Security Breach Requirements in the State of Connecticut
January 28, 2022
Conn. Gen Stat. §§ 36a-701b, 4e-70 is a data breach notification law that was passed in the U.S. state of Connecticut in 2012. The law lays out the legal guidelines that agencies, businesses, and organizations within Connecticut are required to follow when they are involved in a data breach or security incident that leads to the unauthorized access or disclosure of personal information relating to residents of the state. The law also establishes the sanctions and penalties that may be imposed against those who fail to abide by its provisions.
How are security breaches defined under Conn. Gen Stat. §§ 36a-701b, 4e-70?
Under Conn. Gen Stat. §§ 36a-701b, 4e-70, a security breach is defined as the “unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.” As for the scope and application of the law, the provisions of Conn. Gen Stat. §§ 36a-701b, 4e-70 apply “to any individual or business that acquires, owns, licenses, or maintains covered information. Non-commercial entities may be subject to different requirements, and some entities may be exempt from some or all of the requirements.”
What are the requirements of covered entities under Conn. Gen Stat. §§ 36a-701b, 4e-70?
Conn. Gen Stat. §§ 36a-701b, 4e-70 mandates that businesses and organizations within the state of Connecticut provide individuals with data breach notices in the event that said entities experience a security breach during the course of their operations. More specifically, these data breach notices must be provided to individuals as soon as possible and without undue delay, and must also detail the categories of personal information that were compromised as a result of the breach, among other things. Moreover, the law also obliges covered entities to provide “appropriate identity theft prevention and mitigation services at no charge for 12 months or more if Social Security numbers were breached”, as well as information detailing the steps individuals can take to place a freeze on their credit files.
What’s more, covered entities are also responsible for providing a breach notice to the Connecticut Attorney General when they experience a security breach, no later than the time at which citizens of the state are notified of the breach. As for the methods that covered entities are permitted to use when sending data breach notices, the law mandates that all data breach notices be written, made via telephone, or made electronically in a manner consistent with E-sign. Third parties that engage in business with covered entities within the state of Connecticut are also required to adhere to this security breach protocol.
What categories of personal information are covered under Conn. Gen Stat. §§ 36a-701b, 4e-70?
Under Conn. Gen Stat. §§ 36a-701b, 4e-70, the following categories of personal information are covered when they appear in connection with the first and last name or first initial and last name of a resident of the state of Connecticut:
- Social security numbers.
- Driver’s license numbers and state identification card numbers.
- Financial accounts.
- Credit and debit card numbers, as well as any security or access codes that are needed to access such accounts.
In terms of the penalties that covered entities stand to face should they violate any provisions of the law, Conn. Gen Stat. §§ 36a-701b, 4e-70 is enforced by the Connecticut Attorney General. As such, the Connecticut Attorney General has the authority to impose civil penalties against covered entities that are found to be in violation of the law. Additionally, violations of Conn. Gen Stat. §§ 36a-701b, 4e-70 are also “considered an unfair trade practice under 42-110b.” In contrast to many other data breach notification laws that have been passed in the U.S., Conn. Gen Stat. §§ 36a-701b, 4e-70 does not provide citizens of the state of Connecticut with a private right of action for violations of the law.
Through the passing of Conn. Gen Stat. §§ 36a-701b, 4e-70, citizens of the state of Connecticut were provided with legal protection in the event that their personal information is improperly accessed or disclosed as a result of a data breach. Although the provisions of the law are relatively mild when compared to those of other states, the law does ensure that residents within Connecticut have the means to seek justice in the event that their personal information is involved in a data breach, particularly if said involvement leads to adverse consequences for the individuals concerned.