Data Breach Notice & Free Credit Monitoring Demand (Free Template + State Tiers)
A company you trusted with your Social Security number, card, or login got breached — and you got a vague "we take your privacy seriously" email, or nothing at all. Every state has a breach-notification law that says exactly what they owe you, and several force the company to pay for credit monitoring when your SSN was exposed. This letter demands the full statutory notice and that protection in writing.
the letter
Copy, customize, send.
[Your Full Name]
[Address]
[City, State ZIP]
[Phone] [Email]
[Date]
[Company Legal Name — Attn: Privacy Officer / Data Protection Officer / Legal Department]
[Company Address]
cc: [Office of the State Attorney General — Consumer Protection Division, if your state required AG notice for this breach]
Sent via certified mail, return receipt requested
Re: Demand for Statutory Data-Breach Notice and Free Credit Monitoring — [Breach name or "your [Month Year] data security incident"]
To the Privacy Officer / Legal Department:
I am a [customer / account holder / former customer / applicant] of [Company]. I have learned that my personal information held by [Company] was, or may have been, exposed in a data-security breach [discovered / disclosed / reported on or about [Date]]. [Describe how you learned of it: "I received a notice dated [Date]" / "I read [Company]'s public statement of [Date]" / "I was notified by a third-party monitoring service" / "my information appeared in [breach database / news report]."]
Account / exposure details:
• My account or relationship: [account number, member ID, email on file, or last 4 of card]
• Personal information I believe was exposed: [Social Security number / driver's license or state ID number / financial account or card number + access code / username + password / medical or health-insurance information / date of birth / other]
• Notice received from [Company]: [None to date / a notice dated [Date], copy attached]
This letter makes three demands under my state's data-breach-notification law: (1) the complete, statutorily-required breach notice if you have not already provided it; (2) free credit monitoring or identity-theft protection for the period my state requires; and (3) written confirmation of what was exposed and what you have done to secure it.
Legal basis:
[Pick the tier and the cite that match your state — strike the rest. Every U.S. state has a breach-notification law, so the default tier applies even if your state is not listed.]
[TIER A — Your state MANDATES free credit monitoring / identity-theft protection when a Social Security number was exposed]
Because the breach exposed my Social Security number [or taxpayer ID], my state's law requires you to offer me credit monitoring or identity-theft protection services at no cost:
• California — Cal. Civ. Code § 1798.82(d)(2)(G): if the notifying business "was the source of the breach," it must include "an offer to provide appropriate identity theft prevention and mitigation services ... at no cost to the affected individual for not less than 12 months" where the breach exposed an SSN or driver's license / California ID number.
• Connecticut — Conn. Gen. Stat. § 36a-701b(b)(2)(B): you must "offer ... appropriate identity theft prevention services and, if applicable, identity theft mitigation services ... at no cost ... for a period of not less than two years" (24 months).
• Delaware — 6 Del. C. § 12B-102(e): you "shall offer ... credit monitoring services at no cost ... for a period of 1 year."
• Massachusetts — M.G.L. c. 93H § 3A(a): you must "contract with a third party to offer ... credit monitoring services at no cost ... for a period of not less than 18 months" (42 months if you are a consumer reporting agency). Under § 3A(b) you may not condition that offer on my waiver of any private right of action.
I demand that you enroll me, or send me the activation code and instructions to enroll myself, in such services for the full statutory period.
[TIER B — Your state mandates the breach NOTICE and its required contents (and, in some, a private right of action or a reasonable-security duty)]
Under my state's breach-notification statute, you must provide me a notice in the most expedient time possible and without unreasonable delay [or within your state's hard deadline], and that notice must contain the specific items the statute lists:
• California — Cal. Civ. Code § 1798.82 (as amended eff. Jan. 1, 2026): notice within 30 calendar days of discovery, and § 1798.82(d)(2) requires the notice to state the name and contact information of the reporting business, the types of personal information breached, the date or estimated date range of the breach, a general description of the incident, and — where an SSN or driver's license / ID number was exposed — the toll-free numbers and addresses of the major credit reporting agencies. Separately, Cal. Civ. Code § 1798.150 gives me a private right of action with statutory damages of "not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater," if this breach resulted from your failure "to implement and maintain reasonable security procedures and practices."
