Gov. Dannel P. Malloy is poised to sign Senate Bill 949 which will introduce even stricter data privacy and security requirements in Connecticut, as well as for any organization doing business with Connecticut residents.
The bill has been introduced to increase protection for consumers in the wake of the high volume of data breaches that have affected the state – and the country as a whole – over the past few years.
Current state law requires organizations to notify victims of an information breach “without unreasonable delay.” Some organizations, such as those covered under the Health Insurance Portability and Accountability Act (HIPAA), face stricter reporting requirements, and federal law will continue to preempt state law on healthcare data breaches.
Connecticut Residents to be Better Protected by Mandatory Data Breach Response
HIPAA requires covered entities to issue data breach notification letters to all affected individuals “without unreasonable delay,” subject to a maximum of 60 days. Other industries do not face equally strict regulations on data security and breach notification, and few demands are placed on them to report breaches. This is about to change.
Senate Bill 949 has already received senate approval, and all that remains before the bill becomes law is for Malloy to add his signature. The new bill introduces a number of changes, most notably regarding the data breach response.
Once the bill is passed, businesses will be required to issue breach notification letters to Connecticut residents within 90 days of discovering a breach involving Social Security numbers, driver’s license numbers, state ID card numbers, credit and debit card details, or security codes and passwords.
Another change makes it mandatory to offer identity-theft protection services to breach victims for a minimum of one year; there is no such requirement at present. While identity-theft protection will be required, the bill does not stipulate which services must be included. For example, an organization could decide whether to provide only credit monitoring and credit alerts, or to offer fraud remediation services as well. One year of cover is the minimum acceptable term, and certain breaches will require two years of protection.
Connecticut Attorney General George Jepsen commented on the lack of specificity: “I continue to have enforcement authority to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant.” He went on to say, “Indeed, in matters involving breaches of highly sensitive information, like Social Security numbers, my practice has been to demand two years of protections. I intend to continue that practice.”
With HIPAA placing a 2-month window on breach reporting, it is perhaps strange that a 90-day window has been allowed, but this is the maximum allowable time, not a safe harbor. The Attorney General retains flexibility to issue fines if a notification appears to have been unduly delayed, even when it is made within the new reporting window.
If the full 90-day limit is used, the organization must have a good reason for the delay. According to Jepsen, should an organization “unduly delay notifying those whose data has been compromised or my office,” penalties are likely to follow.