Ohio Data Breach Notification Letter Package
(Compliant with Ohio Rev. Code Ann. § 1349.19 and best-practice AG courtesy notice)
Table of Contents
- Template AG-1 – Attorney General Notification Letter
- Template CON-1 – Consumer Notification Letter
- Template CRA-1 – Credit Reporting Agency Notification (≥1,000 Ohio Residents)
- Appendix A – Statutory Compliance Checklist & Timing Matrix (internal use only – do not file)
[// GUIDANCE:
1. Replace every bracketed [PLACEHOLDER] with client-specific information.
2. Confirm the breach determination date, law-enforcement hold status, and resident head-count before finalizing.
3. Send AG and CRA notices on or before Day 45 after “determination of breach,” absent an active law-enforcement delay.
4. Maintain proof of transmittal (e-mail receipt, certified mail card, courier log, etc.) for a minimum of four years.
]
TEMPLATE AG-1 – Attorney General Notification Letter
(Courtesy notice; Ohio law does not mandate AG notification. Many organizations provide it to demonstrate transparency and mitigate enforcement risk.)
CONFIDENTIAL – SECURITY NOTIFICATION
Ohio Attorney General [CURRENT NAME]
Consumer Protection Section
30 E. Broad St., 14th Floor
Columbus, OH 43215
Email: [email protected] (confirm current address prior to delivery)
Date: [DATE OF NOTICE]
Re: Notice of Data Breach – Ohio Rev. Code Ann. § 1349.19 Compliance
Dear Attorney General [LAST NAME]:
-
Executive Summary
[COMPANY LEGAL NAME] (“Company”) hereby provides notice that it determined on [DATE OF DETERMINATION] that a “Breach of the Security of the System” (the “Breach”) involving Personal Information of Ohio residents occurred within the meaning of Ohio Rev. Code Ann. § 1349.19(A). -
Incident Description
• Date(s) of Breach: [BREACH DATE RANGE]
• Nature of Incident: [E.G., un-encrypted laptop theft / phishing intrusion / vendor system compromise]
• Attack Vector / Root Cause: [ROOT CAUSE]
• Discovery Method: [INTERNAL AUDIT / THIRD-PARTY ALERT] -
Categories of Personal Information Implicated
Check all that apply (definitions per § 1349.19(A)):
☐ Social Security numbers
☐ Driver’s license / state ID numbers
☐ Financial account numbers (with required access codes)
☐ Medical / health-insurance information
☐ Taxpayer ID numbers
☐ Other: [DESCRIPTION] -
Population Affected
• Total individuals impacted: [TOTAL COUNT]
• Ohio residents: [OH COUNT] (≥1,000? ☐ Yes ☐ No – if Yes, see Template CRA-1) -
Timeline & Notification Actions
• Breach determination: [DATE]
• Law-enforcement consultation (if any): [AGENCY / DATE / CLEAR TO NOTIFY ON [DATE] ]
• Consumer notice commencement: [START DATE – must be ≤ 45 days post-determination absent delay]
• Methods: ☐ First-class mail ☐ Email (per § 1349.19(E)) ☐ Substitute notice (if applicable) -
Remediation & Mitigation Measures
• Immediate containment steps: [PATCHED SYSTEMS / CREDENTIAL RESET]
• Long-term controls: [MFA, ENCRYPTION, POLICY UPDATES]
• Offered services: ☐ 12-month credit monitoring ☐ ID theft insurance ☐ Call-center assistance -
Company Contact
Name/Title: [CONTACT NAME, TITLE]
Telephone: [TOLL-FREE #]
Email: [CONTACT EMAIL] -
Attachments
• Sample Consumer Notice (Template CON-1)
• Sample CRA Notice (if applicable)
• Breach Determination Memo (confidential – AG eyes only)
This notice is provided voluntarily and does not constitute an admission of liability or violation of law. Company respectfully requests that any proprietary or personal information herein be treated as confidential to the maximum extent permitted under Ohio’s public-records statutes.