• New York (SHIELD Act) — N.Y. Gen. Bus. Law § 899-aa(7): the notice must include your contact information, "the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention and protection information," and a description of the categories of information acquired. N.Y. Gen. Bus. Law § 899-bb separately required you to maintain "reasonable safeguards" to protect my information.
• Illinois (PIPA) — 815 ILCS 530/10: notice "in the most expedient time possible and without unreasonable delay," including the toll-free numbers and addresses for the consumer reporting agencies, the toll-free number, address, and website for the Federal Trade Commission, and "a statement that the individual can obtain information from these sources about fraud alerts and security freezes." 815 ILCS 530/45 required you to "implement and maintain reasonable security measures."
• Florida — Fla. Stat. § 501.171(4): individual notice "as expeditiously as practicable and without unreasonable delay ... but no later than 30 days" after you determined a breach occurred.
• Texas — Tex. Bus. & Com. Code § 521.053(b): notice "without unreasonable delay and in each case not later than the 60th day after the date on which [you] determine[d] that the breach occurred."
[TIER C — Default: every other state]
Every U.S. state — and the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands — has a data-breach-notification statute requiring a company that owns or licenses computerized personal information to notify affected residents after a breach, without unreasonable delay, and to include specified contents (the categories of information exposed, the date or date range, the company's contact information, and resources for protecting against identity theft). Under [your state's breach-notification statute — see your Attorney General's website], I am entitled to that notice in full, and I request that you provide free credit monitoring as the standard remedy for an SSN exposure.
Demand:
Within [30] days of receipt of this letter, please provide all of the following in writing:
1. The complete statutory breach notice, including every content element my state's law requires (above), if you have not already sent it;
2. A plain statement of exactly which of my personal data elements were exposed, the date or date range of the breach, and when you discovered it;
3. Enrollment — or an activation code and instructions for me to enroll — in free credit monitoring or identity-theft protection for the full period my state requires [12 / 18 / 24 months], at no cost to me and with no waiver of any legal claim as a condition;
4. Confirmation of the remediation steps you have taken to secure my information and prevent recurrence;
5. Confirmation of whether you notified my state Attorney General [or other required regulator], and the date you did so.
If you do not, I will:
• File a complaint with my state Attorney General's Consumer Protection Division and with the Federal Trade Commission at reportfraud.ftc.gov / IdentityTheft.gov;
• Pursue any statutory remedy available to me, including [California consumers: a private action under Civ. Code § 1798.150 for statutory damages of $100–$750 per incident; other states: the penalties and enforcement provided by my state's breach-notification and consumer-protection statutes];
• Place a security freeze on my credit files and document this breach as the cause of any resulting fraud.
I have already taken protective steps on my own. Nothing in this letter should be read as a waiver of any right or claim.
Sincerely,
[Your Signature]
[Your Printed Name]
Enclosures: [copy of any breach notice you received; copy of an account statement or ID confirming your relationship with the company; any correspondence to date]

This template is for informational use only. It is not legal advice and does not create an attorney-client relationship. Square-bracketed placeholders must be replaced with your specific facts. State law and procedural details vary; if your situation is urgent, complicated, or high-stakes, email info@imfrustrated.org for a free conversation with a volunteer attorney before you send it.
how to use it
A few things before you send.
1. Send by certified mail with return receipt requested to the company's privacy officer, data protection officer, or legal department (check the breach notice or the company's privacy policy for the address). The return receipt proves delivery and the date — which matters because most breach statutes run their deadlines from the date the company discovered or determined the breach, and your letter documents that the clock is running.
2. Pin down which data elements were exposed before you pick your tier. The single biggest lever is whether your Social Security number (or, in some states, your taxpayer ID or driver's license number) was in the breach. SSN exposure is what triggers the mandatory free-credit-monitoring statutes in California, Connecticut, Delaware, and Massachusetts. If only an email and password leaked, you are still owed notice everywhere, but the monitoring mandate may not apply.
3. Pick your state tier by where YOU live, not where the company is headquartered — breach-notification laws protect the resident. Tier A (CA, CT, DE, MA) forces free monitoring for SSN breaches for a set period (12/24/12/18 months respectively). Tier B (CA, NY, IL, FL, TX and most others) guarantees a detailed notice and, in California, a private right of action with $100–$750 statutory damages. Tier C is the everywhere-else default — every state has a law, so you always have leverage.
