Senate Bill 949 is now law in Connecticut, after being signed by Governor Malloy on June 11. As we reported, this law amends the state’s current breach notification mandate to require that, for breaches of certain personal information, covered businesses must provide one year of free identity-theft protection for affected persons. So, beginning October 1, 2015, covered companies that experience a data breach affecting a Connecticut resident – one that includes the resident’s name and Social Security number (SSN) – must offer that individual free identity theft prevention services and, if applicable, identity theft mitigation services for at least one year.
Identity Theft Protection Services: Requirements and Implications
As noted, the one-year requirement to provide identity theft protection services applies only when the breach involves a Connecticut resident’s name and SSN. Also, SB 949 requires that if such services have to be provided, the notification to the resident(s) must inform the recipient(s) how to enroll in the services and how to place a credit freeze on their credit file. The law also tightens the timeframe for providing all breach notifications (not just those involving free identity theft protection services). Breach notifications must continue to be made without unreasonable delay, but effective October 1, 2015, may not be made later than ninety days after the discovery of the breach, unless a shorter time is required under federal law.
This new mandate has significant implications for companies that have breaches involving SSNs and affecting individuals in many states including Connecticut. In such cases, the companies might feel compelled to offer identity theft protection services to all affected individuals, even though it may only be required for Connecticut residents. Of course, many businesses provide similar services already, but not in all cases.
In addition, businesses should consider evaluating potential providers of these services ahead of time so they will be ready to move quickly in the event of a breach that triggers this new mandate. Although it is not as clear as the Connecticut requirement, some have read the California breach notification law to contain a similar mandate to extend one year of free identity theft protection services.
Another issue for businesses is determining the scope of services that needs to be offered. A cottage industry of credit monitoring, identity theft protection and remediation services has emerged. As with most service offerings, some companies provide more extensive and thorough services than others, at varying costs. While SB 949 contains no minimum requirements for the identity theft prevention or mitigation services it requires, companies should consider the different service providers and levels of service in the marketplace to ensure their needs will be met.
As a reminder, during the legislative process for SB 949, Connecticut’s Attorney General, George Jepsen, acknowledged that the law would only set “a floor for the duration of the protection” and his office may continue to “seek broader kinds of protection.” In particular, in cases where the breach involves more sensitive personal information, the AG stated he would continue this practice of seeking two years of identity theft prevention or mitigation services, even though the statute requires only one year.