State Data Breach Notification Letter

Commonwealth of Virginia

Data Breach Notification Packet

(Attorney General & Consumer Notice Templates)

TABLE OF CONTENTS

1. Attorney General Notification Letter Template
2. Consumer Notification Letter Template
3. Attachment A – Sample Identity-Theft Prevention Resources
4. Attachment B – Sample Credit Reporting Agency Contact Sheet

1. ATTORNEY GENERAL NOTIFICATION LETTER TEMPLATE

[LETTERHEAD OF [COMPANY LEGAL NAME]]
[Street Address] | [City, State ZIP] | [Telephone] | [Email]

[Date]

The Honorable [Name of Attorney General]
Office of the Attorney General of Virginia
202 North Ninth Street
Richmond, VA 23219

Re: Notice of Data Breach Pursuant to Va. Code Ann. § 18.2-186.6

Dear Attorney General [Last Name]:

1. INTRODUCTION
   Pursuant to Va. Code Ann. § 18.2-186.6, [Company Legal Name], a [state] [corporation/LLC/etc.] (“Company”), provides this notice regarding a breach of the security of computerized data involving personal information of Virginia residents.

2. INCIDENT OVERVIEW
   a. Date(s) of Incident: [mm/dd/yyyy – mm/dd/yyyy]
   b. Date Breach Determined: [mm/dd/yyyy]
   c. Nature of Incident: [Brief, factual description (e.g., unauthorized access to cloud-based email environment via phishing)].
   d. Type of Personal Information Involved: [✓ Social Security numbers; ✓ driver’s-license numbers; ✓ financial-account numbers, etc.].
   e. Number of Virginia Residents Affected: [Numeric total].
   f. Law-Enforcement Involvement: [Yes/No]. If yes, provide agency name, point of contact, and any requested delay authority.

3. CONTAINMENT & REMEDIATION
   The Company took the following steps upon discovery:
   • Isolated affected systems within [X] hours;
   • Engaged third-party forensic experts on [mm/dd/yyyy];
   • Implemented password resets, multi-factor authentication, and enhanced endpoint detection;
   • Established dedicated call center and credit-monitoring offering for impacted individuals.

4. CONSUMER NOTIFICATION
   a. Notification Method(s): [First-class mail / email per E-SIGN consent / substitute notice].
   b. Notification Timing: Scheduled to commence on or before [mm/dd/yyyy], which is without unreasonable delay from determination of the breach and consistent with any law-enforcement hold.
   c. Sample Notification: Enclosed as Attachment C.

5. OTHER NOTIFICATIONS
   • Consumer Reporting Agencies (because ≥ 1,000 residents affected) were/will be notified on [mm/dd/yyyy].
   • Any relevant federal regulators (e.g., FTC, HHS) were/will be notified as applicable.

6. CONTACT INFORMATION
   Please direct any questions to:
   [Name, Title]
   [Telephone] | [Email]

Respectfully submitted,

[AUTHORIZED SIGNATORY NAME]
[Title]
[Company Legal Name]

2. CONSUMER NOTIFICATION LETTER TEMPLATE

[LETTERHEAD OF [COMPANY LEGAL NAME]]
[Street Address] | [City, State ZIP] | [Toll-Free Hotline] | [Email]

[Date]

[Recipient Name]
[Street Address]
[City, State ZIP]

Subject: IMPORTANT INFORMATION ABOUT YOUR PERSONAL DATA

Dear [Mr./Ms.] [Last Name],

1. WHAT HAPPENED?
   On [mm/dd/yyyy], we discovered that an unauthorized party accessed certain Company systems between [mm/dd/yyyy] and [mm/dd/yyyy]. Upon learning of the incident, we immediately secured our systems, engaged independent cybersecurity experts, and initiated a thorough investigation.

2. WHAT INFORMATION WAS INVOLVED?
   The investigation determined that the following types of your personal information were involved:
   • [Social Security number]
   • [Driver’s-license or state ID number]
   • [Financial-account or payment-card number + any required access code/PIN]
   No passwords or security questions/answers were involved [if applicable].

3. WHAT WE ARE DOING
   • We have contained the incident and enhanced our security protocols, including [describe].
   • We are offering you [12/24] months of complimentary [NAME OF SERVICE] identity-theft protection and credit-monitoring services through [Provider Name]. ‌Instructions to enroll are enclosed.
   • We notified the Virginia Office of the Attorney General and major consumer reporting agencies, as required by law.

4. WHAT YOU CAN DO
   We recommend that you:
   • Enroll in the complimentary identity-protection services.
   • Review the “Steps You Can Take to Protect Your Information” in Attachment A, which includes guidance on obtaining free credit reports, placing fraud alerts, and freezing your credit.
   • Remain vigilant and promptly report any suspicious activity to us and the relevant financial institution.

5. FOR MORE INFORMATION
   If you have questions, please contact our dedicated response team at [Toll-Free Number] between [hours] or visit [website]. ‌When calling, please reference code: [Unique Incident Code].

We regret any inconvenience this incident may cause and remain committed to protecting your information.

Sincerely,

[AUTHORIZED SIGNATORY NAME]
[Title]
[Company Legal Name]

3. ATTACHMENT A – STEPS YOU CAN TAKE TO PROTECT YOUR INFORMATION

1. Review Your Account Statements and Credit Reports
   • Obtain free credit reports at www.AnnualCreditReport.com or 1-877-322-8228.
   • Check for unfamiliar activity and report discrepancies immediately.

2. Fraud Alerts
   • Contact any one of the three nationwide credit bureaus to place a fraud alert; the bureau you contact must notify the others.
   Experian – 888-397-3742
   TransUnion – 800-680-7289
   Equifax – 800-525-6285

3. Credit Freezes
   • A credit freeze restricts access to your credit report. ‌It is free and can be placed online or via telephone with each bureau.

4. Federal Trade Commission & Law Enforcement
   • If you suspect identity theft, file a report with the FTC at IdentityTheft.gov and consider filing a police report.

4. ATTACHMENT B – CONSUMER REPORTING AGENCY CONTACT SHEET

LEGAL FOOTNOTE

This notification is made pursuant to Va. Code Ann. § 18.2-186.6 (2023) and any other applicable federal or state data-breach laws. ‌Nothing in this correspondence constitutes an admission of liability or wrongdoing.