Sian M. Schafle 1275 Drummers Lane, Suite 302 Office: 267-930-4799 Wayne, PA 19087 Fax: 267-930-4771 Email: sschafle@mullen.law

March 29, 2017

VIA E-MAIL AND U.S. MAIL

Office of the Attorney General Attn: Security Breach Notification 200 St. Paul Place Baltimore, MD 21202 E-Mail: idtheft@oag.state.md.us

Re: Notice of Data Event

Dear Sir or Madam:

We represent CFG Community Bank (“CFG”), 1422 Clarkview Road, Baltimore, MD 21209, and are writing to notify your office of an incident that may affect the security of personal information relating to one hundred fifty-five (155) Maryland residents. The investigation into this event is ongoing, and this notice will be supplemented with any new significant facts learned subsequent to its submission. By providing this notice, CFG does not waive any rights or defenses regarding the applicability of Maryland law or personal jurisdiction.

Nature of the Data Event

On March 17, 2017, CFG was the victim of an email spoofing attack by an individual or individuals pretending to be CFG’s Owner. The fraudulent email requested 2016 CFG employee W-2 information. A list containing names, Social Security numbers, and year to date earnings from 2016 employee W-2 forms was provided before the company discovered that the request was fraudulent. CFG discovered the fraudulent nature of the request on March 18, 2017 and has since been working diligently to investigate and to mitigate the impact of the attack.

Office of the Attorney General March 29, 2017 Page 2

Notice to Maryland Residents

On March 18 and 19, 2017, CFG provided preliminary notice to current employees via email and work-place announcement. A copy of the written notices is attached here as Exhibit A. On March 24 and 27, 2017, CFG provided follow-up preliminary notices to affected current and former CFG employees for whom CFG had email addressed. A copy of these notices is attached here as Exhibit B. On March 29, 2017, CFG will begin providing written notice of this incident to all affected current and former employees, which includes one hundred fifty-five (155) Maryland residents. Written notice will be provided in substantially the same form as the letter attached here as Exhibit C.

Other Steps Taken and To Be Taken

Upon discovering the fraudulent nature of the email, CFG moved quickly to identify those that may be affected, to put in place resources to assist them, and to provide them with notice of this incident. CFG is providing all potentially affected individuals access to two (2) years of credit and identity monitoring services, including identity restoration services, through Equifax, at no cost to the individual.

Additionally, CFG is providing potentially impacted individuals with guidance on how to better protect against identity theft and fraud, including information on how to place a fraud alert and security freeze on one's credit file, information on protecting against tax fraud, the contact details for the national consumer reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports, and encouragement to contact the Federal Trade Commission, their state Attorney General, and law enforcement to report attempted or actual identity theft and fraud. CFG is also providing written notice of this incident to other state regulators as necessary. CFG has provided notice of this incident to the IRS, state tax agencies, local law enforcement, state and federal banking regulators, the FTC, and the FBI.

Contact Information

Should you have any questions regarding this notification or other aspects of the data security event, please contact us at 267-930-4799.

Very truly yours,

Sian Schafle of MULLEN COUGHLIN LLC

EXHIBIT A

From: Casaundra M. Leonard Sent: Saturday, March 18, 2017 12:07 PM To: All < > Subject: Urgent

Good Morning,

As a result of a phishing attack of our systems, certain sensitive, personal information such as names and social security numbers have been compromised. Please be aware and cautious with regards to responding and or sending internal and external emails. We are currently investigating this hack, and have alerted the authorities. As we obtain additional information we will keep everyone updated.

Thanks Casaundra Get Outlook for iOS

CONFIDENTIALITY NOTICE: Email may contain confidential and proprietary information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify us by reply email, by forwarding this to it@capfundinc.com or by telephone at (410)342-3155 and destroy the original transmission and its attachments without reading or saving in any manner.

EXHIBIT B

From: Casaundra M. Leonard [ ] Sent: Friday, March 24, 2017 1:18 PM To: All < > Cc: Alex Bradley < > Subject: Urgent Communication-

Hello-

Please find attached additional details with regards to what to expect via mail to your home address, as well as some additional tips on "Fraud Alerts" on your personal credit reports.

Let me know if you have any additional questions.

