National Math and Science Initiative (“NMSI”) - Notification of data incident
EXHIBIT 1
The investigation into this matter is ongoing, and this notice may be supplemented with any new
significant facts learned subsequent to its submission. By providing this notice, National Math
and Science Initiative (“NMSI”), does not waive any rights or defenses regarding the applicability
of Maine law, the applicability of the Maine data event notification statute, or personal jurisdiction.
Nature of the Data Event
On or about October 13, 2021, NMSI discovered unusual activity in its network through its
antivirus software. NMSI moved quickly to secure the network, then began an investigation to
identify what happened and confirm what information may have been affected. Through the
investigation, NMSI determined that between September 23, 2021 and October 18, 2021, an
unauthorized actor may have had access to certain systems. Although there is no evidence of any
actual or attempted misuse of the information stored on the impacted systems, NMSI is providing
notification out of an abundance of caution because they determined on January 6, 2022 that certain
personal information was present on these systems at the time of the incident, and may have been
accessed or acquired.
The information that could have been subject to unauthorized access includes name, address, and
Social Security number.
Notice to Maine Residents
On or about February 7, 2022, NMSI provided written notice of this incident to affected
individuals, which includes fourteen (14) Maine residents. Written notice is being provided in
substantially the same form as the letter attached here as Exhibit A.
Other Steps Taken and To Be Taken
Upon discovering the event, NMSI moved quickly to investigate and respond to the incident,
assess the security of NMSI systems, and notify potentially affected individuals. NMSI is also
working to implement additional safeguards and training to its employees.
Additionally, NMSI is providing impacted individuals with guidance on how to better protect
against identity theft and fraud, including advising individuals to report any suspected incidents of
identity theft or fraud to their credit card company and/or bank. NMSI is providing individuals
with information on how to place a fraud alert and security freeze on one's credit file, the contact
details for the national consumer reporting agencies, information on how to obtain a free credit
report, a reminder to remain vigilant for incidents of fraud and identity theft by reviewing account
statements and monitoring free credit reports, and encouragement to contact the Federal Trade
Commission, their state Attorney General, and law enforcement to report attempted or actual
identity theft and fraud. NMSI is also providing written notice of this incident to other state
regulators, as necessary.
EXHIBIT A
AF6331 v.03
NOTICE OF <>
Dear <>:
National Math and Science Initiative (“NMSI”) is a non‑profit that works with schools and other organizations to help improve
student performance. We are writing to notify you of a recent incident that may affect the privacy of some of your information.
Although we have no evidence of actual or attempted misuse of your information as a result of this incident, this letter provides
details of the incident, our response, and resources available to you to help protect your information from possible misuse, should
you feel it is appropriate to do so.
What Happened? On October 13, 2021, NMSI discovered unusual activity in our network through our antivirus software.
We moved quickly to secure the network, then began an investigation to identify what happened and confirm what information
may have been affected. Through our investigation, we determined that between September 23, 2021 and October 18, 2021, an
unauthorized actor may have had access to certain systems. Although we have no evidence of any actual or attempted misuse
of the information stored on the impacted systems, we are providing you with this notification out of an abundance of caution
because we determined on January 6, 2022 that certain information relating to you was present on these systems at the time of
the incident, and may have been accessed or acquired.
What Information Was Involved? Our investigation determined that the personal information accessible on the impacted
systems includes your name and <>. Please note that, to date, we are unaware of any actual or attempted misuse
of your information as a result of this incident.
What We Are Doing. We take this incident and the security of personal information in our care seriously. Upon learning of
this incident, we moved quickly to investigate and respond to this incident, assess the security of relevant NMSI systems, and
notify potentially affected individuals. Our response included resetting relevant account passwords, reviewing the contents of the
potentially accessed files and folders to determine whether they contained personal information, and reviewing internal systems
to identify contact information for purposes of providing notice to potentially affected individuals. We also notified federal law
enforcement. As part of our ongoing commitment to the security of information we are also reviewing and enhancing existing
policies and procedures to reduce the likelihood of a similar future event.
What You Can Do. We encourage you to remain vigilant against incidents of identity theft and fraud, and to review your account
statements for suspicious activity. You may also review the information contained in the attached Steps You Can Take to Help
Protect Personal Information.
