While the federal government attempts to move forward with a more uniform national law, Connecticut joined California, Colorado, Utah, and Virginia in passing a comprehensive consumer privacy law.

The legislation signed by Connecticut’s governor in May 2022, will take effect on July 1, 2023. However, provisions related to a task force to be convened by the state legislature take effect immediately, and the task force is charged with studying issues including information sharing among health care providers, algorithmic decision-making, and possible legislation regarding children’s privacy.

While businesses consider how to comply with Connecticut’s new privacy law, they should also be taking into account some of the data protection laws already in effect in the state. The following is an overview of just some of the other laws to keep in mind.

Obligation to Safeguard Personal Information and SSNs

Connecticut law already obligates businesses possessing “personal information” to

safeguard the data, computer files, and documents containing the information from misuse by third parties.

See Section 42-471. The term “personal information” under this law means

information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver’s license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number.

This law also requires businesses that collect Social Security numbers (SSNs) to create and publish a policy that (i) protects the confidentiality of SSNs, (ii) prohibits unlawful disclosure of SSNs, and (iii) limit access to SSNs.

Obligation to Destroy Personal Information

The same law discussed above that requires businesses to safeguard personal information, also requires businesses to “destroy, erase or make unreadable such data, computer files and documents prior to disposal.”  For this reason, a record retention policy should address not only how long personal information (and other confidential business information) should be retained, but also a secure process for destroying it once the retention period has expired.

Data Breach Notification Law

When the safeguards contemplated above fail to prevent an unauthorized access or acquisition of computerized personal information (a “breach of security”), Connecticut’s breach notification law is triggered, which was updated and enhanced in 2021 by An Act Concerning Data Privacy Breaches.

Persons that own, license, or maintain computerized personal information and experience a breach of security involving such information may be required to notify affected Connecticut state residents. This law provides a more specific definition of personal information – an individual’s first name or initial and last name in combination with any one or more of the following:

  • Social security number;
  • driver’s license number or state identification card number;
  • financial account number in combination with any required security code, access code, password that would permit access to such financial account;
  • credit or debit card number;
  • individual taxpayer identification number;
  • identity protection personal identification number issued by the IRS;
  • passport number, military identification number, or other identification number issued by the government that is used to verify identity;
  • medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional;
  • health insurance policy number or subscriber identification number, or any unique identifier by a health insurer to identify the individual;
  • biometric information which consists of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; or
  • user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.

In general, notice must be made without unreasonable delay but not later than 60 days after the discovery of a breach, which also must include notice to the State’s Attorney General. However, if, after an appropriate investigation the business reasonably determines that the breach will not likely result in harm to the affected individuals whose personal information has been acquired or accessed, notification is not required. If notification is required, and if the breach involved a resident’s SSN or taxpayer identification number, the business shall offer the resident “appropriate identity theft prevention services” for not less than 24 months.

In the unfortunate event that a business experiences a breach of security potentially affecting Connecticut residents, it will need to carefully consider these and other provisions of the law.

The long and short of the requirements above (which also exist in many other states) is that businesses need a comprehensive written information security program, which includes robust incident response and record retention and destruction plans. If you have questions about developing a privacy and data compliance plan for Connecticut law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

The Consumer Financial Protection Bureau (CFPB) recently issued a legal Advisory in early July 2022, intending to protect the privacy rights of individuals subject to background checks by third-party consumer reporting agencies (CRAs) under the federal Fair Credit Reporting Act (FCRA).  The Advisory also seeks to remind users (e.g., employers) of their obligations under FCRA.

FCRA was initially enacted in 1970, and then significantly amended in 1996, resulting in the technical process employers must follow today when seeking and relying upon information received from a CRA.  For employers, the process starts with, whether the company has a “permissible purpose” for requesting the background check from the CRA.  The CFPB Advisory re-states a well-known FCRA principle: a permissible purpose to obtain a background check relates to credit, employment, and insurance.”  (FCRA Section 604, “Permissible purposes of consumer reports.”)