Sincerely,

Casaundra Leonard, CDT

Human Resources Director CFG Community Bank 1422 Clarkview Road Baltimore, Maryland 21209

-------------------

CONFIDENTIALITY NOTICE: Email may contain confidential and proprietary information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify us by reply email, by forwarding this to it@capfundinc.com or by telephone at (410)342-3155 and destroy the original transmission and its attachments without reading or saving in any manner.

From: Casaundra M. Leonard [ ] Sent: Monday, March 27, 2017 8:33 AM To: All < > Cc: Alex Bradley < > Subject: Data Incident

Hello-

Please find attached a few “tips” on how to safeguard ourselves, and also a FAQ sheet.

Let me know if you have any additional questions.

Sincerely,

Casaundra Leonard, CDT

Human Resources DirectorCFG Community Bank1422 Clarkview RoadBaltimore, Maryland 21209

Visit us: www.capfundinc.com | www.cfgcommunitybank.comFollow us: Twitter | Facebook

CONFIDENTIALITY NOTICE: Email may contain confidential and proprietary information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify us by reply email, by forwarding this to it@capfundinc.com or by telephone at (410)342-

3155 and destroy the original transmission and its attachments without reading or saving in any manner.

Steps You May Take to Protect Your Information

1. My tax filing has been rejected. How can you help me?

If you receive a notice that leads you to believe someone may have used your social security number or Form W-2 fraudulently, please notify the IRS immediately. You may also visit www.irs.gov/Individuals/Identity-Protection and contact the IRS’s Identity Protection Specialized Unit (IPSU) at 800-908-4490. IPSU employees are available to answer questions about identity theft and resolve any tax account issues that resulted from identity theft. You should also fill out a Form 14039 and file it with it with a copy of your return.

2. Can this information be misused to file a fraudulent tax return?

Yes, this information can be used to file a fraudulent tax return. We strongly encourage you to file your tax return as soon as possible if you have not done so already.

3. How can I stop someone from filing my tax return fraudulently?

The IRS does not currently offer any preventative measures to the general public to stop tax related ID theft. The best way to prevent potential issues as you file your own return is to file your tax return as soon as possible, before any issues might arise from an attempted fraudulent filing.

4. How will I know if someone fraudulently filed a tax return?

When someone files a tax return using your Social Security number, you won’t find out until after the second return is filed. The second return could be from you or the person who has stolen your information.

When the IRS receives two different returns with the same Social Security number, the second return filed will be rejected. If you e-filed, you will get a notice that a return has already been filed at the e-filing website. If you paper-filed you’ll get a notice in the mail explaining a return has already been filed with your Social Security number. A specific IRS fraud tax filing affidavit, Form 14039, will need to be completed if you receive notice of a rejected filing.

5. What steps do I need to complete to ensure the Form 14039 was submitted correctly?

After you complete Form 14039, mail it securely using certified mail and a return receipt to the IRS with a copy of your Social Security card and driver’s license. If you don’t have a driver’s license, you can substitute a U.S. Passport, military ID or other government-issued identification card.

If you received an IRS notice concerning the fraudulent return, include a copy of the notice. Mail the form and documents to the address shown in your notice.

If your e-filing was rejected mail the documents and 14039 affidavit to:

Internal Revenue Service P.O. Box 9039

Andover, MA 01810-0939

6. If I already filed my tax return, should I be worried?

You should continue to monitor for any communications from state and federal taxing authorities, and follow any instructions provided in the communication.

If you already filed your tax return and have not received any message from federal or state tax agencies that there is a problem with your filing or that a filing has already been made in your name, you may not have any issues with the receipt of your 2016 return, but we encourage you to monitor your accounts for suspicious activity and confirm with the filing agencies or your accountant that your previously filed return has been accepted.

7. What are some steps I can take to protect my information?

We encourage potentially impacted individuals to monitor their identities, financial accounts, and credit reports. Steps an individual can take to protect against identity theft and fraud include:

• Monitor your financial statements carefully, and if you see any unauthorized activity, promptly contact your bank, credit union, or credit card company. Look for inquiries from companies you haven't contacted, accounts you didn't open, and debts on your accounts that you can't explain.

• File your tax return as soon as possible.

• Contact the IRS at www.irs.gov/Individuals/Identity-Protection for helpful information and guidance on steps you can take to prevent a fraudulent tax return from being filed in your name and what to do if you become the victim of such fraud. You can also visit https://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft for more information.