4. Highest-leverage move for Californians: cite Civ. Code § 1798.150. It is the only consumer breach statute in the country with built-in statutory damages of $100–$750 per consumer per incident with no proof of actual harm required — which is exactly why companies settle California breach claims. Even quoting it in a demand letter signals you know the company's real exposure.
5. Do not wait on the company to fix this for you — place a free credit freeze with all three bureaus (Equifax, Experian, TransUnion) the same week you send this letter. The freeze is the single most effective protection against new-account fraud, it is free under federal law, and demanding monitoring from the company is a complement to the freeze, not a substitute. The top mistake is treating the company's monitoring offer as enough; monitoring only tells you after fraud happens, while a freeze prevents it.
what the law actually says
Why this letter works.
There is no single comprehensive federal law that tells an ordinary consumer what a breached company owes them. Instead, every U.S. state — plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands — has its own data-breach-notification statute, with Alabama becoming the last state to enact one in 2018 (Alabama Data Breach Notification Act of 2018, Ala. Code § 8-38-1 et seq.). These laws share a common spine: a business that owns or licenses computerized personal information must, after discovering a breach, notify each affected resident; it must do so without unreasonable delay (and, increasingly, within a hard deadline); and the notice must contain specified contents so the consumer can protect themselves. The laws diverge on three things that decide how much leverage you have: the deadline, the required contents, and whether the company must affirmatively pay for credit monitoring. Because the protections run to the resident, you apply the law of the state where you live, regardless of where the company is based.
California is the doctrinal anchor and the highest-leverage jurisdiction. The notification duty lives in Cal. Civ. Code § 1798.82, which was significantly amended by SB 446 effective January 1, 2026: it now requires disclosure of a breach within 30 calendar days of discovery (replacing the older "most expedient time possible" standard), and § 1798.82(d)(2) enumerates exactly what the notice must contain — the reporting business's name and contact information, the types of personal information breached, the date or estimated date range of the breach, a general description of the incident, and, where an SSN or driver's license / California ID number was exposed, the toll-free numbers and addresses of the major credit reporting agencies. Critically, § 1798.82(d)(2)(G) requires a business that "was the source of the breach" to include "an offer to provide appropriate identity theft prevention and mitigation services ... at no cost to the affected individual for not less than 12 months" when an SSN or driver's license / ID number was exposed. (Note the parallel statute for government agencies, Cal. Civ. Code § 1798.29, imposes the notice duty but does NOT contain that credit-monitoring offer — that obligation is unique to the business statute.) Layered on top, the CCPA's private right of action, Cal. Civ. Code § 1798.150, lets a consumer whose nonencrypted, nonredacted personal information is breached "as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices" recover statutory damages of "not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater." That no-actual-harm-required damages floor is what makes California breach claims settle.
Four states force the company to pay for monitoring when an SSN is exposed, and the period varies. Massachusetts, M.G.L. c. 93H § 3A(a), requires the breached entity to "contract with a third party to offer ... credit monitoring services at no cost ... for a period of not less than 18 months" — and 42 months if the breaching entity is itself a consumer reporting agency — and § 3A(b) bars conditioning that offer on the consumer waiving a private right of action. Connecticut, Conn. Gen. Stat. § 36a-701b, requires "appropriate identity theft prevention services and, if applicable, identity theft mitigation services ... at no cost ... for a period of not less than two years" (24 months) for breaches involving an SSN or taxpayer ID, and caps notice at 60 days. Delaware, 6 Del. C. § 12B-102, requires an offer of "credit monitoring services at no cost ... for a period of 1 year" for SSN breaches, also with a 60-day notice cap. And California's § 1798.82(d)(2)(G), above, sets a 12-month floor. If you live in one of these four and your SSN was in the breach, the company owes you this protection by statute — not as a courtesy.
