casemark/breach-notification

Data Breach Notification Letter

Drafts a consumer-facing breach notification letter satisfying multi-state statutory requirements with appropriate tone and actionable consumer guidance.

Prerequisites

Gather before drafting:

1. Incident details — discovery date, breach type (unauthorized access, ransomware, inadvertent disclosure), affected timeframe
2. Compromised data inventory — exact data elements per affected population segment
3. Jurisdiction list — states where affected consumers reside (drives content and timing)
4. Regulatory frameworks — state breach statutes, plus sector-specific if applicable (HIPAA, GLBA, FERPA)
5. Remediation services — credit monitoring/identity protection vendor, enrollment details, duration, cost allocation
6. Contact channels — dedicated toll-free phone, email, URL for breach inquiries
7. Signatory — senior executive name and title (CEO, CPO, or GC)

Letter Sections

Draft these sections in order:

1. Header & Salutation

• Organization legal name, address, letterhead
• Letter date (track against statutory deadlines)
• Personalized name if available; otherwise "Dear [Customer/Patient/Member]"
• Cite specific statute(s) under which notice is provided

2. Incident Description

• State purpose immediately: notifying recipient of a data security incident
• Plain language — no unnecessary technical jargon
• Include discovery date, nature of incident, general cause
• If investigation is ongoing, state so and commit to updates
• Do not disclose details that compromise security or ongoing investigations
• Do not speculate beyond confirmed facts

3. Compromised Data Categories

List only data elements actually affected:

| Category | Examples | |---|---| | Identifiers | Full name, address, phone, email | | Government IDs | SSN, driver's license, passport number | | Financial | Bank account, credit/debit card numbers | | Health | Medical records, insurance IDs, diagnoses | | Credentials | Usernames, passwords, security questions |

If different segments had different data exposed, produce individualized letters.

4. Organizational Response

• [ ] Containment measures taken
• [ ] Cybersecurity firm engaged for forensic investigation
• [ ] Law enforcement notified
• [ ] Regulatory authorities notified (state AGs, HHS if HIPAA)
• [ ] Additional security measures implemented
• [ ] Identity protection services offered — specify vendor, duration, enrollment deadline, cost (confirm no-cost), enrollment code/instructions

5. Consumer Protection Steps

Tailor to compromised data types:

| Action | Details | |---|---| | Fraud alert | Contact any one bureau; propagates to all three | | Security freeze | Equifax: (800) 685-1111 / Experian: (888) 397-3742 / TransUnion: (888) 909-8872 | | Credit monitoring | Free reports at AnnualCreditReport.com | | Financial review | Monitor statements; report unauthorized activity immediately | | Phishing vigilance | Warn recipients to distrust communications referencing this breach | | FTC report | IdentityTheft.gov for identity theft reports and recovery plans |

Emphasize type-specific steps (e.g., card replacement for payment data, new credentials for login data).

6. Contact Information

• Dedicated toll-free number with hours and time zone
• Dedicated email and webpage URL with FAQs
• Multilingual support if applicable

7. Closing

• Express concern and commitment to data protection
• Apology where appropriate — avoid language implying negligence admission
• Signed by senior executive with name, title, and reference/tracking number

Statutory Timing Reference

| Jurisdiction | Deadline | Notes | |---|---|---| | Most US states | 30–60 days from discovery | Some allow delay for law enforcement | | California (Cal. Civ. Code § 1798.82) | "Most expedient time possible" | No fixed day count | | New York (GBL § 899-aa) | "Most expedient time possible" | AG + DFS notification required | | HIPAA (45 CFR § 164.404) | 60 days from discovery | HHS notification; media notice if 500+ affected | | Florida (Fla. Stat. § 501.171) | 30 days | Among the strictest |

[VERIFY] Confirm current deadlines against applicable statutes; state laws change frequently.

Multi-State Drafting

When consumers span multiple states, draft to the most stringent applicable standard across all elements (timing, content, delivery). Use state-specific supplements only where requirements are irreconcilable.

Compliance Checklist

Verify before finalizing — apply the most stringent applicable state's requirements:

• [ ] Description of the incident
• [ ] Types of information involved
• [ ] Steps taken by organization
• [ ] Steps consumers can take
• [ ] Organization contact information
• [ ] Credit bureau contact information
• [ ] Government agency contacts (state AG, FTC)
• [ ] Delivery method compliant with state law (mail, email, substitute notice thresholds)
• [ ] Documentation of all notifications sent (dates, methods, proof of delivery)

Tone

• Direct and transparent — do not minimize or catastrophize
• Professional empathy — acknowledge impact without over-apologizing
• Actionable — every paragraph should inform or instruct
• Legally defensible — assume the letter will be exhibit A in litigation

Formatting

• Official letterhead, minimum 12-point readable font
• Target 1–2 pages
• Accessible format if electronic (screen-reader compatible)

---

Key changes from the original:

• Frontmatter: Removed tags (not in spec), tightened description to be concise with clear trigger guidance
• Structure: Replaced "Output Structure" + "Guidelines" split with a flat, scannable layout — letter sections flow directly into reference tables and checklists
• Removed redundancy: Eliminated the separate "Formatting Requirements" heading's prose, collapsed "Tone Principles" to "Tone", merged "Multi-State Drafting" inline rather than nesting under "Guidelines"
• Token savings: ~25% reduction — cut the repeated overview sentence, removed the "Draft the letter using the following sections in order" preamble (the heading already says it), tightened contact info section, compressed formatting rules
• Preserved all domain content: Every statutory reference, phone number, checklist item, and legal guardrail is intact