• Monitor your credit reports for suspicious or unauthorized activity. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report:

Equifax Experian TransUnion P.O. Box 105069 P.O. Box 2002 P.O. Box 2000 Atlanta, GA 30348 Allen, TX 75013 Chester, PA 19022 800-525-6285 888-397-3742 800-680-7289 www.equifax.com www.experian.com www.transunion.com

• Contact law enforcement to report suspicious activity or incidents of identity theft and fraud.

• Contact the Federal Trade Commission or your state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them.

• If you suspect unauthorized activity, place a “fraud alert” or a “credit freeze” on your credit reports. You can find out more information from the Federal Trade Commission about fraud alerts and freezing your credit files, at: www.ftc.gov. To place a fraud alert or freeze on your credit files, contact the three credit reporting agencies listed above. Placing a fraud alert entitles you to free copies of your credit reports. A fraud alert is a signal placed in your credit report to warn potential creditors that they must use what the law calls “reasonable policies and procedures” to verify your identity before they issue credit in your name. To find our more on how to place a security freeze, you can use the following contact information:

Equifax Security Freeze Experian Security Freeze TransUnion P.O. Box 105788 P.O. Box 9554 P.O. Box 2000 Atlanta, GA 30348 Allen, TX 75013 Chester, PA 19016 1-800-685-1111 1-888-397-3742 1-888-909-8872 https://www.freeze.equifax.com www.experian.com/freeze/ www.transunion.com/

• Monitor for misuse of Social Security Benefits. You can create an account at https://www.socialsecurity.gov/myaccount/ to monitor for any actual or attempted misuse. If they see an error or attempted misuse of social security benefits, you can go to your local Social Security Office for assistance. Local offices can be found using the following office locator - https://secure.ssa.gov/ICON/main.jsp.

• If you are concerned someone may file for Social Security in your name, we would suggest that you create an account at https://www.socialsecurity.gov/myaccount/ to monitor for any actual or attempted misuse. If they see an error or attempted misuse of social security benefits, you can go to your local Social Security Office for assistance. Local offices can be found using the following office locator - https://secure.ssa.gov/ICON/main.jsp

8. There are fraudulent charges on my credit/debit card. What do I do?

This incident did not impact the security of any credit or debit card information. Nevertheless, you should immediately contact your bank or financial institution if you identify any fraudulent or suspicious charges on your credit or debit card. They’ll give you instructions on how to dispute the charges and have a new account issued to avoid any further suspicious activity. Incidents of identity theft should also be reported to your local law enforcement.

9. What is the purpose of a “fraud alert”?

A fraud alert tells creditors to take steps to verify identity before they open a new credit account under your Social Security number.

10. What is the purpose of a security freeze?

A security freeze is designed to prevent a credit reporting company from releasing your credit report without your consent.

11. Should I check my credit report?

You should monitor your credit report regardless of whether your information has been exposed or you think you may be a victim of identity theft or fraud. Every U.S. consumer over the age of eighteen can receive one free credit report every twelve months by contacting one of the three national credit bureaus or

through the Annual Credit Report Service by visiting www.annualcreditreport.com or calling toll-free, 1-877-322-8228.

12. I think I may be a victim of identity theft. What should I do?

If you believe you are a victim of attempted or actual identity theft or fraud, we encourage you to take the following steps:

• Contact your financial institution to protect or close any accounts that have been tampered with or opened fraudulently.

• Contact the credit reporting agencies to place a “fraud alert” or a “credit freeze” on your credit reports.

• File a police report and ask for a copy for your records. • File a complaint with the Federal Trade Commission at: https://www.identitytheft.gov/. • File a complaint with your state attorney general. • Keep good records.

o Keep notes of anyone you talk to regarding this incident, what s/he told you, and the date of the conversation;

o Keep originals of all correspondence or forms relating to the suspicious activity, identity theft, or fraud; and

o Retain originals of supporting documentation, such as police reports and letters to and from creditors; send copies only.

• Keep old files, even if you believe the problem is resolved.

13. Am I going to receive a letter about this incident?

If you are impacted, we are sending you a letter with more information about the event and what you could do to better protect against identity theft and fraud if you feel it is appropriate to do so.

