Connecticut - Sectoral Privacy Overview

May 2022

1. RIGHT TO PRIVACY/CONSTITUTIONAL PROTECTION

There is no constitutional protection or right to privacy specific to Connecticut outside of the key privacy laws mentioned below.

2. KEY PRIVACY LAWS

The key privacy laws include:

Additional Sections provide specific rules for state contractors and insurance companies:

Scope of Application and Key Definitions

Data Breach Law

Under the Data Breach Law, electronic personal information is protected. Personal information is defined as an individual's first name or first initial and last name in combination with one or more of the following data elements:

  • social security number;
  • driver's license number or state identification card number;
  • account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
  • individual taxpayer identification numbers, such as social security numbers, or identity protection personal identification numbers issued by the Internal Revenue Service ('IRS');
  • passport numbers, military identification numbers, or other identification numbers used by the government to verify an individual's identity;
  • medical information regarding an individual's medical history, including their mental or physical condition, treatment, or diagnoses;
  • health insurance policy information, including policy numbers, subscriber identification numbers, and any other unique identifiers issued by the insurer;
  • biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain an individual's identity, such as fingerprints, voiceprints, and retina or iris images; and
  • usernames or email addresses combined with a password or security question and answer that would permit access to an online account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records, or widely distributed media.

Under the same statute, a breach of security is defined as unauthorised access to, or unauthorised acquisition of, electronic files, media, databases, or computerised data containing personal information, where access to that personal information has not been secured by encryption or by any other method or technology that renders it unreadable or unusable.

In the event of a breach of security, notification must be made to the Connecticut Attorney General ('AG') and to the affected resident(s) without unreasonable delay and in no event later than 60 days after discovery. If additional residents whose personal information was breached, or is reasonably believed to have been breached, are identified after that 60-day period, they must be notified as expediently as possible. Notification is not required if, after an appropriate investigation, the entity reasonably determines that the breach of security is unlikely to result in harm to the affected individuals.

However, the 60-day limit gives way to any shorter period required under federal law, such as the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') or the Health Information Technology for Economic and Clinical Health Act ('HITECH'). Entities that are required to comply with HIPAA and HITECH notification requirements must nonetheless notify the AG and provide affected individuals with appropriate identity theft prevention services, in accordance with the statutory requirements.

If a breach of security involves social security or tax identification numbers, the business must provide each affected individual with at least 24 months of identity theft prevention services and mitigation services at no cost to the affected individual. The business must also provide the individual with all necessary information required for the individual to enroll in the offered services as well as how to place a credit freeze on their affected file.

If a breach of security involves an individual's username or email address, in combination with a password or security question and answer that would permit access to an online account, the business must direct the individual to promptly change any password or security question and answer. The business should also direct the individual to take other appropriate steps to protect the affected online account and any other online accounts in which the individual uses the same username, email address, password or security question and answer.

Personal Information Safeguarding Law

Under the Personal Information Safeguarding Law, paper or electronic personal information is protected. Personal information under this statute is defined slightly differently than in the Data Breach Law. Personal information is defined as 'information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a social security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number, a health insurance identification number or any military identification information, and does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.'

Social security numbers are protected by the Social Security Number Law.

Insurance Data Security Law

Under the Insurance Data Security Law, non-public information is protected. Non-public information is information that is not publicly available and that falls into one of three categories: business-related information of a licensee the tampering with, or unauthorised disclosure, access, or use of, which would have a material adverse impact on the business, operations, or security of the licensee; information that can be used to identify a consumer in combination with data elements such as a social security number, driver's license or non-driver identification card number, account or payment card number, a code or password permitting access to a financial account, or biometric records; and information, other than age or gender, relating to a consumer's physical, mental, or behavioural health, the provision of health care, or payment for health care.

Who Must Comply?

Data Breach Law

Under the Data Breach Law, any person who conducts business in the state of Connecticut, and who, in the ordinary course of such person's business, owns, licenses, or maintains computerised data, that includes personal information, must comply with the obligations outlined in the Data Breach Law. However, entities that are subject to and in compliance with the privacy and security standards under HIPAA and HITECH may be exempt from particular provisions.