Sincerely,
[AUTHORIZED SIGNATORY]
[Title]
[Company Legal Name]
TEMPLATE CON-1 – Consumer Notification Letter
IMPORTANT SECURITY NOTICE
[COMPANY LETTERHEAD / LOGO]
[DATE OF MAILING/EMAIL]
Dear [NAME OR “Valued Customer”]:
-
What Happened?
On [DATE OF DETERMINATION], we confirmed that an unauthorized party accessed certain Company systems between [BREACH DATE RANGE]. -
What Information Was Involved?
The information included your [LIST OF DATA ELEMENTS – e.g., name and Social Security number]. Not all Company customers were affected; you are receiving this notice because our records indicate your information was involved. -
What We Are Doing
• We contained the incident, engaged leading cybersecurity experts, and notified law enforcement.
• We enhanced security through [LIST OF REMEDIATION STEPS].
• We are offering you [12/24] months of complimentary credit-monitoring and identity-theft protection through [SERVICE PROVIDER]. Please enroll by [ENROLLMENT DEADLINE] using code [UNIQUE ENROLLMENT CODE]. No payment information is required. -
What You Can Do
• Enroll in the free monitoring service.
• Review the enclosed “Steps You Can Take to Protect Your Information.”
• Remain vigilant by reviewing account statements and monitoring credit reports.
• Place a fraud alert or security freeze if you deem appropriate. -
For More Information
If you have questions, please contact our dedicated call center at [PHONE] (Monday–Friday, 8 a.m.–8 p.m. ET) or email [EMAIL]. Additional resources are listed on page 2.
We regret any inconvenience this incident may cause and remain committed to safeguarding your information.
Sincerely,
[AUTHORIZED SIGNATORY]
[Title]
[Company Legal Name]
Page 2 – Steps You Can Take to Protect Your Information
(Ohio-specific statutory language)
- Order free credit reports at www.annualcreditreport.com or 1-877-322-8228.
- Place a fraud alert by contacting one of the three credit bureaus:
• Equifax 1-888-766-0008 | www.equifax.com
• Experian 1-888-397-3742 | www.experian.com
• TransUnion 1-800-680-7289 | www.transunion.com - Consider a security freeze, which is free under both federal and Ohio law.
- Contact the FTC at www.identitytheft.gov, 1-877-ID-THEFT (438-4338), or write to Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
TEMPLATE CRA-1 – Credit Reporting Agency Notification
(Required if ≥ 1,000 Ohio residents are notified – § 1349.19(D))
SECURITY BREACH NOTIFICATION – OHIO RESIDENTS
[CREDIT REPORTING AGENCY NAME & ADDRESS]
Date: [DATE]
Pursuant to Ohio Rev. Code Ann. § 1349.19(D), [COMPANY] is today notifying [CREDIT REPORTING AGENCY] that it is providing written notice of a security breach to approximately [OH COUNT] Ohio residents on [NOTICE DATE].
Incident specifics, resident counts, and contact information are set forth below:
• Date(s) of Breach: [DATES]
• Categories of Personal Information: [LIST]
• Resident head-count by state: [STATE COUNTS]
• Company contact for law-enforcement/CRA inquiries: [NAME, TITLE, PHONE, EMAIL]
Please contact us with any questions.
Sincerely,
[Authorized Signatory]
Appendix A – Statutory Compliance Checklist & Timing Matrix
(Internal document – do not file or distribute externally)
| Requirement | Ohio Rev. Code Citation | Responsible Party | Deadline | Status |
|---|---|---|---|---|
| Determine breach scope | § 1349.19(B)(1) | CISO | + 1 day | ☐ |
| Law-enforcement consultation | § 1349.19(C) | Legal | + 2 days | ☐ |
| Resident notice dispatched | § 1349.19(B)(2) | Privacy | ≤ 45 days | ☐ |
| CRA notice (if ≥ 1,000) | § 1349.19(D) | Legal | Same day as resident notice | ☐ |
| AG courtesy notice (best practice) | — | Legal | Align with resident notice | ☐ |
[// GUIDANCE: Maintain this matrix in the incident-response file; update “Status” daily until all items are complete.]