Breach Notification Letters (U.S.): Fill-in-the-Blank Templates You Can Send Today
Purpose: A practical, copy-and-paste pack of fill-in-the-blank breach notification letters that non-experts can run on day one. Templates cover general multi-state notices, California-style notices, HIPAA/HITECH, FTC Safeguards Rule (GLBA), FTC Health Breach Notification Rule (PHR apps), SEC 8-K Item 1.05, state Attorneys General, media, vendors→clients and law-enforcement delay.
Replace bracketed fields like [INCIDENT_DATE], [AFFECTED_COUNT]. Keep plain language, avoid security detail that increases risk, and log proof of delivery.
1) Populate your incident facts
- What happened: brief timeline + how discovered ([WHAT_HAPPENED]).
- Data types: e.g., names, SSN, medical, financial ([DATA_TYPES]).
- Population: [AFFECTED_COUNT], residents by state.
- Containment: when blocked, mitigations ([MITIGATIONS]).
- Contact: hotline, email, website ([CONTACT_CHANNELS]).
2) Pick the letter(s)
- General consumer for most states.
- California-style when residents in CA are affected.
- HIPAA if unsecured PHI of patients is involved.
- GLBA / FTC if a “financial institution” under the FTC Safeguards Rule.
- PHR apps if you’re a health app/vendor outside HIPAA (FTC HBNR).
- SEC 8-K if you’re a U.S. public company facing a material cyber incident.
3) Check deadlines (illustrative)
| Regime | Outer deadline |
|---|---|
| HIPAA individuals & media | “Without unreasonable delay,” and no later than 60 calendar days after discovery |
| HHS (≥500 individuals) | ≤ 60 days from discovery (contemporaneous with individual notice) |
| FTC Safeguards (GLBA) | ≤ 30 days from discovery if ≥500 consumers are affected |
| SEC 8-K Item 1.05 | ≤ 4 business days after the materiality determination |
| California residents | General rule: without unreasonable delay; statutory 30-day deadline effective 2026-01-01 |
Many states also require notifying the Attorney General and, if SSNs were breached, offering free credit monitoring for specified periods (e.g., MA, CT). Always verify the exact state rule set.
Send sequence tip: If law enforcement requests a delay, document that request and use the Law-Enforcement Delay template. For HIPAA, you may additionally need a Media Notice (≥500 residents of a state/jurisdiction).
Common fields used across the templates: [INCIDENT_DATE], [DISCOVERY_DATE], [CONTAINMENT_DATE], [AFFECTED_COUNT], [STATES_IMPACTED], [DATA_TYPES], [WHAT_HAPPENED], [MITIGATIONS], [WHAT_YOU_CAN_DO] (credit freeze, MFA, password resets), [CREDIT_MONITORING_VENDOR], [CM_DURATION], [ENROLL_URL], [ENROLL_CODE], [ENROLL_DEADLINE], [CONTACT_CHANNELS], [COMPANY_NAME], [LEGAL_ENTITY], [ADDRESS], [CITY_STATE_ZIP], [HOTLINE_HOURS], [EVENT_ID].
1) General Consumer Notice (Multi-State)
Subject: Notice of Data Breach

Dear [NAME],

We are writing to let you know about a data security incident at [COMPANY_NAME] discovered on [DISCOVERY_DATE].

What happened. On [INCIDENT_DATE], we detected [WHAT_HAPPENED] affecting certain systems. We contained the incident and took steps to prevent recurrence, including [MITIGATIONS].

What information was involved. The event may have involved your [DATA_TYPES]. We have no evidence of fraud or identity theft resulting from this incident at this time; however, we encourage you to remain vigilant.

What you can do. [WHAT_YOU_CAN_DO] We are offering complimentary [CM_DURATION] of credit monitoring and identity theft protection through [CREDIT_MONITORING_VENDOR]. To activate, visit [ENROLL_URL] and use code [ENROLL_CODE] by [ENROLL_DEADLINE].

What we are doing. We secured accounts, reset credentials where appropriate, engaged third-party forensic experts, and notified law enforcement and relevant regulators as required. We have enhanced monitoring, MFA, and network segmentation.

Questions? Contact us at [CONTACT_CHANNELS] (hours: [HOTLINE_HOURS]). Our mailing address is [ADDRESS], [CITY_STATE_ZIP].

