Connecticut Attorney General George Jepsen announced on September 14, 2011, the creation of a Privacy Task Force to help educate the public about data protection requirements and to focus his Office’s response to Internet privacy concerns and data breaches that affect consumers. According to Attorney General Jepsen’s press release, “Internet and data privacy have been among the biggest issues affecting the broad public interest during my first eight months in office” and nearly a dozen investigations have been initiated or pursued regarding security breaches that resulted in the loss of medical and insurance records or personal customer information.
Like nearly all states across the country, Connecticut has a data breach notification law. The State’s Insurance Commissioner has also adopted rules concerning data breach notification requirements for its licensees. Among other laws, the Nutmeg state has also enacted specific protections for Social Security Numbers, employment applications, and personal information, which includes:
information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.
The Task Force will be responsible for all investigations of consumer privacy breaches, which we are assuming will apply to breaches of any personal information for which notification is required, including patients and employees. The Task Force will also help to educate the public and business community about their responsibilities, which include protecting personally sensitive data and promptly notifying affected individuals when breaches do occur.
Clearly a sign of increased attention to and enforcement of the state’s data security and consumer protection mandates, Connecticut businesses and businesses maintaining personal information of Connecticut residents should revisit their information security programs and data breach response plans to ensure they could withstand the scrutiny of an inquiry by the Attorney General’s office.