NOTICE OF DATA BREACH Customer Name Street Address City, State Zip Reference Number 2020-3523 Date Impacted Principal Owner first and last name: Over the last several weeks, our company has worked closely with the U.S. Treasury and Small Business Administration (SBA) to process more than 305,000 Paycheck Protection Program (PPP) loan applications with the SBA, providing more than $25 billion in financial relief for small businesses in need. We are writing to advise you that in preparation for submission of loan applications to the SBA, Bank of America (the Bank) uploaded some clients’ loan applications to a limited access, controlled SBA test application platform. This platform was designed to allow authorized lenders to test the process for submitting PPP applications to the SBA prior to the actual submission process. During testing, we discovered information included in your application may have been visible for a limited time period to a limited number of other lenders and their vendors authorized by the SBA to participate in the program. There is no indication that your information was viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time. This did not affect the actual submission of PPP loan applications to the SBA. Below we provide more detailed information for you, and respond to questions you may have. WHAT HAPPENED: • • • • • • Authorized lenders are required to submit loan applications to the SBA through the SBA’s loan application platform. On April 22, the Bank uploaded some clients’ loan application information to the SBA’s test application platform, which authorized lenders and their vendors also use to test their loan submission processes. We quickly recognized other authorized lenders and their vendors may have had the ability to view the applicant information we uploaded. It is critical to note that there is no indication that any of the participating lenders or their vendors viewed or misused your information. The Bank requested and confirmed the removal of the information from the SBA’s test website the same day. There was no impact to the submission of your loan application to the SBA. WHAT INFORMATION WAS INVOLVED: The information that may have been briefly visible to limited authorized lenders and their vendors included business contact and business information about the company of which you are a principal owner, such as business address and tax identification number (TIN). As a principal owner, personal information about you, such as your name, address, Social Security Number, phone number, email address and citizenship may have been involved. WHAT WE ARE DOING: Keeping your information confidential is one of our most important responsibilities. We are notifying you so we may work together to protect your personal and business information. We have taken the following precautions: • • We conducted our own internal investigations to protect and minimize any financial impact to you. As an additional measure of protection, Bank of America has arranged for a complimentary twoyear membership in an identity theft protection service provided by Experian IdentityWorksSM. You will not be billed for this service. This product provides you with identity detection which includes daily monitoring of your credit reports from the three national credit reporting companies (Experian, Equifax® and TransUnion®), internet surveillance, and resolution of identity theft. This service will expire at the conclusion of the complimentary period and will not automatically renew. Any renewal of service elected by the customer is paid for by the customer and done directly through Experian IdentityWorksSM. Bank of America has no involvement with respect to any offers, products or services from or through Experian IdentityWorksSM that the customer may choose to enroll in beyond the complimentary membership. To learn more about the complimentary membership and enroll, go to https://www.experianidworks.com/bac/ enter your activation code and complete the secure online form. You will need to enter the activation code provided below to complete enrollment. If you prefer to enroll by phone, please call Experian IdentityWorksSM at 866.617.1920. Experian IdentityWorksSM Web Site: https://www.experianidworks.com/bac/ Your Activation Code: Activation Code You Must Enroll By: Expiration Date Engagement number: WHAT YOU CAN DO: We recommend you take the following additional precautions to protect your personal and account information: • • • Please promptly review your credit reports and account statements over the next 12 to 24 months and notify us of any unauthorized transactions or incidents of suspected identity theft related to your accounts with the Bank (refer to tips on back of this letter). Enroll in the Credit Monitoring Service offered above. Refer to the enclosed “Important tips on how to protect personal information” for additional precautions you can take. FOR MORE INFORMATION: If you have any questions regarding this incident or your accounts, please contact the Bank’s dedicated Privacy Response Unit toll-free at 1.800.252.2867. We are here to help and assist you during this process. Sincerely, Privacy Response Unit (PRU) ENC: Important tips on how to protect personal information Important tips on how to protect personal information We recommend that you take the following precautions to guard against the disclosure and unauthorized use of your account and personal information: • • • • • • • • • • Review your monthly account statements thoroughly and report any suspicious activity to us. Report lost or stolen checks, credit or debit cards immediately. Never provide personal information over the phone or online unless you have initiated the call and know with whom you are speaking. Do not print your driver’s license or Social Security number on checks. Safeguard ATM, credit and debit cards. Memorize PINs (personal identification numbers) and refrain from writing PINs, Social Security numbers or credit card numbers where they could be found. Store cancelled checks, new checks and account statements in a safe place. Reduce the amount of paper you receive containing personal information. Sign up for online statements, direct deposit and pay bills online. Tear up or shred any pre-approved credit offers to which you do not respond. As a general best practice, we recommended that you change (and regularly update) existing passwords and PIN numbers and monitor all your account(s) including any additional account(s) you may have with other financial institutions to prevent or detect the occurrence of any unauthorized/fraudulent activity. Review your credit report at least once every year. Make sure all information is up to date and accurate, and have information relating to fraudulent transactions deleted. For a free copy of your credit bureau report, contact annualcreditreport.com or call 1.877.322.8228. For more information about guarding your account and personal information, as well as our online practices, please visit our Web site www.bankofamerica.com/privacy. Reporting Fraud If you think you have been a victim of identity theft or fraud, contact one of the three major credit bureaus to place a fraud alert on your account. A fraud alert will prevent new credit accounts from being opened without your permission. Equifax 1.800.525.6285 P.O. Box 740241 Atlanta, GA 30374-0241 www.equifax.com Experian 1.888.397.3742 P.O. Box 9532 Allen, TX 75013 www.experian.com TransUnion 1.800.680.7289 P.O. Box 6790 Fullerton, CA 92834-6790 www.transunion.com Also contact the Federal Trade Commission (FTC) to report any incidents of identity theft or to receive additional guidance on steps you can take to protect against identity theft. Visit the FTC ID Theft Web site at http://www.consumer.gov/idtheft/ or call 1.877.438.4338. Your Bank of America Accounts Report fraudulent activity on your Bank of America accounts or within Online Banking: 1.800.432.1000.