Everywhere else, you still get a detailed notice and, often, an enforceable reasonable-security duty — but you usually have to ask for monitoring rather than demand it. New York's SHIELD Act, N.Y. Gen. Bus. Law § 899-aa(7), requires the notice to include the company's contact information, "the telephone numbers and websites of the relevant state and federal agencies that provide information regarding security breach response and identity theft prevention," and a description of the categories of information acquired; companion § 899-bb requires businesses to maintain "reasonable safeguards." Illinois's Personal Information Protection Act, 815 ILCS 530/10, requires notice "in the most expedient time possible and without unreasonable delay" with the consumer reporting agencies' and the FTC's contact details and "a statement that the individual can obtain information from these sources about fraud alerts and security freezes," while 815 ILCS 530/45 requires "reasonable security measures." Florida (Fla. Stat. § 501.171(4)) imposes a 30-day notice deadline and Texas (Tex. Bus. & Com. Code § 521.053(b)) a 60-day deadline, both with Attorney General notification for larger breaches (500+ residents in Florida, 250+ in Texas). For any state not specifically named here, the default holds: there is a statute, it requires notice with protective contents, and your state Attorney General's office is the enforcement channel.
state variations
What changes by state.
Not a comprehensive list. Confirm your state’s current statute before sending.
- California (Tier A + private right of action)
  - Cal. Civ. Code § 1798.82 (amended eff. Jan. 1, 2026): 30-day notice deadline + enumerated contents in § 1798.82(d)(2). § 1798.82(d)(2)(G): if the business was the source of the breach, free identity-theft prevention/mitigation services for not less than 12 months when SSN/driver's license/CA ID was exposed. § 1798.150: private right of action, statutory damages $100–$750 per consumer per incident, for breaches caused by failure to maintain reasonable security. (Agency statute § 1798.29 imposes notice but no monitoring offer.)
- Connecticut (Tier A)
  - Conn. Gen. Stat. § 36a-701b. Notice without unreasonable delay, not later than 60 days. § 36a-701b(b)(2)(B): for SSN or taxpayer-ID breaches, appropriate identity-theft prevention (and, if applicable, mitigation) services at no cost for not less than two years (24 months). Strengthened by P.A. 18-90, eff. Oct. 1, 2018.
- Delaware (Tier A)
  - 6 Del. C. § 12B-102. Notice not later than 60 days (§ 12B-102(c)). § 12B-102(e): for breaches including an SSN, offer credit monitoring at no cost for 1 year. Enacted by HB 180 (81 Del. Laws c. 129), eff. Apr. 14, 2018.
- Massachusetts (Tier A)
  - M.G.L. c. 93H § 3 (notice "as soon as practicable and without unreasonable delay"). § 3A(a): for SSN breaches, contract to offer free credit monitoring for not less than 18 months (42 months if the breaching entity is a consumer reporting agency); § 3A(b) bars conditioning the offer on waiver of claims. 201 CMR 17.00 requires a written information security program.
- New York (Tier B)
  - SHIELD Act. N.Y. Gen. Bus. Law § 899-aa: notice in the most expedient time possible and without unreasonable delay; § 899-aa(7) requires contents including agency phone numbers/websites for breach response and identity-theft protection, plus categories of information acquired. § 899-bb requires reasonable safeguards. No statutory free-monitoring mandate.
- Illinois (Tier B)
  - Personal Information Protection Act. 815 ILCS 530/10: notice in the most expedient time possible and without unreasonable delay, with consumer-reporting-agency and FTC contact info and a statement on fraud alerts and security freezes. 815 ILCS 530/45: reasonable security measures required. (Amended by P.A. 99-503, eff. Jan. 1, 2017.)
- Florida (Tier B)
  - Fla. Stat. § 501.171 (Florida Information Protection Act). Individual notice as expeditiously as practicable and without unreasonable delay, no later than 30 days (§ 501.171(4)(a)). Attorney General notice for breaches affecting 500+ Florida residents (§ 501.171(3)(a)).
- Texas (Tier B)
  - Tex. Bus. & Com. Code § 521.053 (Identity Theft Enforcement and Protection Act). Notice without unreasonable delay, not later than the 60th day after determination (§ 521.053(b)); AG notification for breaches involving 250+ Texas residents (§ 521.053(i)). 60-day deadline + AG rule added by HB 3746, eff. Sep. 1, 2021.