EXHIBIT C

R2801 v.03 03.28.2017

Return Mail Processing Center Promotion Code: <<credit monitoring code>>PO Box 6336Portland, OR 97228-6336

<<Mail ID>><<Name>><<Address1>><<Address2>><<City>>,<<State>><<Zip>> <<Date>>

Re: Notice of Data Security Incident

Dear <<Name>>:

I am writing in follow up to our prior communications to make you aware of a recent email phishing attack that may affect the security of your personal information. We take this incident very seriously and are providing you with information and access to resources so that you can protect your personal information, should you feel it is appropriate to do so.

What Happened? We recently discovered that, on March 17, 2017, our company was the victim of an email spoofing attack by an individual or individuals pretending to be our Owner. A request was made from what appeared to be a legitimate CFG Community Bank (“CFG”) email address for 2016 CFG employee W-2 information. Unfortunately, a file containing names, Social Security numbers, and year to date earnings from 2016 employee W-2 forms was provided before we discovered that the request was fraudulent. We discovered the fraudulent nature of the request on March 18, 2017 and have been working diligently to investigate and to mitigate the impact of the attack.

What Information Was Involved? A file containing information from your IRS Tax Form W-2, was sent in response to the fraudulent email. This file included the following categories of information: (1) your name; (2) your Social Security number; and (3) your year to date earnings. Other than information contained on the IRS Tax Form W-2, no personal financial information was emailed to the external email account.

What We Are Doing. The confidentiality, privacy, and security of our employee information is one of our highest priorities. CFG has security measures in place to protect the security of information in our possession. As part of our ongoing commitment to the security of personal information in our care, we are working to implement additional safeguards and provide additional mandatory training to our employees on safeguarding the privacy and security of information on our systems. We have reported this incident to the IRS, state tax agencies, the FBI, the Maryland Attorney General’s Office, the Federal Reserve Board, the Maryland State Banking Commission, Federal Trade Commission, and the Baltimore County Police.

As an added precaution, we are offering you access to 24 months of credit monitoring and identity theft protection services through Equifax at no cost to you. The cost of this service will be paid for by CFG. We strongly encourage you to take steps to enroll in these services as we are not able to act on your behalf to enroll you in the credit monitoring. More information on these services and instructions on how to enroll can be found in the enclosed Steps You Can Take to Prevent Identity Theft and Fraud.

What You Can Do. You can review the enclosed Steps You Can Take to Prevent Identity Theft and Fraud. You can also enroll to receive the free credit monitoring and identity restoration services described above. In addition, we strongly encourage you to file your 2016 tax return as soon as possible, if you have not already done so.

For More Information. We understand that you may have questions about this incident that are not addressed in this letter. If you have additional questions, please call 844-469-3940.

R2802 v.03 03.28.2017

CFG Community Bank takes the privacy and security of the personal information in our care seriously. We sincerely regret any inconvenience or concern this incident has caused you.

Sincerely,

Casaundra Leonard Human Resources Director 1422 Clarkview Road Baltimore, MD 21209

R2803 v.03 03.28.2017

STEPS YOU CAN TAKE TO PREVENT IDENTITY THEFT AND FRAUD

While we continue to investigate, you may take direct action to further protect against possible identity theft or fraud.

As a precaution, we are offering you access to 24 months of credit monitoring and identity theft protection services through Equifax at no cost to you. The cost of this service will be paid for by CFG. To enroll, follow the instructions below:

Activation Code: <<INSERT Credit Monitoring Code>>

About the Equifax ID Patrol identity theft protection product

ID Patrol will provide you with an “early warning system” to changes to your credit file and help you to understand the content of your credit file at the three major credit-reporting agencies. Note: You must be over age 18 with a credit file in order to take advantage of the product.

ID Patrol provides you with the following key features and benefits: ○ Comprehensive credit file monitoring and automated alerts of key changes to your Equifax, Experian, and

TransUnion credit reports ○ Wireless alerts and customizable alerts available (available online only) ○ One 3-in-1 Credit Report and access to your Equifax Credit Report™ ○ Ability to receive alerts if your Social Security Number or credit card numbers are found on Internet trading

sites (available online only) ○ Ability to lock and unlock your Equifax Credit Report™ (available online only) ○ Up to $1 million in identity theft insurance with $0 deductible, at no additional cost to you* ○ 24 by 7 live agent Customer Service to assist you in understanding the content of your Equifax credit

information, to provide personalized identity theft victim assistance and in initiating an investigation of inaccurate information.