For More Information. We understand that you may have questions about this incident that are not addressed in this letter. If
you have additional questions, please call our dedicated assistance line at 855‑604‑1798 between the hours of 8 a.m. and 8 p.m.
Central Time, Monday ‑ Friday. You may also write to NMSI at 8350 North Central Expressway, Suite M‑2200, Dallas TX, 75206.
We sincerely regret any inconvenience or concern this incident may have caused.
Sincerely,
Bernard A. Harris, Jr.
Chief Executive Officer
Return Mail Processing Center
P.O. Box 6336
Portland, OR 97228-6336
<>
<>
<>
<>
<>
<>
<> <>
<>
<><><>
<>
AF6332 v.03
Steps You Can Take to Help Protect Personal Information
Monitor Your Accounts
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus,
Equifax, Experian, and TransUnion. To order your free credit report, visit www.annualcreditreport.com or call, toll‑free,
1‑877‑322‑8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of
your credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1‑year
alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required
to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled
to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any
one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a
credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is
designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be
aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report
may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new
loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to
place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
1. Full name (including middle initial as well as Jr., Sr., II, III, etc.);
2. Social Security number;
3. Date of birth;
4. Addresses for the prior two to five years;
5. Proof of current address, such as a current utility bill or telephone bill;
6. A legible photocopy of a government‑issued identification card (state driver’s license or ID card, etc.); and
7. A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity
theft if you are a victim of identity theft.
Should you wish to place a credit freeze, please contact the three major credit reporting bureaus listed below:
Equifax Experian TransUnion
https://www.equifax.com/personal/
credit‑report‑services/ https://www.experian.com/help/ https://www.transunion.com/credit‑help
888‑298‑0045 1‑888‑397‑3742 833‑395‑6938
Equifax Fraud Alert, P.O. Box 105069
Atlanta, GA 30348‑5069
Experian Fraud Alert,
P.O. Box 9554, Allen, TX 75013
TransUnion Fraud Alert, P.O. Box 2000,
Chester, PA 19016
Equifax Credit Freeze, P.O. Box 105788
Atlanta, GA 30348‑5788
Experian Credit Freeze,
P.O. Box 9554, Allen, TX 75013
TransUnion Credit Freeze,
P.O. Box 160, Woodlyn, PA 19094
Additional Information
You may further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect
your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your state
Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580;
www.identitytheft.gov; 1‑877‑ID‑THEFT (1‑877‑438‑4338); and TTY: 1‑866‑653‑4261. The Federal Trade Commission also
encourages those who discover that their information has been misused to file a complaint with them. You can obtain further
information on how to file such a complaint by way of the contact information listed above. You have the right to file a police
report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity
theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft
should also be reported to law enforcement and your state Attorney General. This notice has not been delayed by law enforcement.
For District of Columbia residents, the District of Columbia Attorney General may be contacted at: 400 6th Street, NW,
Washington, DC 20001; 202‑727‑3400; and [email protected].
For Maryland residents, the Maryland Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD
21202; 1‑410‑528‑8662 or 1‑888‑743‑0023; and www.oag.state.md.us.
For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information
in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score,
and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer
reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies
may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to
be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your
AF6333 v.03
credit report; and you may seek damages from violator. You may have additional rights under the Fair Credit Reporting Act
not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to
the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting
www.consumerfinance.gov/f/201504_cfpb_summary_your‑rights‑under‑fcra.pdf, or by writing Consumer Response Center,
Room 130‑A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.
For New York residents, the New York Attorney General may be contacted at: Office of the Attorney General, The Capitol,
Albany, NY 12224‑0341; 1‑800‑771‑7755; or https://ag.ny.gov/.
For North Carolina residents, the North Carolina Attorney General may be contacted at: 9001 Mail Service Center, Raleigh, NC
27699‑9001; 1‑877‑566‑7226 or 1‑919‑716‑6000; and www.ncdoj.gov.
For Rhode Island residents, the Rhode Island Attorney General may be reached at: 150 South Main Street, Providence, RI 02903;
www.riag.ri.gov; and 1‑401‑274‑4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to
this incident. There are 191 Rhode Island residents impacted by this incident.
The investigation into this matter is ongoing, and this notice may be supplemented with any new
significant facts learned subsequent to its submission. By providing this notice, National Math
and Science Initiative (“NMSI”), does not waive any rights or defenses regarding the applicability
of Maine law, the applicability of the Maine data event notification statute, or personal jurisdiction.
