Fillable Template

Demand Letter

Protected.is — Formal Legal Demand CONFIDENTIAL & WITHOUT PREJUDICE
@protected.is



Date of Letter
Sent Via
Certified Mail + Email
Tracking:
To — Legal / Registered Address

Attn: Legal Department / Privacy Officer

Also Sent By Email To
Re
FORMAL DEMAND FOR BREACH OF COMMUNICATIONS & DATA LIABILITY AGREEMENT AND POLICY — Security Incident Involving — Demand for $5,000 Liquidated Damages Plus Full Remediation Costs
Section 1 of 7

Introduction & Parties

This letter constitutes a formal pre-litigation demand pursuant to the Communications & Data Liability Agreement and Policy (the "Agreement"), publicly available at protected.is/policy/, and applicable law.

The undersigned ("Claimant") is the authorized operator of the @protected.is domain and the owner of the email address (the "Protected Address").

You, ("Respondent"), are the entity to whom the Protected Address was exclusively assigned and whose systems, infrastructure, or practices are responsible for or materially contributed to the Security Incident described herein.


Section 2 of 7

Basis for Agreement & Respondent's Acceptance

The Agreement was accepted by the Respondent through one or more of the following:

  1. The Claimant registered an account with the Respondent using the Protected Address on or around , thereby providing the Protected Address as a valid credential which the Respondent accepted and stored — constituting acceptance under Section 4B.1 of the Agreement;
  2. The Respondent sent one or more communications to the Protected Address following that registration, including but not limited to , constituting further acknowledgment under Section 4B.3;
  3. The Agreement has been publicly accessible at protected.is/policy/ since January 1, 2025, constituting constructive notice to all parties who store or use a @protected.is address.

The Respondent therefore accepted all terms of the Agreement no later than .


Section 3 of 7

Description of the Security Incident

On or around , the Claimant discovered that the Protected Address — assigned exclusively to the Respondent — had been compromised, exposed, or made available to unauthorized parties as a result of a Security Incident attributable to the Respondent's systems or practices.

Specifically:

Evidence of the Security Incident is attached hereto as Exhibit A. .

The Respondent failed to notify the Claimant of this Security Incident within the seventy-two (72) hour window required by Section 3.5 of the Agreement, constituting a separate and independent breach entitling the Claimant to damages irrespective of whether the underlying incident caused demonstrable harm.


Section 4 of 7

Damages Claimed

Pursuant to Section 3.3 of the Agreement, the Claimant demands the following:

| Item | Basis | Amount (USD) |
|---|---|---|
| Liquidated Damages: Minimum compensatory damages per Agreement §3.3(a) | Pre-agreed; consistent with IBM Cost of Data Breach Report & CCPA §1798.150 | $5,000.00 |
| Search & Discovery: Locating where data was published / transmitted | Agreement §3.4 | |
| Data Removal & Suppression: Third-party removal services, delisting | Agreement §3.4 | |
| Legal & Court Costs: Attorney fees, filing fees, process costs | Agreement §3.4 | |
| Internet Publication Damages: Reputational harm, loss of privacy, distress | Agreement §3.4 — no proof of financial loss required | |
| Monitoring Services (24 mo.): Identity / data exposure monitoring | Agreement §3.4 | |
| Total Demanded + ongoing costs as incurred | | $5,000.00 + TBD |

Interest accrues from at the applicable statutory rate.


Section 5 of 7

Specific Demands

The Claimant demands that the Respondent take each of the following actions within the timeframes specified:

  1. Within 72 hours of receipt: Confirm in writing to privacy@protected.is that this demand has been received and that the Respondent's legal team is reviewing it. Identify the nature and scope of the Security Incident to the extent known.
  2. Within 14 days: Provide a full written account of the Security Incident — how the Protected Address was exposed, what data was compromised, which third parties received or accessed it, and what remediation steps have been taken or are planned.
  3. Immediately and ongoing: Cease any further distribution, sharing, or use of the Protected Address or any associated data.
  4. Within 30 days: Provide written confirmation that the Protected Address and all associated data has been permanently deleted from the Respondent's systems and any third-party systems to whom it was disclosed, to the extent technically feasible.
  5. Within 30 days: Pay the total damages amount set forth in Section 4, or engage in good-faith settlement discussions as required by Section 8 of the Agreement.

Section 6 of 7

Preservation Notice & Response Deadline

EVIDENCE PRESERVATION NOTICE: The Respondent is hereby instructed to immediately preserve and not destroy, alter, overwrite, or dispose of any records, logs, databases, email communications, access records, third-party data transfer records, or other materials relating to: (a) the Protected Address; (b) any Security Incident affecting the Protected Address; (c) any third parties to whom the Protected Address was disclosed; and (d) any communications regarding this matter. Failure to preserve evidence may constitute spoliation and result in adverse inferences in any subsequent legal proceedings.

RESPONSE DEADLINE — 30 DAYS. The Respondent must respond in writing no later than . Failure to respond or engage in good-faith settlement discussions will result in the Claimant initiating arbitration before the AAA under Illinois law, or proceedings before Icelandic courts under GDPR, at the Claimant's election — without further notice.

⚠ GDPR Addendum

The Security Incident described herein may also constitute a breach of Articles 5, 32, and 33 of the GDPR as implemented under Icelandic law. The Respondent's failure to report this incident to the Claimant within 72 hours as required by Article 33 GDPR constitutes a separate regulatory violation. The Claimant reserves the right to file a complaint with the Icelandic Data Protection Authority (Persónuvernd) and to seek additional remedies under Article 82 GDPR, including compensation for non-material damage.


Section 7 of 7

Governing Law & Reservation of Rights

This demand is made pursuant to the Agreement, governed by Illinois law and, where applicable, Icelandic law and the GDPR. The Claimant reserves all rights and remedies available at law or in equity. Nothing in this letter constitutes a waiver of any right, claim, or remedy. All correspondence must be directed to: privacy@protected.is

Sincerely,


Operator, @protected.is

Date:
Enclosures: Exhibit A — Evidence of Security Incident  |   |  Copy of Agreement (protected.is/policy/)