Sincerely,
[LEGAL_ENTITY] (“[COMPANY_NAME]”)
2) California-Style Consumer Notice (standard headings)
Use these headings and plain language when notifying California residents. Submit a sample to the California Attorney General if ≥500 CA residents are notified from a single event.
Subject: Notice of Data Breach

[WHAT HAPPENED?] On [DISCOVERY_DATE], we learned that [WHAT_HAPPENED]. We contained the incident on [CONTAINMENT_DATE].

[WHAT INFORMATION WAS INVOLVED?] Your [DATA_TYPES] may have been involved.

[WHAT WE ARE DOING] We took steps including [MITIGATIONS] and notified law enforcement and regulators where required.

[WHAT YOU CAN DO] Consider placing a fraud alert or security freeze and monitoring your accounts. We are offering [CM_DURATION] of no-cost credit monitoring via [CREDIT_MONITORING_VENDOR] (enroll by [ENROLL_DEADLINE] at [ENROLL_URL] with code [ENROLL_CODE]).

[FOR MORE INFORMATION] [CONTACT_CHANNELS] (hours: [HOTLINE_HOURS]). Mailing: [ADDRESS], [CITY_STATE_ZIP].
3) HIPAA Patient Notice (Unsecured PHI)
Subject: Important Notice About Your Health Information

Dear [NAME],

We are contacting you because of a breach of unsecured protected health information (PHI). On [DISCOVERY_DATE], we determined that [WHAT_HAPPENED] occurred on/about [INCIDENT_DATE].

PHI involved. Your PHI may have included: [DATA_TYPES], such as [e.g., name, address, date of birth, medical record number, diagnosis].

Steps you should take. Please review Explanation of Benefits statements and contact your insurer about any services you did not receive. Consider placing a fraud alert or security freeze with credit bureaus if SSNs were involved. See www.annualcreditreport.com.

What we are doing. We immediately secured the environment, rotated credentials, enabled additional monitoring, and retained external forensic experts. We are offering [CM_DURATION] of free credit monitoring via [CREDIT_MONITORING_VENDOR]. We reported this incident to the U.S. Department of Health and Human Services and, if applicable, to major media outlets, as required.

Questions? Contact our HIPAA Privacy Office at [CONTACT_CHANNELS].

Sincerely,
[HIPAA Covered Entity Name]
4) HIPAA Media Notice (≥500 residents of a state or jurisdiction)
FOR IMMEDIATE RELEASE – [DATE]

[Covered Entity] Announces Data Security Incident Involving Certain Patients

[City, State] — [Covered Entity] has announced a data security incident discovered on [DISCOVERY_DATE]. The incident may have involved unsecured protected health information for approximately [AFFECTED_COUNT] residents of [STATE/JURISDICTION]. Upon discovery, we took immediate steps to secure systems and began notifying affected individuals. Potentially involved PHI includes [DATA_TYPES]. We have no indication of identity theft at this time. We have notified the U.S. Department of Health and Human Services and are offering [CM_DURATION] of complimentary credit monitoring. Individuals seeking additional information may call [CONTACT_CHANNELS] (hours: [HOTLINE_HOURS]).
5) HHS Notification Summary (for your internal submission checklist)
HHS/OCR breach portal submission items (≥500 individuals within 60 days; <500 by March 1 for the prior year):
- Covered entity and business associate(s)
- Breach dates & discovery date
- Approximate number of individuals & states
- Breach location / type (e.g., email, paper, network server)
- Data elements (e.g., name, SSN, medical, clinical)
- Notice method/dates to individuals & media (if applicable)
- Mitigations & safeguards in place
6) FTC Safeguards Rule (GLBA) — Notification to FTC (≥500 consumers)
Subject: Safeguards Rule Notification Event — [LEGAL_ENTITY]

To the Federal Trade Commission:

Pursuant to 16 C.F.R. Part 314, §314.4(j), [LEGAL_ENTITY] reports a notification event involving unauthorized acquisition of unencrypted customer information of approximately [AFFECTED_COUNT] individuals.

Discovery date: [DISCOVERY_DATE].
Nature and scope: [WHAT_HAPPENED].
Data types: [DATA_TYPES].
Mitigations implemented: [MITIGATIONS].

We will update this report if material facts change. Point of contact: [NAME, TITLE, EMAIL, PHONE].