Nature of the Data Event
On or about October 13, 2021, NMSI discovered unusual activity in its network through its
antivirus software. NMSI moved quickly to secure the network, then began an investigation to
identify what happened and confirm what information may have been affected. Through the
investigation, NMSI determined that between September 23, 2021 and October 18, 2021, an
unauthorized actor may have had access to certain systems. Although there is no evidence of any
actual or attempted misuse of the information stored on the impacted systems, NMSI is providing
notification out of an abundance of caution because they determined on January 6, 2022 that certain
personal information was present on these systems at the time of the incident, and may have been
accessed or acquired.
The information that could have been subject to unauthorized access includes name, address, and
Social Security number.
Notice to Maine Residents
On or about February 7, 2022, NMSI provided written notice of this incident to affected
individuals, which includes fourteen (14) Maine residents. Written notice is being provided in
substantially the same form as the letter attached here as Exhibit A.
Other Steps Taken and To Be Taken
Upon discovering the event, NMSI moved quickly to investigate and respond to the incident,
assess the security of NMSI systems, and notify potentially affected individuals. NMSI is also
working to implement additional safeguards and training to its employees.
Additionally, NMSI is providing impacted individuals with guidance on how to better protect
against identity theft and fraud, including advising individuals to report any suspected incidents of
identity theft or fraud to their credit card company and/or bank. NMSI is providing individuals
with information on how to place a fraud alert and security freeze on one's credit file, the contact
details for the national consumer reporting agencies, information on how to obtain a free credit
report, a reminder to remain vigilant for incidents of fraud and identity theft by reviewing account
statements and monitoring free credit reports, and encouragement to contact the Federal Trade
Commission, their state Attorney General, and law enforcement to report attempted or actual
identity theft and fraud. NMSI is also providing written notice of this incident to other state
regulators, as necessary.
EXHIBIT A
AF6331 v.03
NOTICE OF <>
Dear <>:
National Math and Science Initiative (“NMSI”) is a non‑profit that works with schools and other organizations to help improve
student performance. We are writing to notify you of a recent incident that may affect the privacy of some of your information.
Although we have no evidence of actual or attempted misuse of your information as a result of this incident, this letter provides
details of the incident, our response, and resources available to you to help protect your information from possible misuse, should
you feel it is appropriate to do so.
What Happened? On October 13, 2021, NMSI discovered unusual activity in our network through our antivirus software.
We moved quickly to secure the network, then began an investigation to identify what happened and confirm what information
may have been affected. Through our investigation, we determined that between September 23, 2021 and October 18, 2021, an
unauthorized actor may have had access to certain systems. Although we have no evidence of any actual or attempted misuse
of the information stored on the impacted systems, we are providing you with this notification out of an abundance of caution
because we determined on January 6, 2022 that certain information relating to you was present on these systems at the time of
the incident, and may have been accessed or acquired.
What Information Was Involved? Our investigation determined that the personal information accessible on the impacted
systems includes your name and <>. Please note that, to date, we are unaware of any actual or attempted misuse
of your information as a result of this incident.
What We Are Doing. We take this incident and the security of personal information in our care seriously. Upon learning of
this incident, we moved quickly to investigate and respond to this incident, assess the security of relevant NMSI systems, and
notify potentially affected individuals. Our response included resetting relevant account passwords, reviewing the contents of the
potentially accessed files and folders to determine whether they contained personal information, and reviewing internal systems
to identify contact information for purposes of providing notice to potentially affected individuals. We also notified federal law
enforcement. As part of our ongoing commitment to the security of information we are also reviewing and enhancing existing
policies and procedures to reduce the likelihood of a similar future event.
What You Can Do. We encourage you to remain vigilant against incidents of identity theft and fraud, and to review your account
statements for suspicious activity. You may also review the information contained in the attached Steps You Can Take to Help
Protect Personal Information.
For More Information. We understand that you may have questions about this incident that are not addressed in this letter. If
you have additional questions, please call our dedicated assistance line at 855‑604‑1798 between the hours of 8 a.m. and 8 p.m.
Central Time, Monday ‑ Friday. You may also write to NMSI at 8350 North Central Expressway, Suite M‑2200, Dallas TX, 75206.
