Connecticut Breach of Data Security
Conn. Gen. Stat. § 36a-701b
SUMMARY:
EFFECTIVE. January 1, 2006
WHO DOES THIS LAW APPLY TO. (1) Any person that conducts business in Connecticut and owns or licenses unencrypted computerized data that includes Personal Information; and (2) any person that maintains computerized data that such person does not own which includes Connecticut residents’ Personal Information, whether or not the entity conducts business in Connecticut.
WHAT IS A BREACH. Unauthorized acquisition of or access to unencrypted or unredacted electronic files, media, databases, or computerized data containing Personal Information.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security Number.
- Driver’s license number or state identification card number.
- Taxpayer identification number or PIN issued by the IRS.
- Passport number, military identification number, or other identification number issued by the government.
- Account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Medical information, including mental or physical condition, treatments, and diagnosis.
- Health insurance policy number or any unique identifier used by a health insurer.
- Biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina, or iris image.
- Username or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
Personal Information does not include publicly available information, information that is lawfully available from Federal, State, or local government records, or widely distributed media.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the affected Connecticut residents. No notification is required if a person reasonably determines, after investigation and consultation with Federal, State, and local agencies responsible for law enforcement, that the data breach is not likely to result in harm to the affected individuals. When the entity is required to notify Connecticut residents, it shall also notify the Attorney General of the breach, no later than the time the notice is provided to the residents.
EXCEPTION. This Section does not apply to the following:
- Any person who maintains their own notice procedures as part of a Personal Information security policy which is otherwise consistent with the timing requirements of this Section is considered in compliance with this Section if the affected individuals are notified by the person in accordance with such policies.
- Any person who is regulated by State or Federal laws (HIPAA and HITECH) and maintains procedures for a security breach pursuant to the State or Federal laws or rules (as defined in 15 USC 6809(2)) is considered in compliance with this Section provided such person notifies the affected individuals in accordance with such policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be made without unreasonable delay, and no later than sixty (60) days from discovery of the breach, consistent with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore integrity to the data system. Notification may be delayed if it would impede a criminal investigation and law enforcement requests the delay. In that instance, notification will be made as soon as possible following clearance by law enforcement.
- If the person identifies additional residents of this state whose personal information was breached or is reasonably believed to have been breached more than sixty days after the discovery of such breach, the person shall proceed in good faith to notify such additional residents as expediently as possible.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic.
- Electronic notice (if consistent with provisions regarding electronic records and signatures provided in 15 U.S.C. § 7001).
- Substitute notice as provided below.
- If a Connecticut resident’s Social Security number is believed to have been compromised in the data breach, the resident must be offered 24 months of credit monitoring services and, if applicable, identity theft mitigation services, provided at no cost to such resident. As of October 1, 2021, this requirement extends to breaches involving Taxpayer Identification Numbers. See Conn. Gen. Stat. § 36a-701(b)(2)(B). Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file.
- In the event of a breach of login credentials, notice to a resident may be provided in electronic or other form that directs the resident whose personal information was breached or is reasonably believed to have been breached to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same user name or electronic mail address and password or security question and answer.
- Any person that furnishes an electronic mail account shall not comply with this section by providing notification to the electronic mail account that was breached or is reasonably believed to have been breached if the person cannot reasonably verify the affected resident's receipt of such notification. In such an event, the person shall provide notice by another method described in this section or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet protocol address or online location from which the person knows the resident customarily accesses the account.
SUBSTITUTE NOTICE AVAILABLE. If the person can demonstrate that the cost of providing notice would exceed $250,000, that the number of affected individuals to be notified exceeds 500,000, or that the person or business does not have sufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email, if the person or business has an email address for the affected individual.
- Conspicuous posting of the notice on the website of the person or business.
- Notification to major statewide media.
NOTICE TO THIRD PARTIES. If a person maintains computerized data that includes Personal Information that the person does not own, then the person shall notify the owner or licensee of the information concerning the breach immediately following its discovery. The person or entity that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Failure to comply with this Section constitutes an unfair trade practice and shall be enforced by the Attorney General. The Attorney General may seek direct damages and injunctive relief.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. Public Act No. 21-119. As of October 1, 2021, Connecticut businesses will enjoy statutory protection from the assessment of punitive damages in cases that allege failure to protect personal and confidential information, provided reasonable cybersecurity controls are in place. The Act seeks to incentivize greater adoption of cybersecurity standards by businesses in the state by providing guidance as to reasonable cybersecurity controls, and protecting businesses that implement those controls.
DATA DISPOSAL PROVISIONS. Conn. Gen. Stat. § 42-471. Safeguarding of personal information. Social Security numbers. Privacy protection policy. Civil penalty. (a) Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.
LEGISLATIVE UPDATES.
S.B. 650 – Signed into law on 6/8/2005, Effective 1/1/2006.
H.B. 6001 – Signed into law on 6/15/2012, Effective 10/1/2012.
S.B. 949 – Signed into law on 6/30/2015, Effective 10/1/2015.
S.B. 472 – Signed into law on 6/4/2018, Effective 10/1/2018.
H.B. 5310 – Signed into law on 6/16/2021, Effective 10/1/2021.
For more information, see here: https://cga.ct.gov/current/pub/chap_669.htm#sec_36a-701b
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.