Connecticut Makes Significant Changes to its Data Breach Statute

Written in collaboration with Nathaly Tamayo, JD.

Late in the legislative session, both the Connecticut House and Senate passed House Bill 5310 (now Public Act 21-59), An Act Concerning Data Privacy Breaches, which substantially amends Connecticut’s data breach notification statute (CGS §36a-701b). The statute imposes reporting and notification obligations when there is a security breach of unprotected electronic files that contain personal information. Although the bill implemented a number of revisions, the most notable changes significantly expand the definition of personal information and shorten the notification timeframe. The bill is awaiting the Governor’s signature (update: the Governor signed hours after this was posted).

The following is a brief summary of the changes, which take effect on October 1, 2021:

  • The definition of personal information is vastly expanded to include medical information, a wide variety of government IDs, health insurance policy or identification numbers, biometric data, and online account information (a username and password, or a security question and answer, that would permit access). This modification will dramatically increase the number of breaches subject to notification requirements.
  • The timeframe by which entities must notify the affected individuals and the Office of the Attorney General of a security breach was reduced from ninety (90) days to sixty (60) days. This is still longer than the reporting timeframes in other states and is comparable to current HIPAA notification timeframes.
  • The “conducting business in the state” requirement was removed, extending notification and reporting obligations to anyone who owns, licenses, or maintains computerized data that includes personal information, regardless of whether they do business in Connecticut. Since doing business in this state is no longer an applicability criterion, out-of-state businesses must be mindful of this change.
  • The confusing “consultation with law enforcement” language, which was part of the no-likelihood-of-harm carve-out, was removed. The statute does not require notification if it is reasonably determined that the breach will not likely harm the individuals affected. However, the statutory language made it seem as if law enforcement must have been involved in that determination. It read: “[s]uch notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement …”. Since law enforcement is not actively involved in assessing data breach situations, this language did not make sense. It’s good to see it go.
  • Taxpayer identification number was added alongside Social Security number as a type of compromised information requiring two (2) years of identity theft prevention services.
  • Investigative documents prepared in connection with an investigation of a security breach are exempted from public disclosure under Connecticut’s Freedom of Information Act.
  • There are now special notification rules for breaches involving compromised login credentials and to email providers.
  • An entity subject to HIPAA that provides notice of a HIPAA breach to a Connecticut resident is deemed to be in compliance with the data breach statute if it also notifies the state Attorney General when the resident is notified and provides identity theft protection services if a Social Security or taxpayer identification number is involved.

Prior to October 1, 2021, organizations should examine closely the expanded definition of personal information. If an organization collects any of the listed data, it should develop policies to ensure that data breaches are handled in accordance with the new rules. Due to the time-sensitive nature of the notification requirement, organizations need to know exactly what to do when a breach occurs. And these days, everyone should anticipate a data breach.