This legal advisory does not really change the “strict technical compliance” rules under FCRA for companies conducting post-offer background checks for applicants using third-party CRAs.  Nor do the technical rules change for promotions, which also typically fall under an “employment purpose.”  An employer deciding out of curiosity (with no employment purpose) to run a credit check on someone, for example, would not have a “permissible” purpose.

Because the CFPB’s mission is to protect consumer privacy, the Advisory reminds CRAs they cannot provide reports to anyone including an employer that does not have a “permissible” purpose.  The CFPB, for example, wants CRAs to use in certain instances, stronger name-matching techniques to avoid potential violations of Section 604.

To add strength to its Advisory, the CFPB reminds us there is potential criminal liability for obtaining a background check report under false pretenses or providing a background report to an unauthorized individual. There is potential civil liability under FCRA as well.

Key Takeaways for Employers

  • Employers should understand processes, practices, and agreements they have with CRA vendors given the CFPB’s advisory.
  • There are a host of other laws to consider in navigating the background checks process: from state fair credit reporting laws, credit laws, ban the box laws, criminal considerations, and more.
  • FCRA and CFPB’s advisories can impact all types of background checks by CRAs, not just “credit” checks.

Please speak with the Jackson Lewis attorney you regularly work with if you have any questions about the CFPB Advisory or background checks.

Special thanks to Sean King, a Summer Law Clerk for his assistance with this blog.

 

In response to the United States Supreme Court decision in Dobbs vs. Jackson Women’s Health Organization, President Joe Biden signed an Executive Order on Friday, July 8, 2022, designed to protect access to reproductive health care services. In addition to measures seeking to safeguard access to abortion and contraception, the Executive Order includes provisions aimed at protecting the privacy of patients and their access to accurate information, which will likely build on guidance from the Secretary of Health and Human Services issued June 29, 2022, addressing related concerns.

When individuals think about the privacy and security of their health information moving through U.S. health care system, their first stop usually is the complex set of rules under “HIPAA” – referring to the Privacy, Security and related rules under the Health Insurance Portability and Accountability Act of 1996. For nearly 20 years, the HIPAA rules applicable to most healthcare providers and health plans have worked to safeguard “protected health information” or “PHI.” During that time, a debate has raged over the effectiveness of the rules; some arguing the rules are too stringent, others arguing they are not stringent enough, and still others believing HIPAA is just right.

Of course, the protection of medical information does not begin or end with HIPAA. There is a myriad of other federal, state, and local laws that potentially impact the privacy and security of individual identifiable medical information generated in connection with the provision and payment for reproductive health care services. Here, we address the Executive Order and recent OCR guidance. However, organizations must also consider these other laws when making decisions concerning the collection, use, disclosure, retention, and security of such information.

Executive Order.

With regard to protecting the privacy of patients and their access to accurate information, the Executive Order focuses on potential threats to patient privacy caused by (i) the transfer and sale of sensitive health-related data, and (ii) digital surveillance related to reproductive healthcare services. Related measures in the Order call for efforts to protect people seeking reproductive health services from fraudulent schemes or deceptive practices. To these ends, the Order directs:

  • the Secretary of Health and Human Services (HHS) to consider actions, including additional guidance under HIPAA, to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality. The Secretary also must work with the US Attorney General to consider actions designed to educate consumers on protecting privacy and limiting the collection and sharing of their sensitive health information.
  • the Chair of the Federal Trade Commission (FTC) to consider actions, including under the Federal Trade Commission Act, to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.
  • the Secretary to consult with the FTC Chair and Attorney General on ways to address deceptive and fraudulent practices related to reproductive healthcare services, including online, and to protect access to accurate information.

It remains to be seen what steps these agencies will take in response to the Executive Order. As noted above and summarized below, the Secretary has already issued guidance concerning patient privacy following Dobbs.