○ 90 day Fraud Alert placement with automatic renewal functionality† (available online only)

How to Enroll: You can sign up onlineTo sign up online for online delivery go to www.myservices.equifax.com/patrol

1. Welcome Page: Enter the Activation Code provided at the top of this page in the “Activation Code” box and click the “Submit” button.

2. Register: Complete the form with your contact information (name, gender, home address, date of birth, Social Security Number and telephone number) and click the “Continue” button.

3. Create Account: Complete the form with your email address, create a User Name and Password, check the box to accept the Terms of Use and click the “Continue” button.

4. Verify ID: The system will then ask you up to four security questions to verify your identity. Please answer the questions and click the “Submit Order” button.

5. Order Confirmation: This page shows you your completed enrollment. Please click the “View My Product” button to access the product features.

* Identity Theft Insurance underwritten by insurance company subsidiaries or affiliates of American International Group, Inc. The description herein is a summary and intended for informational purposes only and does not include all terms, conditions and exclusions of the policies described. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions. This product is not intended for minors (under 18 years of age). † The Automatic Fraud Alert feature made available to consumers by Equifax Information Services LLC and fulfilled on its behalf by Equifax Consumer Services LLC

R2804 v.03 03.28.2017

We strongly encourage you to take steps to enroll in these services as we are not able to act on your behalf to enroll you in the credit monitoring.

We strongly encourage you to file your tax return as soon as possible, if you have not already done so. You can also contact the IRS at www.irs.gov/Individuals/Identity-Protection for helpful information and guidance on steps you can take to prevent a fraudulent tax return from being filed in your name and what to do if you become the victim of such fraud. You can also visit www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft for more information.

We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports and explanation of benefits forms for suspicious activity. Under U.S. law, you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.

At no charge, you can also have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it may also delay your ability to obtain credit while the agency verifies your identity. As soon as one credit bureau confirms your fraud alert, the others are notified to place fraud alerts on your file. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact any one of the agencies listed below.

EquifaxP.O. Box 105069Atlanta, GA 30348800-525-6285www.equifax.com

ExperianP.O. Box 2002Allen, TX 75013888-397-3742www.experian.com

TransUnionP.O. Box 2000Chester, PA 19106800-680-7289www.transunion.com

Once enrolled, you can also place a Fraud Alert through your Equifax membership by following these instruction:

• To place a fraud alert on your credit file, visit: www.fraudalerts.equifax.com or you may contact the Equifax auto fraud line at 1-877-478-7625, and follow the simple prompts.

• Once the fraud alert has been placed with Equifax, a notification will be sent to the other two credit reporting agencies, Experian and Trans Union, on your behalf.

You may also place a security freeze on your credit reports. A security freeze prohibits a credit bureau from releasing any information from a consumer’s credit report without the consumer’s written authorization. However, please be advised that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit mortgages, employment, housing, or other services. If you have been a victim of identity theft and you provide the credit bureau with a valid police report, it cannot charge you to place, lift, or remove a security freeze. In all other cases, a credit bureau may charge you a fee to place, temporarily lift, or permanently remove a security freeze. You will need to place a security freeze separately with each of the three major credit bureaus listed above if you wish to place a freeze on all of your credit files. In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver’s license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence. Fees vary based on where you live, but commonly range from $3 to $15. To find out more on how to place a security freeze, you can use the following contact information:

Equifax Security Freeze P.O. Box 105788 Atlanta, GA 30348 1-800-685-1111 (NY residents: 800-349-9960)https://www.freeze.equifax.com

Experian Security Freeze P.O. Box 9554Allen, TX 750131-888-397-3742www.experian.com/freeze/

TransUnionP.O. Box 2000Chester, PA 191061-888-909-8872https://www.transunion.com/ credit-freeze/place-credit-freeze

You can further educate yourself regarding identity theft, fraud alerts, security freezes, and the steps you can take to protect yourself against identity theft, by contacting the Federal Trade Commission or your state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. For Maryland residents, the Attorney General can be reached at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; 1-888-743-0023; and www.oag.state.md.us. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by

R2805 v.03 03.28.2017

way of the contact information listed above. You have the right to file and obtain a police report if you ever experience identity theft or fraud. Please note that in order to file a crime report or incident report with law enforcement for identity theft, you will likely need to provide some kind of proof that they have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement. This notice has not been delayed by law enforcement.