We sincerely regret any inconvenience or concern this incident may have caused.
Sincerely,
Bernard A. Harris, Jr.
Chief Executive Officer
Return Mail Processing Center
P.O. Box 6336
Portland, OR 97228-6336
<>
<>
<>
<>
<>
<>
<> <>
<>
<><><>
<>
AF6332 v.03
Steps You Can Take to Help Protect Personal Information
Monitor Your Accounts
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus,
Equifax, Experian, and TransUnion. To order your free credit report, visit www.annualcreditreport.com or call, toll‑free,
1‑877‑322‑8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of
your credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1‑year
alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required
to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled
to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any
one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a
credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is
designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be
aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report
may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new
loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to
place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
1. Full name (including middle initial as well as Jr., Sr., II, III, etc.);
2. Social Security number;
3. Date of birth;
4. Addresses for the prior two to five years;
5. Proof of current address, such as a current utility bill or telephone bill;
6. A legible photocopy of a government‑issued identification card (state driver’s license or ID card, etc.); and
7. A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity
theft if you are a victim of identity theft.
Should you wish to place a credit freeze, please contact the three major credit reporting bureaus listed below:
Equifax Experian TransUnion
https://www.equifax.com/personal/
credit‑report‑services/ https://www.experian.com/help/ https://www.transunion.com/credit‑help
888‑298‑0045 1‑888‑397‑3742 833‑395‑6938
Equifax Fraud Alert, P.O. Box 105069
Atlanta, GA 30348‑5069
Experian Fraud Alert,
P.O. Box 9554, Allen, TX 75013
TransUnion Fraud Alert, P.O. Box 2000,
Chester, PA 19016
Equifax Credit Freeze, P.O. Box 105788
Atlanta, GA 30348‑5788
Experian Credit Freeze,
P.O. Box 9554, Allen, TX 75013
TransUnion Credit Freeze,
P.O. Box 160, Woodlyn, PA 19094
Additional Information
You may further educate yourself regarding identity theft, fraud alerts, credit freezes, and the steps you can take to protect
your personal information by contacting the consumer reporting bureaus, the Federal Trade Commission, or your state
Attorney General. The Federal Trade Commission may be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580;
www.identitytheft.gov; 1‑877‑ID‑THEFT (1‑877‑438‑4338); and TTY: 1‑866‑653‑4261. The Federal Trade Commission also
encourages those who discover that their information has been misused to file a complaint with them. You can obtain further
information on how to file such a complaint by way of the contact information listed above. You have the right to file a police
report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity
theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft
should also be reported to law enforcement and your state Attorney General. This notice has not been delayed by law enforcement.
For District of Columbia residents, the District of Columbia Attorney General may be contacted at: 400 6th Street, NW,
Washington, DC 20001; 202‑727‑3400; and [email protected].
For Maryland residents, the Maryland Attorney General may be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD
21202; 1‑410‑528‑8662 or 1‑888‑743‑0023; and www.oag.state.md.us.
For New Mexico residents, you have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information
in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score,
and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act, the consumer
reporting bureaus must correct or delete inaccurate, incomplete, or unverifiable information; consumer reporting agencies
may not report outdated negative information; access to your file is limited; you must give your consent for credit reports to
be provided to employers; you may limit “prescreened” offers of credit and insurance you get based on information in your
AF6333 v.03
credit report; and you may seek damages from violator. You may have additional rights under the Fair Credit Reporting Act
not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to
the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting
www.consumerfinance.gov/f/201504_cfpb_summary_your‑rights‑under‑fcra.pdf, or by writing Consumer Response Center,
Room 130‑A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.
For New York residents, the New York Attorney General may be contacted at: Office of the Attorney General, The Capitol,
Albany, NY 12224‑0341; 1‑800‑771‑7755; or https://ag.ny.gov/.
For North Carolina residents, the North Carolina Attorney General may be contacted at: 9001 Mail Service Center, Raleigh, NC
27699‑9001; 1‑877‑566‑7226 or 1‑919‑716‑6000; and www.ncdoj.gov.
For Rhode Island residents, the Rhode Island Attorney General may be reached at: 150 South Main Street, Providence, RI 02903;
www.riag.ri.gov; and 1‑401‑274‑4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to
this incident. There are 191 Rhode Island residents impacted by this incident.
