Today, the Connecticut Attorney General’s office announced that it created an online form for data breach reporting. According to the CT AG’s office, “[t]he need for a standardized, online submission form was also motivated by recent amendments to Connecticut’s data breach notification statute.” Those amendments, which took effect on October 1, 2021, include a broadened definition of personal information and a reduced timeframe for notification and reporting from 90 days to 60 days.
The CT AG’s online data breach reporting form is broken into five parts: (1) entity information; (2) contact information; (3) breach details; (4) attachments; and (5) review. The entire form must be completed in one sitting, as there is no option to save your work. Fortunately, the CT AG’s office also offers a PDF version of the form to help filers prepare in advance for filing the report.
The online form is similar in some respects to the Department of Health and Human Services’ (HHS) online HIPAA breach reporting form. This is good news for healthcare providers, other covered entities, and business associates familiar with using HHS’s portal for breach reporting since they may also need to report HIPAA breaches to the CT AG under the expanded definition of personal information. This definition now includes “medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional” as well as health insurance policy or identification numbers. As a result of these changes, more HIPAA breaches will also trigger reporting under CT’s data breach law.
Whether filing a breach report with the CT AG’s office or HHS, the same basic guidelines for drafting a breach report apply. See my blog post on Drafting an Effective Breach Report for details.