OCR Guidance Regarding Patient Privacy Following Dobbs.

Prior to the President’s Executive Order, the HHS Office for Civil Rights issued post-Dobbs guidance to help protect patients seeking reproductive care. The guidance comes in the form of reminders to providers and patients:

  • Reminder to providers about disclosures to third parties. In short, this guidance reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule. It reiterates some of the HIPAA Privacy Rule’s existing restrictions on disclosures of PHI (i) when required by law, (ii) for law enforcement purposes, and (iii) to avert a serious threat to health or safety. For example, the guidance makes clear that the HIPAA Privacy Rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when such disclosure is required by another law and the disclosure complies with the requirements of the other law. Further, the guidance reminds covered entities and business associates that the permission to disclose as “required by law” requires a mandate in the law that compels disclosure which is enforceable in court, explained through the following example:

An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital workforce member suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected. (emphasis added)

The guidance includes a similar analysis when considering law enforcement requests made through legal processes such as court orders or subpoenas.

  • Reminders to patients to protect medical information when using period trackers and other health information apps. In general, PHI accessed or stored on individuals’ personal devices is not protected under the HIPAA rules. The OCR cites recent reports about patients expressing concerns that period trackers and other health information apps threaten privacy by disclosing geolocation data which may be misused by those seeking to deny care.

To help address these concerns, the guidance provides steps to limit how certain devices collect and share health and other personal information without the knowledge of the device’s owner. This includes instructions for turning off location services and best practices for selecting apps, browsers, and search engines. It also provides a list of several resources for protecting privacy when using apps and other electronic products, including from the FTC and Consumer Reports.

 

What all this means for healthcare providers, health plans, and business associates is heightened attention when handling individual identifiable health information related to reproductive health care services, including when it is permissible to disclose HIPAA protected health information, particularly without the authorization of the individual to whom it relates. Such organizations also will need to consider more stringent state law that may provide stronger protections for privacy, while health plans covered by the Employee Retirement Income Security Act will have to assess whether state laws might be preempted by ERISA. These are not easy tasks in a world with growing privacy protections, data breaches, labor shortages, and rapidly advancing technologies.

At the start of June, the California Privacy Protection Agency (CPPA), the agency tasked with implementing and enforcing the California Privacy Rights Act (CPRA) which amended the California Consumer Privacy Act (CCPA), voted to begin the rulemaking process.

On July 8, 2022, the CPPA officially began the formal rule-making process to adopt proposed regulations implementing the CPRA by releasing the notice of proposed rulemaking. The CPPA stated the proposed regulations are intended to: “(1) update existing CCPA regulations to harmonize them with CPRA amendments to the CCPA; (2) operationalize new rights and concepts introduced by the CPRA to provide clarity and specificity to implement the law; and (3) reorganize and consolidate requirements set forth in the law to make the regulations easier to follow and understand.”

The notice also indicates that the CPPA will not be promulgating rules on cybersecurity audits or automated decision-making technology at this time.

A hearing on the proposed regulations is scheduled to occur on August 24 and 25, 2022. Written comments on the proposed regulations must be submitted in advance of the public hearing on August 23, 2022. Comments can be submitted by email to regulations@cppa.ca.gov or by mail to The California Privacy Protection Agency, Attn: Brian Soublet, 2101 Arena Blvd., Sacramento, CA 95834.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

Last month, the Illinois Supreme Court heard oral argument in the closely watched case of Cothron v. White Castle System Inc., and is set to decide when claims under Sections 15(b) and 15(d) of the Illinois Biometric Information Privacy Act accrue.

The court’s forthcoming decision in Cothron is likely to have a significant impact on Illinois employers who are facing BIPA litigation, or who use, or have used, biometric technology in the workplace.