Personal Information Safeguarding Law

Under the Personal Information Safeguarding Law, any person who possesses personal information must safeguard any data, computer files, and documents containing personal information from being misused by third parties. The person in possession of personal information is required to destroy, erase, or make any data unreadable prior to disposing of data, computer files, and documents. Additionally, any person who collects social security numbers in the course of business is subject to the Personal Information Safeguarding Law.

Insurance Data Security Law

Under the Insurance Data Security Law, any person who is licensed, authorised to operate or registered, or required to be, under Connecticut insurance laws, must develop, implement, and maintain a comprehensive written information security program ('ISP'). Businesses such as domestic insurers, health care centers, and any others that are licensed by the Connecticut Insurance Department must comply. Specifically, licensees must have an ISP in place based on a risk assessment that contains safeguards for protection of non-public information and must utilise an information system that can adequately handle the size and complexity of their activities.

Lastly, businesses with state contracts also need to be aware of contractual provisions as well as the requirement to have a comprehensive data security program under the State Contractors Law, and the Confidential Information Sharing Law.

Enforcement

The Privacy and Data Security Department of the AG enforces the state laws governing notification of data breaches, safeguarding of personal information, and protection of social security numbers and other sensitive information. This department is also responsible for enforcement of federal laws under which the AG has enforcement authority, including HIPAA, the Children's Online Privacy Protection Act of 1998 ('COPPA'), and the Fair Credit Reporting Act of 1970 ('FCRA'). The department can investigate data breaches and bring claims under the Connecticut Unfair Trade Practices Act ('CUTPA'), under Chapter 735a of Title 42 of the Conn. Gen. Stat., or seek settlements with offending parties. There are separate penalties for violations of the Social Security Number Law and the Personal Information Safeguarding Law.

3. HEALTH DATA

Connecticut has, in its evidentiary rules, in Chapter 889 of Title 52 of the Conn. Gen. Stat., a series of laws that protect communications and records disclosed between a patient and their mental health provider. Depending on the provider type (e.g. psychiatrist, physician, psychologist, social worker, marital and family therapist, etc.), these statutes differ slightly in how each defines terms like 'communication' and 'record', as well as the circumstances where the patient's consent is not required prior to disclosure of such communications and records. While these statutes are in the evidentiary rules, health care providers in Connecticut afford greater protection to mental health records due to these laws, as the protections offered in the statutes are stricter than HIPAA. However, if violated, it is unclear how Connecticut would enforce these laws outside of permitting or excluding evidence in a case. 

§20-7c of Chapter 369 of Title 20 of the Conn. Gen. Stat. governs patients' right to access their health record, and provides limited exceptions for a provider to withhold information from the health record if a provider determines that the information would be detrimental to the physical or mental health of the patient, or is likely to cause the patient to harm themselves or another individual.

There are also Connecticut laws that allow minors to consent to certain medical treatment, and to keep such medical treatment confidential, subject to certain restrictions.

§19a-550 of Chapter 368v of Title 19a of the Conn. Gen. Stat. is the patients' bill of rights for those individuals who are patients of a nursing home, residential care home, or chronic disease hospital. This statute assures confidential treatment of personal and medical records and certain rights regarding the release of records to individuals outside of the facility.

4. FINANCIAL DATA

The key law governing financial privacy in Connecticut is the Banking Law of Connecticut under Title 36a of the Conn. Gen. Stat. ('the Banking Law').

Key Definitions

§36a-41 of the Banking Law defines a financial institution as a bank, Connecticut credit union, federal credit union, an out-of-state bank that maintains a branch in Connecticut, and an out-of-state credit union that maintains an office in Connecticut.