Sincerely,
[AUTHORIZED SIGNER]
7) FTC Health Breach Notification Rule — Consumers + FTC + Media (PHR Vendors)
Subject: Notice of Breach of Security Involving Health Data

Dear [NAME],

We determined on [DISCOVERY_DATE] that unauthorized access to our personal health record service occurred on [INCIDENT_DATE]. Information potentially involved: [DATA_TYPES]. We have secured accounts, rotated keys, and engaged outside experts.

Your options. Consider password resets, enabling MFA, and reviewing third-party app access. We are offering [CM_DURATION] of free monitoring through [CREDIT_MONITORING_VENDOR]. Enroll by [ENROLL_DEADLINE] at [ENROLL_URL] using code [ENROLL_CODE].

We have provided notice to the Federal Trade Commission and, because this breach involves ≥500 residents of [STATE/JURISDICTION], we are issuing a media notice.

Questions? [CONTACT_CHANNELS].
8) SEC Form 8-K Item 1.05 (Public Companies) — Drafting Outline
Item 1.05 Material Cybersecurity Incidents.

On [DATE OF MATERIALITY DETERMINATION], [REGISTRANT] determined that a cybersecurity incident was material. The incident, discovered on [DISCOVERY_DATE], involved [NATURE/SCOPE/TIMING], and [MATERIAL IMPACT OR LIKELY IMPACT] on the registrant, including [e.g., business operations, financial condition, results of operations]. The registrant has [REMEDIATION STEPS]. The investigation is ongoing, and the registrant may provide additional information in future filings as appropriate.

Forward-Looking Statements [if used] …
9) State Attorney General (sample transmittal)
Subject: Data Breach Notice — [LEGAL_ENTITY] — [EVENT_ID]

Dear Office of the Attorney General:

Pursuant to [STATE STATUTE], [LEGAL_ENTITY] submits this notice regarding a breach discovered on [DISCOVERY_DATE] affecting approximately [AFFECTED_COUNT] residents of [STATE]. Consumer notification commenced on [FIRST_MAILING_DATE]. A sample notice is attached.
- Incident summary: [WHAT_HAPPENED]
- Data types: [DATA_TYPES]
- Measures taken: [MITIGATIONS]
- Credit monitoring offered: [CM_DURATION] via [CREDIT_MONITORING_VENDOR]
- Contact point: [PRIVACY_OFFICER], [EMAIL], [PHONE]

Sincerely,
[AUTHORIZED SIGNER]
10) Service Provider → Client (Contractual Notice)
Subject: Contractual Security Incident Notice under [AGREEMENT_NAME]

Dear [CLIENT_NAME],

Under Section [X] of the [AGREEMENT_NAME], we notify you that on [DISCOVERY_DATE] we learned of [WHAT_HAPPENED] affecting systems that process [CLIENT_NAME] data. We took immediate steps to contain and investigate. The event may have involved [DATA_TYPES]. We will provide rolling updates every [INTERVAL] and will not notify any third parties without your written instructions except where required by law.

Primary contact: [NAME, TITLE, PHONE, EMAIL].
11) General Media Statement (when statute requires media notice)
[City, State] — [COMPANY_NAME] detected a data security incident on [DISCOVERY_DATE]. We have notified affected individuals, law enforcement, and regulators as required. The incident may have involved [DATA_TYPES]. We are offering [CM_DURATION] of complimentary credit monitoring via [CREDIT_MONITORING_VENDOR]. Consumers with questions can contact [CONTACT_CHANNELS].
12) Law-Enforcement Delay Request (for your records)
To: [AGENCY / OFFICIAL NAME]
Re: Request to Delay Breach Notifications Concerning [EVENT_ID]

Pursuant to applicable law, we request written confirmation that immediate notification to individuals/regulators would impede an investigation or harm national security. Please specify the requested delay period and scope.

Contact: [NAME, TITLE, PHONE, EMAIL].

