State Data Breach Notification Letter

Commonwealth of Pennsylvania

Data Breach Notification Letter Template

(Prepared for Compliance with the Pennsylvania Breach of Personal Information Notification Act (“Act”))

[// GUIDANCE: This template contains two variants of the same notice—one for the Pennsylvania Office of Attorney General (“OAG”) and one for individual Pennsylvania residents (“Consumer Notice”). Delete the version that does not apply to the intended recipient before use. Cross-check all bracketed placeholders and update as necessary.]


Table of Contents

  1. Document Header
  2. Definitions
  3. Operative Provisions
    3.1 Mandatory Statutory Disclosures
    3.2 Description of the Incident
    3.3 Categories of Personal Information Involved
    3.4 Measures Taken by the Company
    3.5 Protective Measures Available to the Recipient
  4. Additional Statutory Notices & Resources
  5. Contact Information
  6. Reservation of Rights & Disclaimers
  7. Execution Block

1. DOCUMENT HEADER

Date: [DATE]

To:
• Variant A – OAG Notice:
   Office of Attorney General – Bureau of Consumer Protection
   Strawberry Square, 16th Floor
   Harrisburg, PA 17120

• Variant B – Consumer Notice:
   [FIRST NAME LAST NAME]
   [STREET ADDRESS]
   [CITY], [STATE] [ZIP]

From: [LEGAL NAME OF COMPANY] (the “Company”)
[COMPANY STREET ADDRESS]
[COMPANY CITY, STATE ZIP]
[COMPANY TELEPHONE] • [COMPANY EMAIL]

Subject: Notice of Data Security Incident (Pennsylvania)


2. DEFINITIONS

For purposes of this Notice:

“Act” means the Pennsylvania Breach of Personal Information Notification Act, as amended.

“Breach” or “Data Security Incident” means the unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of Personal Information.

“Personal Information” has the meaning assigned under the Act and includes, without limitation, an individual’s first name or first initial and last name, in combination with any one or more of the following data elements when neither the name nor the data elements are encrypted or redacted:
a. Social Security number;
b. Driver’s license number or state identification card number;
c. Financial account number, credit card number, or debit card number (in combination with required access code, PIN, or password);
d. [ADD ANY ADDITIONAL CATEGORIES, IF APPLICABLE].

“Recipient” means either the OAG or the individual Pennsylvania resident receiving this Notice, as context requires.


3. OPERATIVE PROVISIONS

3.1 Mandatory Statutory Disclosures

Pursuant to the Act, the Company provides the following information:
a. The date(s) of the Data Security Incident;
b. The date of discovery;
c. A brief description of the Incident;
d. The categories of Personal Information affected;
e. The measures taken to contain and remediate the Incident;
f. Advice on steps the Recipient may take to protect themselves from identity theft or fraud;
g. Contact information for the Company and relevant consumer-reporting agencies;
h. Whether law enforcement has been notified;
i. A statement regarding any credit monitoring services being offered.

3.2 Description of the Incident

On or about [INCIDENT DATE(S)], the Company identified suspicious activity within its [SYSTEM/NETWORK/APPLICATION] environment. An internal investigation, assisted by independent cybersecurity professionals, determined that an unauthorized third party gained access to certain Company systems between [START DATE] and [END DATE]. During this period, files containing Personal Information of Pennsylvania residents may have been accessed.

3.3 Categories of Personal Information Involved

The investigation confirmed that the following categories of Personal Information relating to [NUMBER] Pennsylvania resident(s) were potentially compromised:
• [e.g., Full name]
• [e.g., Social Security number]
• [e.g., Driver’s license number]
• [e.g., Account number + access code]
[// GUIDANCE: Delete or add items to align with investigation findings.]

3.4 Measures Taken by the Company

Immediately upon discovery, the Company:
1. Isolated affected systems and launched a containment protocol;
2. Engaged leading cybersecurity and forensic experts to investigate;
3. Implemented enhanced security controls, including [MULTI-FACTOR AUTHENTICATION / ENCRYPTION / ETC.];
4. Notified federal, state, and local law-enforcement authorities as required;
5. Is offering impacted individuals [12/24] months of complimentary credit monitoring and identity-theft protection services through [SERVICE PROVIDER].

3.5 Protective Measures Available to the Recipient

The Company recommends that Recipient(s) take the following steps:
• Review account statements and credit reports for suspicious activity;
• Consider placing a fraud alert or security freeze on credit files;
• Remain vigilant for phishing attempts referencing this Incident;
• Enroll in the complimentary credit monitoring service using the activation code below.

Activation Code: [UNIQUE CODE]
Enrollment Deadline: [MM/DD/YYYY]


4. ADDITIONAL STATUTORY NOTICES & RESOURCES

Credit Reporting Agencies (contact to place a fraud alert or security freeze):
• Equifax: 800-525-6285 | P.O. Box 105788, Atlanta, GA 30348-5788 | www.equifax.com
• Experian: 888-397-3742 | P.O. Box 9554, Allen, TX 75013 | www.experian.com
• TransUnion: 800-680-7289 | P.O. Box 2000, Chester, PA 19016 | www.transunion.com

Federal Trade Commission (FTC): www.identitytheft.gov | 1-877-438-4338


5. CONTACT INFORMATION

If you have questions, please contact our dedicated incident-response team:
Toll-Free Hotline: [PHONE] (Mon–Fri, 9 a.m.–9 p.m. ET)
Email: [EMAIL]
Mail: [COMPANY NAME] – Incident Response, [ADDRESS]


6. RESERVATION OF RIGHTS & DISCLAIMERS

The Company reserves all rights, claims, defenses, and privileges under applicable law. Nothing in this Notice shall be construed as an admission of liability or wrongdoing. This Notice is provided solely to comply with the Act and any other applicable data-breach notification laws.


7. EXECUTION BLOCK

Sincerely,

    ______
    [NAME]
    [TITLE]
    [COMPANY NAME]
    [DATE]


OPTIONAL CERTIFICATION FOR OAG NOTICE

[// GUIDANCE: Some entities elect to include a sworn verification for the Attorney General. Consult outside counsel to determine necessity.]

I, [NAME], hereby certify under penalty of perjury that the information contained in this Notice is accurate and complete to the best of my knowledge.

    ______
    [NAME], [TITLE]
    Date: [MM/DD/YYYY]


[// GUIDANCE:
1. Statutory Timing – Pennsylvania requires notice “without unreasonable delay” and, for breaches involving more than 500 Pennsylvania residents, contemporaneous notice to the OAG. Insert actual dispatch dates in the “Date” field and maintain documentary evidence.
2. Law-Enforcement Delay – If a law-enforcement agency determines that notification will impede a criminal investigation, obtain written documentation and postpone notice until authorized.
3. Aggregation – If multiple states are implicated, coordinate multistate timing and content requirements to avoid inconsistent disclosures.
4. Credit Monitoring – Confirm against the current text of the Act (as amended) whether credit monitoring is mandated for the data elements involved; in any event, regulators strongly favor offering at least twelve (12) months of services when Social Security numbers are involved.
5. Preserve Evidence – Retain forensic images, logs, and correspondence for at least four (4) years or longer if litigation is anticipated.
]
