Most states, the District of Columbia, Puerto Rico and the US Virgin Islands have enacted data breach notification laws requiring businesses to notify affected individuals (customers, clients, patients, employees) when a data breach involving their personally identifiable information (also referred to as PII) occurs.  However, not all security incidents are considered breaches under each state’s data breach notification law.  An analysis in accordance with the incident response plan may be necessary to determine if a security incident requires notification under the applicable state’s breach notification law (as a reference, please see Map of U.S. State Data Breach notification Statutes).

This notification letter template serves for a business to notify affected individuals of a data security breach involving their personal information.  This letter has integrated notes with important explanations and drafting tips. This template was written by Foley & Lardner for reference/educational purposes.

CSG strongly suggests that you consult with legal counsel to assist in the breach notification process.