Read Full Article at Law360

Subscription may be required to view article

The federal government has been trying to reach a consensus on data privacy and thus far has failed to pass legislation. On June 3, 2022, a bipartisan draft bill, titled the American Data Privacy and Protection Act was released by the Committee on Energy and Commerce. The bill intends to provide comprehensive data privacy legislation, including the development of a uniform, national data privacy framework and robust set of consumer privacy rights.

A covered entity for purposes of the draft bill is defined as “any entity or person that collects, processes, or transfers covered data” and is subject to the Federal Trade Commission Act, is a common carrier under the Communications Act of 1934, or is an organization not organized to carry on business for their own profit or that of their members.

Per the draft, the new act would be carried out by a new bureau within the Federal Trade Commission (FTC). Interestingly, the proposed legislation would preempt similar state laws, though excludes the CCPA/CPRA in California and the BIPA and the GIPA in Illinois from that preemption.

The draft bill covers a wide swath of data consumer privacy issues from data collection to civil rights and algorithms. The following are some highlights of note:

Data Collection Requirements

The draft legislation imposes a duty on all covered entities not to unnecessarily collect or use covered data with covered data being defined broadly as “information that identifies or is linked or reasonably linkable to an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals, including derived data and unique identifiers”.  The FTC would be charged with issuing additional guidance regarding what is reasonably necessary, proportionate, and limited for purposes of collecting data.

Covered entities would have a duty to implement reasonable policies, practices, and procedures for collecting processing, and transferring covered data. Further, covered entities would be required to provide individuals with privacy policies detailing data processing, transfer, and security activities in a readily available and understandable manner. The policies would need to include contact information, the affiliates of the covered entity that it transfers covered data to, and the purposes of each category of covered data the entitled collects, processes, and transfers.

Covered entities would be prohibited from conditioning or effectively conditioning the provision or termination of services or products to individuals by having individuals waive any privacy rights established under the law.

There would be additional executive responsibility for large data holders, including requiring CEOs and privacy officers to annually certify that their company maintains reasonable internal controls and reporting structures for compliance with the statute.

Individual Rights Created

Individuals would be granted the right to access, correct, delete, and portability of, covered data that pertains to them. These are similar to many of the rights California residents have under the CCPA/CPRA.  The right of access would include obtaining covered data in a human-readable and downloadable format that individuals can understand without expertise, the names of any other entities the data was transferred to, the categories of sources used to collect any covered data and the purposes for transferring the data.

Sensitive covered data, which includes items such as an individual’s health diagnosis, financial account information, biometric information, and government identifiers such as social security information, among other items, is prohibited from data collection without the individual’s affirmative consent.

Civil Rights and Algorithms

Unsurprisingly, algorithms, which were recently addressed by the EEOC and DOJ in guidance are also addressed in this draft legislation. Under the proposed legislation, covered entities may not collect, process, or transfer data in a manner that discriminates based on race, color, religion, national origin, gender, sexual orientation, or disability. This section of the law would require those large data holders that use algorithms to assess their algorithms annually and submit annual impact assessments to the FTC.

While comprehensive national privacy legislation has previously faced difficulties being passed, Jackson Lewis will continue to track the status of this legislation as it moves through Congress. If you have questions about this proposed legislation or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

At the California Privacy Protection Agency (CPPA) Board meeting on June 8, 2022, the board voted to begin the rulemaking process. The Board previously released a 66-page draft of regulations, that are intended to implement and interpret the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). While the draft redline regulations addressed topics such as implementing “easy to understand” language for consumer CCPA requests, the draft does not address all of the 22 regulatory topics required under the CPRA. For example, the draft does not cover the opt-in/opt-out of automated decision-making technology.

The next steps are for the board to file a Notice of Proposed Rulemaking Action, commencing the formal rulemaking process. The notice will be posted on the agency’s website and published in the California Regulatory Notice Register. Once filing opens a public comment period of at least 45 days will start, during which stakeholders and interested parties can submit written comments. The CPPA will also schedule a public hearing on the regulations.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.

