
Jeffrey J. Boogay
Office: (267) 930-4784
Fax: (267) 930-4771
Email: [email protected]

426 W. Lancaster Avenue, Suite 200
Devon, PA 19333

October 10, 2022

VIA E-MAIL

Office of the Attorney General of Iowa
Consumer Protection Division
Security Breach Notifications
1305 E. Walnut Street
Des Moines, Iowa 50319-0106
E-mail: [email protected]

Re: Notice of Data Event

Dear Sir or Madam:

We represent Linn-Mar Community School District (“Linn-Mar”) located at 2999 N. Tenth Street,
Marion, IA 52302, and are writing to notify your office of an incident that may affect the security
of certain personal information relating to approximately five thousand six hundred and
ninety-eight (5,698) Iowa residents. This notice will be supplemented with any new significant facts
learned subsequent to its submission. By providing this notice, Linn-Mar does not waive any
rights or defenses regarding the applicability of Iowa law, the applicability of the Iowa data event
notification statute, or personal jurisdiction.

Nature of the Data Event

On or around July 31, 2022, Linn-Mar identified unusual activity on certain systems in the
environment. Linn-Mar quickly disconnected these systems and commenced an extensive
investigation to determine the nature and scope of the activity. Linn-Mar also promptly reported
this event to federal law enforcement. Through the investigation, Linn-Mar determined that an
unknown actor gained access to certain systems and conducted activity on those systems between
July 26, 2022 and August 1, 2022. While Linn-Mar has no evidence of actual or attempted misuse
of any information, Linn-Mar could not rule out the possibility of access to current and former
employee data present in the affected systems. Therefore, Linn-Mar undertook a lengthy and
labor-intensive process to identify what information was contained therein and to whom it related. On
or around September 20, 2022, Linn-Mar completed this review. No student data was impacted as
a result of this event, as student data is stored on a third-party system that was not affected. The
information that could have been subject to unauthorized access includes name, and Social
Security number.

Notice to Iowa Residents

On or about October 7, 2022, Linn-Mar provided written notice of this incident to five thousand
six hundred and ninety-eight (5,698) Iowa residents. Written notice is being provided in
substantially the same form as the letter attached here as Exhibit A.

Other Steps Taken and To Be Taken

Upon discovering the event, Linn-Mar moved quickly to investigate and respond to the incident,
assess the security of Linn-Mar systems, and identify potentially affected individuals. Further,
Linn-Mar notified federal law enforcement regarding the event. Linn-Mar is also working to
implement additional safeguards and training to its employees. Linn-Mar is providing access to
credit monitoring services for 12 months through IDX, to individuals whose personal information
was potentially affected by this incident, at no cost to these individuals.

Additionally, Linn-Mar is providing impacted individuals with guidance on how to better protect
against identity theft and fraud. Linn-Mar is providing individuals with information on how to
place a fraud alert and security freeze on one’s credit file, information on protecting against tax
fraud, the contact details for the national consumer reporting agencies, information on how to
obtain a free credit report, a reminder to remain vigilant for incidents of fraud and identity theft by
reviewing account statements and monitoring free credit reports, and encouragement to contact the
Federal Trade Commission, their state Attorney General, and law enforcement to report attempted
or actual identity theft and fraud.

Contact Information

Should you have any questions regarding this notification or other aspects of the data security
event, please contact us at (267) 930-4784.

Very truly yours,

Jeffrey J. Boogay of
MULLEN COUGHLIN LLC

JJB/ams
Enclosure
EXHIBIT A

P.O. Box 989728
West Sacramento, CA 95798-9728

To Enroll, Please Call:
1-833-875-0802
Or Visit:
https://response.idx.us/linnmark12
Enrollment Code: <<ENROLLMENT>>

<<FIRST NAME>> <<LAST NAME>>
<<ADDRESS1>>
<<ADDRESS2>>
<<CITY>>, <<STATE>> <<ZIP>>
<<Country>>

October 10, 2022

RE: NOTICE OF <<Variable Text 1>>

Dear <<FIRST NAME>> <<LAST NAME>>:

Linn-Mar Community School District (“Linn-Mar”) writes to inform you of a recent event that may impact the privacy
of some of your information. We are unaware of any attempted or actual misuse of your information at this time, but we
are providing you with this letter as a precaution to inform you of the event, our response, and steps you may take to
protect your information, should you feel it is necessary to do so.

What Happened? On or around July 31, 2022, we identified unusual activity on certain systems in the environment.
We quickly disconnected these systems and commenced an extensive investigation to determine the nature and scope of
the activity. We also promptly reported this event to federal law enforcement. Through the investigation, we determined
that an unknown actor gained access to certain systems and conducted activity on those systems between July 26, 2022
and August 1, 2022. While Linn-Mar has no evidence of actual or attempted misuse of any employee or employee
dependent information, it could not rule out the possibility of access to current and former employee data present in the
affected systems. Therefore, Linn-Mar undertook a lengthy and labor-intensive process to identify what information was
contained therein and to whom it related. On or around September 20, 2022, we completed our review. Please note that
no student data was impacted as a result of this event, as student data is stored on a third-party system.

What Information Was Involved? Our review determined that the following information was present in the affected
systems and could have been accessed by the unknown actor: your name, <<Variable Text 2>>. We have no evidence
that any information was subject to actual or attempted misuse.

