Connecticut: Updated data breach law

Connecticut's state law on data breaches is set for an update, bringing it more in line with modern legal standards in this regard. William J. Roberts, Partner at Day Pitney LLP, discusses the updates to Connecticut's legal framework and their impact. 

As any privacy professional knows, nothing stays the same for very long in the world of data privacy standards, expectations, and legal requirements. Back in 2005, Connecticut was among the first states in the nation to pass a consumer data breach law and has periodically updated that law to, among other things, require businesses and organisations suffering a breach to provide 24 months of credit monitoring services to affected Connecticut residents. However, despite these changes, Connecticut's data breach law has generally failed to keep pace with the rapid changes in the legal landscape, with its generous reporting time frames and narrow definition of personal information. Particularly when viewed in light of the 72-hour breach reporting requirement in the General Data Protection Regulation (Regulation (EU) 2016/679), Connecticut's 90-day outer limit for breach reporting seemed downright antiquated.

This reality was not lost on the privacy professionals in the Connecticut Attorney General's ('AG') office, who routinely lead various national data privacy enforcement actions, and the state legislature responded with key updates to the law. As discussed below in more detail, Connecticut's recent 'An Act Concerning Data Privacy Breaches' ('the Act') (signed by Governor Ned Lamont on 16 June 2021) (a) broadens the application of Connecticut's data breach law, (b) expands the definition of personal information, (c) shortens the outer limit for reporting breaches from 90 days to 60 days, (d) includes a new notice option for breaches of login credentials, and (e) includes a Health Insurance Portability and Accountability Act of 1996 ('HIPAA') exemption and a Freedom of Information Act of 1996 ('FOIA') exemption. Each of these changes will be effective 1 October 2021 and brings Connecticut law more in line with the laws of other states.

Broadened application

Apparently as an attempt to make entities that hold or possess the personal information of Connecticut residents, but which do not conduct business in the state (e.g. own property, file taxes), subject to Connecticut's data breach reporting laws, the Act removes the qualifier that the breach reporting obligations apply only to a business or organisation that 'conducts business in' Connecticut. While it is highly likely that questions regarding extraterritorial scope will be raised, this revision plainly means that the AG wants to know about your data breach - even if you have never had any dealings in the state or never set foot in it.

Expanding the definition of personal information

Under current Connecticut data breach law, 'personal information' is defined as 'an individual's first name or first initial and last name in combination with any one, or more, of the following data: (A) Social Security number; (B) driver's license number or state identification card number; (C) credit or debit card number; or (D) financial account number in combination with any required security code, access code or password that would permit access to such financial account.' As is usually the case, Connecticut's definition of 'personal information' exempts 'publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.' While in many ways groundbreaking when this law was first passed, Connecticut's definition has quickly become among the nation's most narrow and limited.

Taking a cue from other states that have breach reporting obligations applicable to a wide range of data categories, Connecticut's definition of 'personal information' will soon include the following additional categories of information:

  • taxpayer identification number;
  • identity protection personal identification number issued by the Internal Revenue Service;
  • passport number;
  • military identification number;
  • other identification number issued by the government that is commonly used to verify identity;
  • medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  • health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual;
  • biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina, or iris image; and
  • user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Shortening the time period for reporting breaches

As noted above, current Connecticut breach law requires a business or organisation suffering a breach to report the breach 'without unreasonable delay but not later than ninety days after the discovery of such breach.' The Act makes three important changes to this requirement:

  • shortens the outer limit for the reporting of breaches from 90 days to 60 days;
  • removes, to the relief of both businesses and law enforcement, the requirement to consult with law enforcement when determining that no notice is required because the breach will not likely result in harm to the individuals whose personal information has been acquired or accessed; and
  • requires businesses and organisations subject to the breach to 'proceed in good faith' to notify additional residents whose personal information was breached, or reasonably believed to have been breached, 'as expediently as possible' following the initial 60 days after discovery of the breach (i.e. the law imposes a duty upon businesses and organisations to continue the breach investigation and notification process beyond the 60 days following the discovery of the breach, as necessary).

Special method of breach notification for login credential breaches

Under current law, Connecticut provides that a business or organisation suffering a reportable data breach must notify affected Connecticut residents using one of four methods: (1) written notice; (2) telephone notice; (3) electronic notice; or (4) substitute notice, if the business or organisation can demonstrate that: (a) the cost of providing notice in accordance with (1) through (3) above would exceed $250,000, (b) more than 500,000 persons need to be notified, or (c) the business or organisation does not have sufficient contact information. The Act adds a fifth, limited option to this list.

With respect to a breach of login credentials, notice to a resident may be provided in electronic or other form that directs the resident to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same user name or email address and password or security question and answer. However, if the business or organisation suffering the breach furnishes an email account, the business or organisation may not use this new notice option by providing notification to the email account that was breached or reasonably believed to have been breached if the business or organisation cannot reasonably verify the affected resident's receipt of such notification. In such case, the business or organisation must provide notice by another method described above or by a clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the business or organisation knows the resident customarily accesses the account. Presumably, this alternative notice may take the form of a 'pop-up,' a banner, or a prominent item on a website.

HIPAA exemption

Complying with potentially dozens of federal, state, and international data breach reporting laws for a single incident can be difficult for even the most prepared business, and like in many states, Connecticut seeks to reduce this burden somewhat by including a limited exemption for those entities that are subject to HIPAA and which report a breach in compliance with HIPAA. Note though, that in order to qualify for this exemption, a business required to provide notice pursuant to HIPAA's Breach Notification Rule must also provide notice to the AG 'not later than the time when notice is provided to such residents if notification to the AG would otherwise be required' by Connecticut law and provide identity theft prevention and mitigation services as required by Connecticut law (if applicable).

FOIA exemption

It has long been a concern of data privacy attorneys, cybersecurity experts, and business leaders that responding to information requests from state attorneys general and other data privacy regulators may expose a business or organisation to data security risks. Simply put, the more cybersecurity information a regulator requests, and the more cybersecurity information a business produces in response to such requests, the greater the likelihood that such confidential and sensitive information would end up in the wrong hands (either through a breach suffered by the requesting government agency or through FOIA requests), thereby amplifying a business's or organisation's cyber risk exposure. While this law does not help us sleep better regarding the implications of a government regulator being breached, it does include a very welcome explicit exemption for FOIA disclosures.

Pursuant to the Act, '[a]ll documents, materials and information provided in response to an investigative demand issued pursuant to' Connecticut's data breach law in connection with a data breach investigation 'shall be exempt from public disclosure under' Connecticut's state Freedom of Information Act. However, while this is certainly welcome news to the data privacy and cybersecurity communities, the AG retains the right to 'make such documents, materials or information available to third parties in furtherance of such investigation' and it remains uncertain if the FOIA exemption would stay with the documents and materials upon disclosure or if protections from FOIA will be broken upon receipt by another government agency.

Closing thoughts

The changes made to Connecticut's breach law, for the most part, bring Connecticut more into the national mainstream for breach reporting. And other changes, particularly the exemptions, will hopefully make the law more business-friendly. Businesses and organisations should take the following steps to ensure compliance:

  • update breach response plans and protocols with the new 60-day time period requirement;
  • consider if the new login credential breach method will affect your business or organisation and plan for how you would implement such a notice process; and
  • for entities located outside of Connecticut which do not do business in the state, re-examine whether you will now need to report breaches to Connecticut residents and the AG.

William J. Roberts, Partner
Day Pitney LLP, Hartford