On June 8, 2022, the California Privacy Protection Agency (CPPA) Board, will meet to discuss and take potential action regarding a draft of its proposed regulations. The June 8th public meeting includes an agenda item where the CPPA Board will consider “possible action regarding proposed regulations … including possible notice of proposed action.”

In advance of the meeting, the CPPA posted on its website draft redline regulations for discussion purposes on the issue of revising the current regulations released by the California Attorney General (recently renumbered by the CPPA). The quietly released 66-page draft regulations, are intended to implement and interpret the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). While the draft redline regulations address topics such as implementing “easy to understand” language for consumer CCPA requests, the draft does not address all of the 22 regulatory topics required under the CPRA. For example, the draft does not cover the opt-in/opt-out of automated decision making technology.

Here are some of the highlights of the proposed draft regulations:

  • Adds a definition of “disproportionate effort” within the context of responding to a consumer requests. For example, disproportionate effort might be involved when the personal information which is the subject of the request is not in a searchable or readily-accessible format, is maintained only for legal or compliance purposes, is not sold or used for any commercial purpose, and would not impact the consumer in any material manner;
  • Adds a new section on the restrictions on the collection and use of personal information that contains illustrative examples. One example is a business that offers a mobile flashlight app. That business would need the consumer’s explicit consent to collect a consumer geolocation information because that personal information is incompatible with the context in which the personal information is collected in connection with the app;
  • Adds requirements for disclosures and communications to consumers. This includes making sure communications are reasonably accessible to consumers with disabilities whether online or offline;
  • Adds requirements for methods for submitting CCPA requests and obtaining consumer consent. A key principle here is to ensure that the process for consumers to select a more privacy-protective options should not be more difficult or longer than a less protective option. Symmetry is the goal; and
  • Makes substantial revisions to the requirements for the privacy policy that a business is required to provide to consumers detailing the business’s online and offline practices regarding collection, use, sale, sharing, and retention of personal information. This includes new provisions concerning the right to limit the use and disclosure of sensitive personal information and the right to correct personal information.

To date, the Agency has not issued a Notice of Proposed Rulemaking to start the formal rulemaking process, but the timeframe associated with the draft regulations is still unclear – especially when the CPRA requires the CPPA to finalize regulations by July 1, 2022. It is expected that the June 8th meeting will provide details on the process.

Jackson Lewis will continue to track information related to privacy regulations and related issues. For additional information on the CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group

Organizations attacked with ransomware have a bevy of decisions to make, very quickly! One of those decisions is whether to pay the ransom. Earlier this year, I had the honor of contributing to a two-part series, entitled Ransomware: To pay or not to pay? (Part 1 and Part 2). Joined by Danielle Gardiner, CPA, CFF, SVP of Lowers Forensics International, and Shiraz Saeed, VP, Cyber Risk Product Leader at Arch Insurance Group, we explored a range of considerations that organizations need to weigh when making this consequential and potentially decision under very difficult circumstances. A new law in North Carolina makes this decision a lot easier for certain public sector entities in the state – they cannot pay.

North Carolina’s Current Operations Appropriations Act of 2021 added a new article to Chapter 143 of the State’s General Statutes which now reads in part:

No State agency or local government entity shall submit payment or otherwise communicate with an entity that has engaged in a cybersecurity incident on an information technology system by encrypting data and then subsequently offering to decrypt that data in exchange for a ransom payment.

If a state agency or local government entity experiences a “ransom request” in connection with a cybersecurity incident, it must consult with the state’s Department of Information Technology. These rules apply to the following entities:

  • State agency – Any agency, department, institution, board, commission, committee, division, bureau, officer, official, or other entity of the executive, judicial, or legislative branches of State government. The term includes The University of North Carolina and any other entity for which the State has oversight responsibility.
  • Local government entity – A local political subdivision of the State, including, but not limited to, a city, a county, a local school administrative unit as defined in G.S. 115C‑5, or a community college.

