A Data Breach Notification Law is Coming for Connecticut

State lawmakers across the country are prioritizing privacy and security issues, and Connecticut is no exception. This week Connecticut Attorney General William Tong announced the passage of a bill that will update and strengthen Connecticut’s data breach notification law. The Connecticut House of Representatives unanimously approved the bill on May 27, and the Senate unanimously followed suit shortly thereafter. The bill now goes to Governor Ned Lamont for signature.

“Connecticut has been a leader in data protection for over a decade, and this legislation ensures we will continue to do so. Since we passed one of the first laws in our country to protect consumers from online privacy breaches, technology and risk have evolved. This legislation ensures that our laws reflect evolving risks and continue to provide strong, comprehensive protection for Connecticut residents,”

Attorney General Tong said in his announcement of the Data Protection Breach Notification Act.

Key aspects of Connecticut’s Extended Data Protection Act include:

Expanded definition of “personal information”

Connecticut originally defined “personal information” as a person’s first name or first initial and last name in combination with one or more of the following:

    • Social security number

    • Driver’s license number

    • State ID number

    • Credit or debit card number

    • Financial account number in combination with a required security code, access code or password that enables access to such a financial account.

When the new law goes into effect, it will look more like similar laws in California and Florida in that it includes additional categories of data:

    • Individual tax identification number

    • Personal identification number for identity protection issued by the IRS

    • Passport number, military identification number, or other government-issued identification number used for identity verification

    • Medical information about a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health professional

    • Health insurance policy number or subscriber identification number, or any unique identifier a health insurer uses to identify the person

    • Biometric information consisting of data generated by electronic measurements of a person’s unique physical characteristics and used to authenticate or establish the person’s identity, such as fingerprints, voice prints, retinal or iris images; and

    • Username or email address, in combination with a password or a security question and answer that enables access to an online account.

Notification time and content

The new law would reduce the time a company has to notify affected Connecticut residents and the Attorney General of a data breach from 90 days to 60 days. Note that, as with most other breach reporting mandates, the time requirement is “without undue delay but no later than 60 days”. In addition, if a company cannot identify within those 60 days the state residents whose personal information was breached or is reasonably believed to have been breached, it must provide a preliminary substitute notice as required by the law and continue in good faith to identify affected residents and notify them directly as soon as possible. Incident response plans should be reviewed to ensure this requirement can be met.

Breach of login credentials

The new law would add a section dealing with specific notification requirements in the event of a breach of login credentials. In such an event, notice may be provided to an affected resident in electronic or other form directing the resident to promptly change their password or security question and answer, or to take other appropriate steps to protect the affected online account and any other account that uses the same login credentials.

Exemption for entities subject to HIPAA and HITECH

Anyone who is subject to, and in compliance with, the privacy and security obligations of HIPAA and/or the HITECH Act is deemed compliant with the new law, with a few critical exceptions. First, as under New York’s SHIELD Act, a person subject to HIPAA or HITECH that notifies Connecticut residents of a data breach under HITECH must also notify the Connecticut Attorney General at the time residents are notified. Second, where Connecticut law requires a person to provide identity theft prevention and/or mitigation services for a period of 24 months, that requirement remains in place.

Investigation materials

Under the new law, documents, materials and information related to an investigation of a security breach are exempt from public disclosure, except where the Attorney General must make them available to third parties in furtherance of the investigation.

This new law, once signed, keeps Connecticut in line with other states across the country that are currently updating their data breach notification laws in light of recent large-scale data breaches and heightened public awareness. Companies in the United States should evaluate and improve their ability to prevent and respond to data breaches.

© 2021 National Law Review, Volume XI, Number 160