Signed,
[AUTHORIZED SIGNER]
Who must be notified, by scenario:
| Scenario | Individuals | Regulator | Media | Notes |
|---|---|---|---|---|
| General consumer data (multi-state) | Yes | Often State AG / consumer affairs (thresholds vary) | Sometimes (state-specific) | Use plain language; some states require credit monitoring if SSN involved. |
| California residents | Yes (plain headings) | AG gets sample if ≥500 residents; from 2026, 30-day deadline | Sometimes | Follow “Notice of Data Breach” format. |
| HIPAA unsecured PHI | Yes (≤60 days) | HHS/OCR (timing depends on count) | Yes if ≥500 residents of a state/jurisdiction | BA must notify Covered Entity promptly. |
| Financial institutions (GLBA/Safeguards) | Maybe (under state laws) | FTC ≤30 days if ≥500 consumers | No | Report content per §314.4(j). |
| PHR apps (FTC HBNR) | Yes | FTC | Yes if ≥500 residents of a jurisdiction | Applies outside HIPAA. |
| Public company (SEC) | N/A | SEC (Form 8-K Item 1.05) | Public filing | 4 business days after materiality determination. |
If SSNs were exposed, several states require no-cost credit monitoring in the notice package (e.g., MA ≥18 months; CT ≥24 months). Use the fields [CM_DURATION] and [CREDIT_MONITORING_VENDOR] in applicable templates.
- Massachusetts (MA): offer ≥18 months (≥42 months if the breached entity is a consumer reporting agency); include enrollment information in the notice; regulators also receive specific details.
- Connecticut (CT): offer ≥24 months for SSN/TIN breaches; notify the AG; 60-day outer limit (unless shorter under federal law); provide clear sign-up instructions and the coverage horizon date.
Operational checklist:
- 🗂️ Build state-by-state addenda (deadlines, AG contacts, media thresholds).
- 🕒 Track legal clocks per regime; stop the clock only with a documented law-enforcement delay.
- ✉️ Keep proof of delivery: mail certificates, email logs, website postings, hotline recordings.
- 🔐 Offer credit monitoring where required; pre-negotiate vendor contracts.
- 🧪 Recordable decisions: harm tests, materiality assessments, encryption status.
- 📣 Prepare FAQs and call scripts that mirror the letter content.
- 📜 Preserve investigation artifacts for regulators and potential litigation.
Sample FAQ and call-script answers (mirror the letter content):
- How did this happen? We investigated an unauthorized access event on [DISCOVERY_DATE] and contained it on [CONTAINMENT_DATE].
- What information was involved? Potentially [DATA_TYPES]. We will notify you if we identify additional details.
- Am I at risk of identity theft? Risk varies by data type. We recommend credit monitoring, fraud alerts, and vigilance.
- Is my password safe? If credentials were involved, we reset passwords and recommend enabling MFA.
- What credit monitoring is offered? [CM_DURATION] via [CREDIT_MONITORING_VENDOR], at no cost, with enrollment by [ENROLL_DEADLINE].
- Did you notify regulators? Yes, where required (e.g., HHS, FTC, State AGs, SEC for public companies).
- Will you pay for identity restoration? Yes, if part of the monitoring package. See enrollment materials.
- How will I get updates? We’ll post updates at [STATUS_URL] and on our hotline [CONTACT_CHANNELS].
- Can I opt out of letters? Legal notice is required by law; however, preferences for future communications can be managed at [PREF_URL].
- Where can I learn more? Federal/State resources on credit freezes, fraud alerts, and identity protection are linked on [RESOURCE_URL].
Legal quick reference:
- HIPAA/HITECH 45 C.F.R. §§164.400–414: notify individuals ≤60 days; HHS timing varies by count; media if ≥500 residents of a state/jurisdiction; BA→CE notice.
- FTC Safeguards Rule 16 C.F.R. Part 314: notify the FTC ≤30 days of discovery if ≥500 consumers’ information is involved.
- FTC Health BNR 16 C.F.R. Part 318: PHR vendors (non-HIPAA) notify consumers, FTC, and media for ≥500 residents.
- SEC 8-K Item 1.05: disclose material cyber incidents within 4 business days after the materiality determination.
- State laws: all U.S. states, DC, and the territories require consumer notice; some require AG notice and credit monitoring (e.g., MA ≥18 months; CT ≥24 months). California adds a standardized format and (effective 2026-01-01) a 30-day deadline.
Important: This pack provides operational templates and general information. It does not constitute legal advice and does not create an attorney-client relationship. Data breach laws vary and evolve quickly. Consult qualified counsel about your facts, sector, and jurisdictions before sending notices.
