What must the notice say?
The notice must contain the appropriate elements given the facts involved. To be helpful to the recipient, the notice must contain, at a minimum, a clear indication of what happened, what specifically is at risk, and what the recipient can or should consider doing to protect themselves. The Office of Information Security has published a Statewide Information Management Manual (SIMM) document entitled SIMM 5340-C – Requirements to Respond to Incidents Involving a Breach of Personal Information (PDF).
SIMM 5340-C outlines the notification requirements for state agencies, and provides additional instructions and guidance to state agencies in the handling of security incidents involving personal information. State agencies are strongly encouraged to read through SIMM 5340-C in advance of an incident, so they are more prepared to respond to an incident involving personal information if encountered by their agency. The SIMM 5340-C is available on the Statewide Information Management Manual (SIMM) page.