Double extortion ransomware attacks raise an interesting issue under this law. These attacks are more sinister because they do not just encrypt the victim’s system and demand payment in exchange for a decryption utility. They also exfiltrate data from the victim’s systems, threatening to disclose it on the dark web unless the attacker is paid ransom in exchange for the “promise” to delete and not disclose the data.

It is unclear if the North Carolina law reaches this second extortion in double extortion ransomware attacks, but its proscription is consistent with the Federal Bureau of Investigation’s position; the FBI does not support paying a ransom in response to a ransomware attack. But when the possibility of payment is on the table, organizations need to know that simply making the payment could put them into legal jeopardy.

As stated in Ransomware: To pay or not to pay? – Part 2:

The primary basis of this legal jeopardy is that under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) U.S. persons engaging in transactions with certain listed organizations can subject those persons to significant penalties. Specifically, the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals and Blocked Persons List (SDN List), in addition to other blocked persons. A cryptocurrency transaction with one of these entities may result in the victim’s ability to retrieve access to its systems and data, but it could subject the organization to OFAC enforcement.

In its latest round of guidance on this issue, on October 1, 2020, OFAC issued the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Advisory). The Advisory makes clear that entities involved in facilitating a ransom payment may have done so in violation of OFAC regulations, subjecting them to enforcement action and fines. This risk is heightened by the difficulty of determining who is on the other side of the Bitcoin transaction.

The Advisory highlights these concerns, while also noting that certain pre- and post-breach actions could mitigate OFAC exposure. Implementing “a risk-based compliance program” pre-breach and promptly making a “complete report of a ransomware attack to law enforcement” after an attack can, according to the Advisory, mitigate enforcement.

OFAC compliance may not be the only regulatory hurdle to overcome if momentum is moving in favor of payment. In the summer of 2021, following a string of massive ransomware attacks including the Colonial Pipeline attack referred to above, four states proposed legislation that would ban ransom payments. These efforts were not successful to date, but organizations need to consider regulatory limitations on ransom payments as privacy and cybersecurity laws rapidly evolve.

Ransomware attacks can happen to any organization, large or small. It is critical that organizations not only strengthen their systems to prevent such attacks. They should also strengthen their preparedness should an attack happen. This includes thinking through ahead of time the organization’s approach to the question of whether pay or not to pay ransom.

States continue to tinker with their breach notification laws. The latest modification to the Indiana statute relates to the timing of notification. On March 18, 2022, Indiana Governor Eric Holcomb, signed HB 1351 which tightens the rules for providing timely notice to individuals affected by a data breach.

Prior to the change, the relevant section read:

a person required to make a disclosure or notification under this chapter shall make the disclosure or notification without unreasonable delay

After the change, which is effective July 1, 2022, it reads:

a person required to make a disclosure or notification under this chapter shall make the disclosure or notification without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.

As revised, the statute attempts to make clear the last date by which notification must be provided – not later than 45 days after discovery. But there remains a question about whether notification could be (or should be) provided before that 45-day period ends. After discovery of a breach, a period of delay in notification is permitted if it is reasonable. The current law describes reasonable delay, as follows:

[A] delay is reasonable if the delay is:

(1) necessary to restore the integrity of the computer system;

(2) necessary to discover the scope of the breach; or

(3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will:

(A) impede a criminal or civil investigation; or

(B) jeopardize national security.

IC 24-4.9-3-3(a).

This analysis can become significantly more complicated when residents in multiple states are affected by the breach. Although some states have a similar 45-day notification deadline (e.g., Alabama, Maryland, Ohio, and Wisconsin), other states have a shorter periods (e.g., 30 days in Florida) or a longer period (e.g., 60 days in Connecticut). Additionally, in our experience as breach counsel, covered entities with breach reporting obligations can expect heightened attention by the Indiana Attorney General’s Office to investigate perceived delays in notification. This change reflects that focus on timeliness and may become the source of greater enforcement activity in Indiana.