Connecticut Legislature Enhances Data Breach Notification Law

The Connecticut legislature has enhanced its data breach notification law, expanding the definition of personal information and shortening the maximum time frame for issuing breach notifications. The new law brings the data breach notification requirements in the state of Connecticut in line with those of other states that have recently updated their own privacy and security laws. The new data breach notification law was unanimously passed by the House of Representatives and the Senate and now awaits state Governor Ned Lamont’s signature.

“Connecticut has led the nation in data privacy for over a decade, and this legislation ensures that we will continue to do so. Since we passed one of our nation’s first laws protecting consumers from online data breaches, technology and risks have evolved,” said Attorney General William Tong. “This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents.”

Previously, notification letters were only required for breaches of an individual’s first name or initial and last name in combination with either a state ID card number, driver’s license number, Social Security number, credit or debit card number, or a financial account number with codes or passwords that would allow the account to be accessed.

The definition of personal data has now been expanded to also include the following data elements:

  • Taxpayer identification number
  • IRS Identity protection personal identification number
  • Passport number
  • Military identification number
  • Other government-issued identification number used for identity verification
  • Medical information: Medical history, mental or physical health condition, diagnoses, and treatment information
  • Health insurance policy/subscriber number
  • Biometric information used to authenticate an individual’s identity: e.g., fingerprints, voice print, retina or iris image
  • Username or electronic mail address if combined with a password or security question and answer that allows the account to be accessed

Previously, businesses experiencing a breach of personal data were required to send notifications to affected Connecticut residents and the state Attorney General within 90 days of the discovery of a breach. That time frame has now been shortened to 60 days, but notifications should be issued without unreasonable delay. If it is not reasonably believed that it will be possible to identify affected individuals and obtain contact information within 60 days, a substitute breach notice is required.

In the event of a breach of login credentials that allows an account to be accessed, electronic or other forms of notifications must be issued that direct affected individuals to change their password or security questions and answers, or take other steps to protect the affected account.

All entities required to comply with the Health Insurance Portability and Accountability Act (HIPAA) or the HITECH Act are deemed to be in compliance with the new data breach notification law if they are compliant with the requirements of those acts.

Any documents or materials collected in connection with the investigation of a security breach are exempt from public disclosure, although they can be made available to third parties at the discretion of the Attorney General in connection with the furtherance of an investigation.

The amendments to the data breach notification law in Connecticut will take effect on October 1, 2021, if the bill is signed by the state governor.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.