Financial records are defined as any original or any copy, whether physically or electronically retained, of (§36a-41 of the Banking Law):

  • a document providing signature authority over a deposit account or a share account with a financial institution;
  • a statement, ledger card, or other record on any deposit account or share account with a financial institution showing each transaction in or with respect to that account;
  • any check, draft, or money order drawn on a financial institution or issued and payable by such an institution; or
  • any item, other than an institutional or periodic charge, made pursuant to any agreement between a financial institution and a customer which constitutes a debit or credit to that person's account with that financial institution, if the item does not consist of a check, draft, or money order payable by the financial institution.

Financial Institution Requirements

Connecticut law requires financial institutions (banks, state and federal credit unions, out-of-state banks, trusts, and credit unions that have a branch or office in Connecticut, Connecticut banking law licensees, and any other entity subject to the Banking Commissioner's jurisdiction) to comply with the customer privacy and non-public information protection provisions of the Gramm-Leach-Bliley Act of 1999, under §36a-44a of the Banking Law on customer protections.

§36a-42 of the Banking Law prohibits financial institutions from disclosing customer financial records without the customer's authorisation and enumerates eight exceptions to that prohibition. §36a-43 of the Banking Law sets out the requirements for disclosing financial records pursuant to lawful authority, and §36a-44 of the Banking Law sets forth 18 additional exceptions regarding the confidential treatment of customer records.

Lastly, banking and account information are part of the definition of personal information in the Data Breach Law.

Violations

Known and wilful violations of the abovementioned statutes constitute a Class C misdemeanour.

Under §53a-36 of Chapter 952 of Title 53a of the Conn. Gen. Stat., a Class C misdemeanour is punishable by a term of imprisonment not exceeding three months, and under §53a-42 of the same Chapter by a fine not exceeding $500.

5. EMPLOYMENT DATA

Key Laws

Under §31-40x(b) of Chapter 557 of Title 31 of the Conn. Gen. Stat., employers may not:

  • request or require that an applicant or employee give an employer their username and password, password, or any other means of authentication to access a personal online account;
  • request or require that an applicant or employee access or authenticate a personal online account in the employer's presence; or
  • require an applicant or employee to invite the employer or accept an invitation from the employer to join a group affiliated with any of the applicant's or employee's personal online accounts.

An employer may not retaliate against an applicant or employee because they refuse any of the above prohibited requests, or because they file or cause to be filed any complaint with a court concerning the employer's violation of this statute.

There are exceptions to these prohibitions:

  • an employer is not precluded from complying with applicable law;
  • an employer is not prohibited from conducting an investigation to ensure compliance with applicable law or prohibitions against work-related conduct when it receives specific information about activity on an employee's or applicant's personal online account;
  • an employer may conduct an investigation accessing a personal online account about an employee's or applicant's unauthorised transfer of such employer's proprietary information, confidential information, or financial data to or from a personal online account operated by an employee, applicant, or other source; and
  • monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device paid for, in whole or in part, by an employer, or traveling through or stored on an employer's network, in compliance with state and federal law.

Any employer conducting an investigation pursuant to this statute may require an employee or applicant to allow the employer to access their personal online account for the purpose of conducting such investigation, provided the employer shall not require such employee or applicant to disclose the username and password, password, or other authentication means for accessing such personal online account.

Under Conn. Gen. Stat. §31-40x(a)(5), a 'personal online account' is defined as any online account that is used by an employee or applicant exclusively for personal purposes and unrelated to any business purpose of such employee's or applicant's employer or prospective employer, including, but not limited to, electronic mail, social media, and retail-based internet websites. A personal online account does not include any account created, maintained, used, or accessed by an employee or applicant for a business purpose of such employee's or applicant's employer or prospective employer.

Under §31-48d(a)(3) of Chapter 557 of Title 31 of Conn. Gen. Stat., 'electronic monitoring' is defined as the collection of information on an employer's premises concerning employees' activities or communications by any means other than direct observation, including the use of a computer, telephone, wire, radio, camera, electromagnetic, photoelectronic or photo-optical systems. However, it does not include the collection of information for security purposes in common areas of the employer's premises which are held out for use by the public, or which is prohibited under state or federal law.

