Oklahoma Data Breach Notification Letter Package
(Prepared for immediate attorney customization and issuance)
[// GUIDANCE: This package contains two model letters—one for the Oklahoma Attorney General (“AG Notice”) and one for affected Oklahoma residents (“Consumer Notice”). Both letters track the Oklahoma Security Breach Notification Act, 24 Okla. Stat. §§ 161–166, and incorporate best-practice disclosure elements recommended by the Federal Trade Commission. Bracketed placeholders MUST be completed before issuance. Delete all guidance comments prior to dispatch.]
TABLE OF CONTENTS
- General Drafting Notes & Compliance Checklist
- Letter A – Notice to Oklahoma Attorney General
- Letter B – Notice to Affected Oklahoma Residents
1. GENERAL DRAFTING NOTES & COMPLIANCE CHECKLIST
• Statutory Timing: Provide notice “in the most expedient time possible and without unreasonable delay” after determining a breach has occurred, subject to law-enforcement hold (24 Okla. Stat. § 162(A)).
• Deliver AG Notice contemporaneously with, or prior to, the first consumer mailing.
• If more than 1,000 Oklahoma residents are notified, deliver separate notice to the nationwide consumer reporting agencies.
• Do NOT include in any notice the specific information that was actually compromised (e.g., Social Security numbers). Describe categories only.
• Retain proof of mailing and copies of all final letters for no fewer than five (5) years.
• Consider adding at least 12 months of complimentary credit monitoring where Social Security numbers or driver’s-license numbers were involved.
• Coordinate with cyber-forensics, insurance counsel, and law-enforcement before release.
2. LETTER A – NOTICE TO OKLAHOMA ATTORNEY GENERAL
[COMPANY LETTERHEAD]
[COMPANY STREET ADDRESS] • [CITY, STATE ZIP] • [PHONE] • [E-MAIL]
[DATE]
VIA ELECTRONIC & CERTIFIED MAIL – RETURN RECEIPT REQUESTED
Office of the Oklahoma Attorney General
Attn: Consumer Protection Unit – Data Breach Reporting
313 N.E. 21st Street
Oklahoma City, OK 73105
Re: Security Breach Notification – 24 Okla. Stat. §§ 161–166
Dear Attorney General [NAME]:
1. Incident Overview
On [DISCOVERY DATE], [COMPANY NAME] (“Company”) identified unauthorized access to its [systems/network] that resulted in a security breach involving “Personal Information,” as that term is defined in 24 Okla. Stat. § 161(4).
2. Date(s) of Breach
Forensic investigation indicates the intrusion occurred on or about [BREACH START DATE] and was contained on [CONTAINMENT DATE].
3. Affected Population
The breach involves Personal Information of approximately [NUMBER] Oklahoma residents. No residents of other states were affected / Residents in additional states are being notified under applicable laws [SELECT AS APPLICABLE].
4. Categories of Personal Information Exposed
• Social Security numbers
• Driver’s-license or state identification numbers
• Financial account numbers in combination with access codes
[ADD / DELETE AS REQUIRED]
5. Breach Discovery & Containment
• Discovery: [BRIEF SUMMARY]
• Containment: [BRIEF SUMMARY OF MEASURES TAKEN]
6. Remediation Measures Implemented
• Engaged independent cyber-forensics firm, [NAME].
• Reset all user credentials and implemented mandatory multifactor authentication (“MFA”).
• Hardened network perimeter and deployed 24/7 threat monitoring.
• Offered 24-month identity-protection services to affected individuals at no charge.
7. Consumer Notice & Timing
Company will dispatch written notice to affected Oklahoma residents on [MAILING DATE], consistent with 24 Okla. Stat. § 162 and following consultation with law-enforcement. A copy of the consumer notice template is enclosed.
8. Contact Information
Please direct any questions to:
• [NAME], [TITLE] – Tel: [PHONE]; E-mail: [EMAIL]
• Outside Counsel: [LAW FIRM NAME], Attn: [ATTORNEY], Tel: [PHONE]
Respectfully submitted,
[AUTHORIZED SIGNATORY]
[NAME] • [TITLE]
[COMPANY NAME]
Enclosure: Form Consumer Notice
3. LETTER B – NOTICE TO AFFECTED OKLAHOMA RESIDENTS
[COMPANY LETTERHEAD]
[COMPANY STREET ADDRESS] • [CITY, STATE ZIP] • [PHONE] • [WEBSITE]
[DATE]
[INDIVIDUAL NAME]
[STREET ADDRESS]
[CITY, STATE ZIP]
IMPORTANT SECURITY NOTICE
Dear [SALUTATION]:
We are writing to inform you of a data security incident that may have involved your personal information. While we are not aware of any misuse, we want you to understand what happened, the steps we have taken, and how you may protect yourself.
1. What Happened
On [DISCOVERY DATE], we detected unauthorized access to certain Company systems. Our investigation, conducted with leading cyber-forensics experts, determined that an unauthorized actor accessed data between [BREACH START DATE] and [CONTAINMENT DATE].
2. What Information Was Involved
The information at risk for you may have included one or more of the following:
• Your name
• [CATEGORIES: Social Security number, driver’s-license number, financial-account information, date of birth, etc.]
Please note we have no evidence that any of this information has been misused.
3. What We Are Doing
• Immediately contained the incident and implemented enhanced security measures, including multi-factor authentication and 24/7 network monitoring.
• Notified federal and state law-enforcement, and are cooperating fully.
• Offering you [12/24] months of complimentary identity-monitoring and fraud-resolution services through [VENDOR NAME]. These services include credit monitoring, a $1 million identity-theft insurance policy, and fraud-resolution support. Instructions for activation appear in Section 5 below.
4. What You Can Do
We recommend you:
a. Remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit reports.
b. Consider placing a fraud alert or security freeze on your credit files.
c. Enroll in the complimentary identity-monitoring service described below.
5. How to Enroll in Complimentary Identity-Monitoring
• Visit: [URL]
• Enrollment Code: [UNIQUE CODE]
• Deadline: [ENROLLMENT DEADLINE DATE]
6. Additional Resources
You may contact the major consumer reporting agencies as follows:
• Equifax: 888-766-0008 | P.O. Box 105069, Atlanta, GA 30348
• Experian: 888-397-3742 | P.O. Box 9554, Allen, TX 75013
• TransUnion: 800-680-7289 | P.O. Box 2000, Chester, PA 19016
For more information on identity theft, you may visit the Federal Trade Commission at www.identitytheft.gov or call 1-877-ID-THEFT (1-877-438-4338).
7. For More Information
If you have any questions, please contact our dedicated call center at [TOLL-FREE NUMBER] Monday through Friday, 8 a.m. – 8 p.m. Central Time, or email [EMAIL ADDRESS].
We regret any concern or inconvenience this incident may cause you and remain committed to safeguarding your information.
Sincerely,
[AUTHORIZED SIGNATORY]
[NAME] • [TITLE]
[COMPANY NAME]
[// GUIDANCE: Delete this page before issuance]
QUICK REFERENCE—MINIMUM CONTENT ELEMENTS FOR OKLAHOMA
✓ Incident date & discovery date
✓ Description of categories of Personal Information affected
✓ Company contact information
✓ Toll-free numbers & addresses for credit reporting agencies
✓ Information on fraud alerts/security freezes
✓ Statement urging vigilance against identity theft
End of Template