- All other states (default)
  - Every U.S. state plus D.C., Puerto Rico, Guam, and the U.S. Virgin Islands has a breach-notification statute (Alabama was last, Ala. Code § 8-38-1 et seq., 2018). All require notice to affected residents without unreasonable delay with protective contents; enforcement runs through your state Attorney General. Request free credit monitoring as the standard remedy for an SSN exposure even where it is not separately mandated.
if this doesn’t work
Your next move.
If the company stonewalls, escalate on three tracks at once. First, file a complaint with your state Attorney General's Consumer Protection Division — breach statutes are AG-enforced, and many breaches already trigger mandatory AG notification (500+ residents in Florida, 250+ in Texas), so your complaint lands where the company is already on the regulator's radar. File in parallel with the FTC at reportfraud.ftc.gov and use IdentityTheft.gov to generate a recovery plan and FTC Identity Theft Report. Second, if you are a California resident, the CCPA private right of action (Civ. Code § 1798.150) is genuinely viable: statutory damages of $100–$750 per consumer per incident with no proof of actual harm, which is why plaintiffs' firms file these as class actions — you can join one or, after giving the business the 30-day cure notice the statute requires, pursue your own claim. Third, in mandatory-monitoring states (CA, CT, DE, MA), a company's refusal to provide the statutorily-required free monitoring is itself a violation you can hand to the AG. Watch the clock: deadlines to sue vary by state (commonly 2–4 years), but the practical urgency is fraud — freeze your credit now, because the statute of limitations on the breach claim is far less important than stopping a new account from being opened in your name this month.
questions people ask
FAQ.
The company only sent a vague "we take your privacy seriously" email. Is that a legal breach notice?
Probably not. State breach-notification laws require specific contents — the categories of personal information exposed, the date or date range of the breach, the company's contact information, and resources for protecting against identity theft (and in some states, agency contact details). A generic reassurance email that omits these does not satisfy the statute. Your letter demands the complete notice with every element your state's law lists, citing the specific subdivision (e.g., Cal. Civ. Code § 1798.82(d)(2), 815 ILCS 530/10, or N.Y. Gen. Bus. Law § 899-aa(7)).
Does the company have to give me free credit monitoring?
It depends on your state and whether your Social Security number was exposed. Four states mandate it for SSN breaches: California (12 months, Civ. Code § 1798.82(d)(2)(G), when the company was the source of the breach), Massachusetts (18 months, c. 93H § 3A, or 42 months if the company is a credit bureau), Connecticut (24 months / two years, § 36a-701b), and Delaware (1 year, 6 Del. C. § 12B-102(e)). In other states it is not separately mandated, but demand it anyway — many companies provide it voluntarily, and your request creates a record if you later need to show you were harmed.
Should I file a complaint with the state Attorney General or just send this letter?
Do both, but the letter first. Breach-notification laws are enforced by state Attorneys General, not by a private agency you complain to, so the AG complaint is the real escalation lever. But a documented certified-letter demand that goes unanswered makes your AG complaint far stronger — it shows you gave the company a chance to comply. For larger breaches the company was already required to notify the AG (500+ residents in Florida, 250+ in Texas), so your complaint connects to an existing file.
I live in California. Can I actually sue and get money?
If the breach exposed your nonencrypted, nonredacted personal information and resulted from the company's failure to maintain reasonable security, yes — Cal. Civ. Code § 1798.150 provides statutory damages of $100 to $750 per consumer per incident, or your actual damages if greater, with no requirement to prove you lost money. The statute requires giving the business written notice and a 30-day opportunity to cure before seeking statutory damages for the violation, which is part of why a demand letter matters. Most of these are filed as class actions, but the individual leverage is real and is why companies settle.
What should I do RIGHT NOW, before the company even responds?
Place a free security freeze on your credit files with all three bureaus (Equifax, Experian, TransUnion) — it is free under federal law and is the single most effective protection against someone opening a new account in your name. Then set fraud alerts, change passwords on the affected and any reused accounts, and start a folder with the breach notice, dates, and copies of everything. The credit freeze prevents fraud; the company's monitoring only alerts you after the fact, so the freeze comes first regardless of what the company offers.
Nervous about sending it yourself?
we’ll read it over with you.
Email the situation and a volunteer attorney will respond. No commitment, no invoice, no judgment — just an honest second pair of eyes from someone who actually understands the law.
info@imfrustrated.org