UPDATE: On June 16, Gov. Ned Lamont signed HB 3510 into law which becomes effective October 1, 2021.
State legislatures across the nation are prioritizing privacy and security matters, and Connecticut is no exception. This week, Connecticut Attorney General William Tong announced the passage of An Act Concerning Data Privacy Breaches, a measure that will enhance and strengthen Connecticut’s data breach notification law. The Connecticut House of Representatives unanimously approved the bill on May 27th, and Senate followed with unanimous approval shortly after. The bill now heads to Governor Ned Lamont for signage.
Connecticut has led the nation in data privacy for over a decade, and this legislation ensures that we will continue to do so. Since we passed one of our nation’s first laws protecting consumers from online data breaches, technology and risks have evolved. This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents,
Attorney General Tong observed in his announcement of the data breach notification bill.
Key aspects of Connecticut’s enhanced data breach notification law include:
- Expansion of the definition of “personal information.
Originally, Connecticut defined “personal information” as an individual’s first name or first initial and last name in combination with any one, or more, of the following data:
- Social security number
- Driver’s license number
- State identification card number
- Credit or debit card number
- Financial account number in combination with any required security code, access code, or password that would permit access to such financial account.
The new law if enacted will look more like similar laws in California and Florida by including additional data categories:
- Individual taxpayer identification number
- Identity protection personal identification number issued by the IRS
- Passport number, military identification number or other identification number issued by the government that is used to verify identity
- Medical information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a healthcare professional
- Health insurance policy number or subscriber identification number, or any unique identifier by a health insurer to identify the individual
- Biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; and
- User name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
- Notification Time and Content.
The new law would shorten the time a business has to notify affected Connecticut residents and the Office of the Attorney General of a data breach time from 90 days to 60 days. Remember, as with most other breach notification mandates, the timing requirement is “without unreasonable delay but not later than 60 days” in this case. In addition, if identification of a resident of the state whose personal information was breached or reasonably believed to have been breached will not be completed within 60 days, the business must provide preliminary substitute notice as outlined by the law, and proceed in good faith to work to identify affected residents and provide direct notice as expediently as possible. Incident response plans would need to be reviewed to ensure this requirement is incorporated.
- Breach of Login Credential.
The new law would add a section addressing unique notification requirements in the case of a breach of login credentials. In such a case, notice to an affected resident may be provided in electronic or other form that directs the resident to promptly change any password or security questions and answers, or to take other appropriate steps to protect the affected online account, or any account with the same login credentials.
- HIPAA and HITECH Act Exception.
Any person subject to and in compliance with HIPAA and/or the HITECH Act privacy and security obligations is deemed in compliance of the new law with a couple of critical exceptions. First, as under New York’s SHIELD Act, a person subject to HIPAA or HITECH that is required to notify Connecticut residents of a data breach under HITECH still must notify Connecticut’s Attorney General at the same time residents are notified. Second, if the person would have been required to provide identity theft prevention and/or mitigation services under Connecticut law, which is for a period of 24 months, that requirement remains.
- Investigation Materials.
Under the new law, documents, material and information connected to the investigation of a breach of security would be exempt from public disclosure, unless required to be made available to third parties by the Attorney General in furtherance of the investigation.
This new law, if signed keeps Connecticut in line with other states across the nation currently enhancing their data breach notification laws in light of recent large-scale data breaches and heightened public awareness. Organizations across the United States should be evaluating and enhancing their data breach prevention and response capabilities.
Below are several resources for understanding current trends in the state data breach notification law landscape:
- Michigan Considers Enhanced Data Breach Notification Law
- Vermont Updates its Data Breach Notification Law
- Washington D.C. Significantly Overhauls its Data Breach Notification Law
- Maryland Again Amends its Data Breach Notification Law
- California Updates its Data Breach Notification Law
- Illinois Enhances Its Data Breach Notification Requirements