Enforcement

The Connecticut Labor Commissioner ('the Labor Commissioner') may investigate violations of Conn. Gen. Stat. §31-40x. If the Labor Commissioner finds that an employee has been aggrieved by an employer's violation of this statute, the Labor Commissioner may impose on the employer a civil penalty of up to $500 for the first violation and $1000 for each subsequent violation, and may award the employee all appropriate relief including rehiring or reinstatement to their previous job, payment of back wages, reestablishment of employee benefits, or any other remedies that the Labor Commissioner may deem appropriate. If the Labor Commissioner finds that an applicant has been aggrieved by an employer’s violation of this statute, the Labor Commissioner may impose on the employer a civil penalty up to $25 for the first violation and $500 for each subsequent violation. There is no private right of action.

Pursuant to Conn. Gen. Stat. §31-48d, employers must provide written notice to employees before engaging in electronic monitoring. The notice must inform employees of any type of monitoring the employer may utilise. Employers must also post in a conspicuous place a notice detailing such information. The posting can constitute prior notice.

When an employer has reasonable grounds to believe that employees are engaged in conduct which violates the law, the legal rights of the employer, or the legal rights of other employees, or creates a hostile workplace environment, and that electronic monitoring may produce evidence of this misconduct, the employer may conduct monitoring without giving prior written notice.

The Labor Commissioner can impose civil penalties under Conn. Gen. Stat. §31-48d. The maximum civil penalty is $500 for the first offense, $1000 for the second offense, and $3000 for the third and each subsequent offense. There is no private right of action.

6. ONLINE PRIVACY

There is no specific law in Connecticut regarding online privacy and behavioural advertising.

Moreover, there is no specific Connecticut law regarding online privacy and online behavioural advertising involving children's data, but the Privacy and Data Security Department of the AG has enforcement authority over COPPA.

7. UNSOLICITED COMMERCIAL COMMUNICATIONS

§52-570c of Chapter 925 of Title 52 of the Conn. Gen. Stat. prohibits unsolicited advertising material by email unless there is an unsubscribe option and the subject line of the message begins with the letters 'ADV.' This applies to all for-profit businesses if the business does not have an established business relationship with the recipient. 

Any individual aggrieved by a violation of the statute can, within two years of the violation, bring a civil action in Superior Court to enjoin further violations and for $500 per violation with each unsolicited email consisting of a violation, together with costs and a reasonable attorney's fee.

8. PRIVACY POLICIES

There are no specific Connecticut laws regarding privacy policies.

9. DATA DISPOSAL/CYBERSECURITY/DATA SECURITY

Under Public Act No. 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses ('the Safe Harbor Law'), state courts may not assess punitive damages in data breach litigation where the defendant 'created, maintained, and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework'. The cybersecurity program must also be designed to protect:

  • the confidentiality and security of personal and restricted information;
  • against threats or hazards to the security or integrity of such information; and
  • against unauthorised access to and acquisition of information that would result in a material risk of identity theft or other fraud to the individual.

Whether a cybersecurity program is acceptable is judged by reference to factors including the covered entity's:

  • size and complexity;
  • nature and scope of activities;
  • sensitivity of the information to be protected; and
  • cost and availability of tools to improve information security and reduce risks.

The law applies to 'covered entities' which are defined as any business that 'accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside [the] state'. 

'Personal information' follows the same definition as used under the Data Breach Law. However, it is important to note that 'restricted information' is separately defined as 'any information about an individual, other than personal information or publicly available information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is reasonably linked or linkable to an individual, if the information is not encrypted, redacted or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.'

Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring, was introduced on 9 February 2022 and signed into law on 10 May 2022. The Act establishes a framework for controlling and processing personal data, as well as responsibilities and privacy protection standards for data controllers and processors. The Act further grants consumers the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the processing of personal data for the purposes of:

  • targeted advertising;
  • certain sales of personal data; or
  • profiling in furtherance of decisions that produce legal or similarly significant effects that concern consumers.

The Act will become effective as of 1 July 2023.

10. OTHER SPECIFIC JURISDICTIONAL REQUIREMENTS

Not applicable.