APPENDIX I: Sample Breach Notice: User Name or E-Mail Address

[Agency Letterhead] [Date]

[Addressee] [Mailing Address]

[City] [State] [Zip Code] [Salutation]

Subject: NOTICE OF DATA BREACH

What Happened? / [Describe what happened in general terms, see example below]
We are writing to you because of a recent security incident that occurred on [date of incident] at [name of organization] involving the Online Information Sharing Portal (OISP). Our security systems detected an abnormally large number of attempts to access OISP user accounts. The computer-generated password-guessing activity was designed to randomly guess user password combinations until account access is ultimately achieved. Further investigation revealed that some user account passwords were successfully guessed before the activity was detected and blocked.
What Information Was Involved? / [Describe what specific notice-triggering data element(s) were involved, see example below].
Please note, the information was limited to your user identification (email address), password and security questions for your OISP online account. This incident did not involve the compromise of or access to any other information, such as Social Security number, Driver's License number, or financial account numbers which could expose you to identity theft. However, if you use the same user identification, password and/or security question for any other online accounts, those may be at risk.
What We Are Doing: / [Note apology and describe what steps your agency is taking, has taken, or will take, to investigate the breach, mitigate any losses, and protect against any further breaches, see example below]
We regret that this incident occurred and want to assure you that we have implemented additional security controls to minimize the risk associated with this occurrence and the risk of recurrence. These include prompting all system users to update their profile and reset their passwords and security questions, implementing automated validation at password creation to ensure the use of unique, hard-to-guess passwords, and establishing limits on the number of failed attempts to access your account.
What You Can Do: / To protect against unauthorized access and use of your online account(s), we recommend, if you haven't already done so, that you immediately change your password and security questions. Choose a unique, hard-to-guess password for each of your online accounts and always look for and report unusual activity in your accounts. A hard-to-guess password contains at least eight characters and is a combination of upper and lower case letters, numbers and special characters.
Other Important Information: / Enclosure "Breach Help – Consumer Tips from the California Attorney General".
For More Information: / For more information about online protections, you may visit the Web site of the California Department of Justice, Privacy Enforcement and Protection at
Agency Contact: / Should you need any further information about this incident, please contact [name of the designated agency official or agency unit handling inquiries] at [toll-free phone number].

[Signature of State Entity Head or Delegate] [Title] California Information Security Office

Requirements to Respond to Incidents Involving a Breach of Personal Information

SIMM 5340-C


June 2016