State Data Breach Notification Letter

TEMPLATE – TENNESSEE DATA BREACH NOTIFICATION PACKAGE

TABLE OF CONTENTS

1. AG Notice Cover Letter
2. Statutory Consumer Notice
3. Attachment A – Recommended Identity-Theft Protection Steps
4. Attachment B – Contact Information for Nationwide Consumer Reporting Agencies

1. ATTORNEY GENERAL NOTICE COVER LETTER (OPTIONAL)

NOTICE OF DATA BREACH
[COMPANY LEGAL NAME]
[STREET ADDRESS] • [CITY, ST ZIP] • [PHONE]
E-mail: [EMAIL] • Website: [URL]

Date: [DATE]

VIA CERTIFIED MAIL & E-MAIL
The Honorable [NAME], Attorney General & Reporter
Office of the Tennessee Attorney General
P.O. Box 20207
Nashville, TN 37202-0207
E-mail: [AG CYBERSECURITY CONTACT, if available]

Re: Data Security Incident Involving Tennessee Residents – Notice Pursuant to Tenn. Code Ann. § 47-18-2107

Attorney General [LAST NAME]:

[1] Identity of Reporting Entity
[COMPANY LEGAL NAME], a [STATE] [CORPORATION/LLC] (“Company”), writes to inform your office of a data security incident that may have compromised the personal information of certain Tennessee residents.

[2] Incident Description & Discovery
• Date of Breach: [MM/DD/YYYY]
• Date Discovered: [MM/DD/YYYY]
• Type of Incident: [e.g., unauthorized system intrusion via phishing leading to exfiltration of files].
Company’s internal investigation, assisted by third-party cybersecurity professionals, determined that an unauthorized actor had access to certain systems during the period [PERIOD].

[3] Categories of Personal Information Affected
The impacted data may have included one or more of the following as defined in Tenn. Code Ann. § 47-18-2107(a):
• Full name in combination with Social Security number;
• Driver license or state identification number;
• Financial account number with access code/expiration date; and
• [ADD AS APPLICABLE].

[4] Population Impacted
The incident potentially affects approximately [NUMBER] Tennessee residents.

[5] Timing of Notice
Consistent with Tenn. Code Ann. § 47-18-2107(b)–(c), consumer notification letters will be dispatched within forty-five (45) days of discovery of the breach and without unreasonable delay.

[6] Remediation & Protective Measures
Company has:
• Contained and eradicated the threat;
• Implemented multi-factor authentication and enhanced logging;
• Forced credential resets; and
• Offered 12-month complimentary credit monitoring and identity-theft protection to affected individuals.

[7] Consumer Notification & CRA Notice
Enclosed is the form Consumer Notice (Attachment 1). Because the number of individuals exceeds 1,000, Company will simultaneously notify the nationwide consumer reporting agencies as required by Tenn. Code Ann. § 47-18-2107(h). A copy of that CRA notice is available upon request.

[8] Point of Contact
Please direct any questions to:
[NAME, TITLE]
[PHONE] • [EMAIL]

Company remains committed to safeguarding personal information and appreciates your attention to this matter.

Respectfully,

__________________________________
[AUTHORIZED SIGNATORY NAME]
[TITLE]
[COMPANY LEGAL NAME]

2. STATUTORY CONSUMER NOTICE

IMPORTANT NOTICE OF DATA BREACH
Issued by [COMPANY LEGAL NAME]
[STREET ADDRESS] • [CITY, ST ZIP] • [PHONE]

Date: [DATE]
Tennessee Resident: [FIRST NAME LAST NAME]
Notice ID: [UNIQUE NUMBER]

Dear [Mr./Ms.] [LAST NAME]:

1. What Happened?
   On [DISCOVERY DATE], we learned that an unauthorized party accessed certain Company computer systems between [START DATE] and [END DATE]. Upon discovery, we immediately secured our network and engaged leading cybersecurity experts to investigate.

2. What Information Was Involved?
   The information involved may have included your:
   • [LIST EACH DATA ELEMENT IMPACTED]
   To our knowledge, no misuse of your information has been reported.

3. What We Are Doing.
   • Secured the environment and strengthened system safeguards;
   • Notified law enforcement where appropriate;
   • Reporting this incident to the nationwide consumer reporting agencies as required; and
   • Offering you 12 months of complimentary credit monitoring and identity-theft protection services through [SERVICE PROVIDER].
   – Your activation code: [CODE]
   – Enrollment deadline: [MM/DD/YYYY]

4. What You Can Do.
   Please review the “Steps You Can Take to Protect Your Information” in Attachment A and consider activating the complimentary credit monitoring service. You should also remain vigilant, review account statements, and monitor your credit reports.

5. For More Information.
   If you have questions, please contact our dedicated response line at [TOLL-FREE NUMBER], Monday–Friday, [HOURS], or e-mail us at [EMAIL].

We regret any inconvenience and take your privacy seriously.

Sincerely,

__________________________________
[AUTHORIZED SIGNATORY NAME]
[TITLE]
[COMPANY LEGAL NAME]

3. ATTACHMENT A – STEPS YOU CAN TAKE TO PROTECT YOUR INFORMATION

1. Activate Complimentary Credit Monitoring
   Visit [URL] or call [PHONE] and provide activation code [CODE] by [DEADLINE].

2. Monitor Your Credit Reports
   Obtain free annual credit reports at www.AnnualCreditReport.com or 1-877-322-8228.

3. Fraud Alert & Security Freeze
   You may place a fraud alert or security freeze on your credit files. Contact information for the three nationwide consumer reporting agencies is provided in Attachment B.

4. Remain Vigilant
   Review account statements and promptly report suspicious activity to the relevant institution.

5. Identity Theft Resources
   Visit the FTC’s website at www.IdentityTheft.gov or call 1-877-ID-THEFT for guidance.

4. ATTACHMENT B – CONSUMER REPORTING AGENCY CONTACT DETAILS

• Equifax – www.equifax.com • 1-888-378-4329
• Experian – www.experian.com • 1-888-397-3742
• TransUnion – www.transunion.com • 1-800-680-7289

KEY STATUTORY REFERENCES

Tenn. Code Ann. § 47-18-2107 (data breach notification requirements, including 45-day outside deadline and CRA notice obligation when more than 1,000 residents are affected).

DISCLAIMER & RESERVATION OF RIGHTS

This notice is provided pursuant to Tennessee law and any other applicable data-breach statutes. Nothing herein shall be construed as an admission of liability, wrongdoing, or non-compliance, and Company expressly reserves all defenses and legal rights.