;
• Offering [12/24] months of complimentary credit monitoring and identity-theft protection;
• Reviewing and augmenting our written information security program to satisfy the “reasonable safeguards” obligations of § 899-a.
- Contact Information
Please direct any questions to [CONTACT NAME, TITLE] at [E-MAIL] or [PHONE].
Sincerely,
[NAME]
[TITLE]
[COMPANY NAME]
3. CONSUMER NOTIFICATION LETTER
(N.Y. Gen. Bus. Law § 899-aa(2) & (3))
Date: [MAIL DATE]
[CONSUMER NAME]
[ADDRESS]
Re: NOTICE OF DATA BREACH
Dear [Mr./Ms.] [LAST NAME],
- What Happened?
On [DISCOVERY DATE], we discovered unauthorized [access to/acquisition of] certain Company computer systems. Our investigation indicates that between [BREACH START DATE] and [BREACH END DATE], an unauthorized individual [briefly describe activity].
- What Information Was Involved?
The information involved may have included your:
• [Social Security number]
• [Driver’s license or state identification number]
• [Financial account number and access credentials]
• [Any additional data elements]
Please note that not every data element was involved for every individual.
- What We Are Doing.
• We immediately secured our systems and engaged leading cybersecurity experts.
• We have notified law enforcement and the New York State Attorney General.
• We are offering you [12/24] months of complimentary credit monitoring and identity-theft protection services through [SERVICE PROVIDER].
– To enroll, visit [URL] and use activation code [CODE] no later than [ENROLL DEADLINE].
- What You Can Do.
• Review the “Steps You Can Take to Protect Your Information” section enclosed with this letter.
• Remain vigilant by monitoring your account statements and credit reports.
• Place a fraud alert or security freeze as described below.
- Other Important Information.
Under federal law you are entitled to one free credit report annually from each of the three nationwide credit reporting agencies. Contact information is provided below.
| Consumer Reporting Agency | Toll-Free | Online | Mailing Address |
|---|---|---|---|
| Equifax | 1-800-525-6285 | www.equifax.com | P.O. Box 105788, Atlanta, GA 30348-5788 |
| Experian | 1-888-397-3742 | www.experian.com | P.O. Box 9554, Allen, TX 75013 |
| TransUnion | 1-800-680-7289 | www.transunion.com | P.O. Box 2000, Chester, PA 19016 |
You may also obtain information from the Federal Trade Commission (“FTC”) about steps to avoid identity theft. The FTC can be reached at 1-877-ID-THEFT (1-877-438-4338) or www.identitytheft.gov.
- For More Information.
If you have questions, please call [TOLL-FREE NUMBER] Monday through Friday, [HOURS], or e-mail us at [[email protected]].
We regret any inconvenience this may cause and remain committed to safeguarding your information.
Sincerely,
[NAME]
[TITLE]
[COMPANY NAME]
[ADDRESS]
[PHONE]
ENCLOSURE – STEPS YOU CAN TAKE TO PROTECT YOUR INFORMATION
- Place a Fraud Alert or Credit Freeze
You may place a fraud alert by contacting any one of the credit reporting agencies. A fraud alert is free and will stay on your credit file for at least one year. You may also request a credit freeze, which prevents new credit in your name. To place a freeze, contact each credit bureau.
- Obtain Your Free Credit Report
Visit www.annualcreditreport.com or call 1-877-322-8228 to order your free annual credit reports.
- Review Your Accounts
Carefully review statements and immediately report any suspicious activity to your financial institution.
- Report Identity Theft
If you suspect identity theft, file a police report and contact the FTC at www.identitytheft.gov.
COMPLIANCE CHECKLIST (NY – N.Y. Gen. Bus. Law § 899-aa)
✓ Notice timing “without unreasonable delay” and after law-enforcement clearance.
✓ Notification to AG + DOS + NYS Police when ≥ 500 NY residents affected.
✓ Consumer letter contains: (a) Company contact info; (b) categories of data; (c) date(s) of breach; (d) toll-free numbers & CRA addresses; (e) advice to remain vigilant; (f) if SSN involved, identity-theft service offer.
✓ Method of notice satisfies § 899-aa(3) (mail, e-mail per E-SIGN, phone, or substitute).
✓ Record retention of breach documentation for at least five years.
About This Template
Formal legal letters create a written record, trigger response deadlines, and often preserve rights under a statute or contract. Cease-and-desist letters, notice letters, and formal responses all have their own expected format, and the language used can mean the difference between a quick resolution and a courtroom fight. Well-drafted correspondence also documents that you tried to resolve things reasonably, which matters if the dispute escalates later.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026