What We Are Doing. The confidentiality, privacy, and security of information within our care is among Linn-Mar’s
highest priorities. Upon learning of the event, we took immediate steps to secure our environment and investigate the
activity. We commenced an investigation that included working with third-party forensic specialists to understand the
nature and scope of the event. We also notified federal law enforcement about this event and are cooperating with their
investigation. As part of our ongoing commitment to the security of information, we are also reviewing and improving
existing policies and procedures.

Although we do not have any evidence of identity theft or fraud as a result of this incident, we are offering
complimentary credit monitoring and identity restoration services through IDX for <<12/24 months>> as an added
precaution. If you wish to avail yourself of these services, you will need to enroll using the instruction enclosed with this
letter, as we are unable to activate them on your behalf.

What You Can Do. We encourage you to remain vigilant against incidents of identity theft and fraud by reviewing
your account statements and monitoring your free credit reports for suspicious activity and to detect errors over the next
12 to 24 months. We also encourage you to review the enclosed Steps You Can Take to Help Protect Personal
Information, which contains information on what you can do to safeguard against possible misuse of your information.
You may also enroll in the complimentary credit monitoring services we are offering to you.

For More Information. If you have additional questions, you may call our dedicated assistance line at 1-833-875-0802,
available Monday through Friday, from 8:00 a.m. to 8:00 p.m. Central Time (excluding U.S. holidays). You may also
write to Linn-Mar at 2999 N. Tenth Street, Marion, IA 52302.

Sincerely,

Shannon Bisgard
Superintendent
Linn-Mar Community School District

Steps You Can Take to Help Protect Personal Information

Enroll in Credit Monitoring

1. Website and Enrollment. Go to https://response.idx.us/linnmark12 and follow the instructions for enrollment using
your Enrollment Code provided at the top of the letter. Please note the deadline for enrollment is January 10, 2023.

2. Activate the credit monitoring provided as part of your IDX identity protection membership. The monitoring included
in the membership must be activated to be effective. Note: You must have established credit and access to a computer
and the internet to use this service. If you need assistance, IDX will be able to assist you.

3. Telephone. Contact IDX at 1-833-875-0802 to gain additional information about this event and speak with
knowledgeable representatives about the appropriate steps to take to protect your credit identity.

Monitor Your Accounts

Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting
bureaus, Equifax, Experian, and TransUnion. To order your free credit report, visit www.annualcreditreport.com or call,
toll-free, 1-877-322-8228. You may also directly contact the three major credit reporting bureaus listed below to request
a free copy of your credit report.

Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a
1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a
business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of
identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to
place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.

As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will
prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization.
The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your
consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal
and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any
subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the
extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report.
To request a security freeze, you will need to provide the following information:

1. Full name (including middle initial as well as Jr., Sr., II, III, etc.);
2. Social Security number;
3. Date of birth;
4. Addresses for the prior two to five years;
5. Proof of current address, such as a current utility bill or telephone bill;
6. A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
7. A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning
identity theft if you are a victim of identity theft.

Should you wish to place a credit freeze, please contact the three major credit reporting bureaus listed below:

Equifax
https://www.equifax.com/personal/credit-report-services/
888-298-0045
Equifax Fraud Alert, P.O. Box 105069, Atlanta, GA 30348-5069
Equifax Credit Freeze, P.O. Box 105788, Atlanta, GA 30348-5788

Experian
https://www.experian.com/help/
1-888-397-3742
Experian Fraud Alert, P.O. Box 9554, Allen, TX 75013
Experian Credit Freeze, P.O. Box 9554, Allen, TX 75013

TransUnion
https://www.transunion.com/credit-help
833-395-6938
TransUnion Fraud Alert, P.O. Box 2000, Chester, PA 19016
TransUnion Credit Freeze, P.O. Box 160, Woodlyn, PA 19094

Additional Information

You may further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to
protect your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your
state Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW,
Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. The
Federal Trade Commission also encourages those who discover that their information has been misused to file a
complaint with them. You can obtain further information on how to file such a complaint by way of the contact
information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please
note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that
you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and
your state Attorney General. This notice has not been delayed by law enforcement.

For District of Columbia residents, the District of Columbia Attorney General may be contacted at: 400 6th Street, NW,
Washington, DC 20001; 202-727-3400; and oag.dc.gov.

For Maryland residents, the Maryland Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore,
MD 21202; 1-410-528-8662 or 1-888-743-0023; and www.oag.state.md.us.

For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if
information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for
your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit
Reporting Act, the consumer reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information;
consumer reporting agencies may not report outdated negative information; access to your file is limited; you must give
your consent for credit reports to be provided to employers; you may limit “prescreened” offers of credit and insurance
you get based on information in your credit report; and you may seek damages from violators. You may have additional
rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel
have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights
pursuant to the Fair Credit Reporting Act by visiting
www.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600
Pennsylvania Ave. N.W., Washington, D.C. 20580.

For New York residents, the New York Attorney General may be contacted at: Office of the Attorney General, The
Capitol, Albany, NY 12224-0341; 1-800-771-7755; or https://ag.ny.gov/.

For North Carolina residents, the North Carolina Attorney General may be contacted at: 9001 Mail Service Center,
Raleigh, NC 27699-9001; 1-877-566-7226 or 1-919-716-6000; and www.ncdoj.gov.
