Security Breach Requirements in the State of Connecticut

January 28, 2022 | 4 minutes read
Security Breach Requirements in the State of Connecticut

Conn. Gen Stat. §§ 36a-701b, 4e-70 is a data breach notification law that was passed in the U.S. state of Connecticut in 2012. Conn. Gen Stat. §§ 36a-701b, 4e-70 lays out the legal guidelines that agencies, businesses, and organizations within Connecticut are required to follow in the event that such entities are involved in a data breach or security incident that leads to the unauthorized access or disclosure of personal information relating to residents of the state. Furthermore, the law also establishes the various sanctions and penalties that may be imposed against those who fail to abide by the various provisions that are set forth in Conn. Gen Stat. §§ 36a-701b, 4e-70.

How are security breaches defined under Conn. Gen Stat. §§ 36a-701b, 4e-70?

Under Conn. Gen Stat. §§ 36a-701b, 4e-70, a security breach is defined as the “unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.” Alternatively, as it pertains to the scope and application of the law, the provisions of Conn. Gen Stat. §§ 36a-701b, 4e-70 are applicable to “to any individual or business that acquires, owns, licenses, or maintains covered information. Non-commercial entities may be subject to different requirements, and some entities may be exempt from some or all of the requirements.”

What are the requirements of covered entities under Conn. Gen Stat. §§ 36a-701b, 4e-70?

Conn. Gen Stat. §§ 36a-701b, 4e-70 mandates that businesses and organizations within the state of Connecticut provide individuals with data breach notices in the event that said entities experience a security breach during the course of their operations. More specifically, these data breach notices must be provided to individuals as soon as possible and without undue delay, and must also detail the categories of personal information that were compromised as a result of the breach, among other things. Moreover, the law also obliges covered entities to provide “appropriate identity theft prevention and mitigation services at no charge for 12 months or more if Social Security numbers were breached”, as well as information detailing the steps individuals can take to place a freeze on their credit files.

What’s more, covered entities are also responsible for providing a breach notice to the Connecticut Attorney General when they experience a security breach, no later than when citizens of the state have also been notified of such an occurrence. Conversely, as it concerns the methods that covered entities are permitted to utilize when sending data breach notices, the law mandates that all data breach notices be written, made via telephone, or made electronically in a manner consistent with E-sign. Third parties that engage in businesses with covered entities within the state of Connecticut are also required to adhere to this security breach protocol as well.

What categories of personal information are covered under Conn. Gen Stat. §§ 36a-701b, 4e-70?

Under Conn. Gen Stat. §§ 36a-701b, 4e-70, the following categories of personal information are covered under the law, in connection with the first and last name or first initial and last name of a resident within the state of Connecticut:

In terms of the penalties that covered entities stand to face should they violate any provisions of the law, Conn. Gen Stat. §§ 36a-701b, 4e-70 is enforced by Connecticut Attorney General. As such, the Connecticut Attorney General has the authority to impose civil penalties against covered entities that are found to be in violation of the law. Additionally, violations of Conn. Gen Stat. §§ 36a-701b, 4e-70 are also “considered an unfair trade practice under 42-110b.” In contrast to many other data breach notification laws that have been passed in the U.S., Conn. Gen Stat. §§ 36a-701b, 4e-70 does not provide citizens of the state of Connecticut with the private right of action as it concerns violations of the law.

Through the passing of Conn. Gen Stat. §§ 36a-701b, 4e-70, citizens of the state of Connecticut were provided with legal protection in the event that their personal information is improperly accessed or disclosed as a result of a data breach. Although the provisions of the law are relatively mild when compared to those of other states, the law does ensure that residents within Connecticut have the means to seek justice in the event that their personal information is involved in a data breach, particularly if said involvement leads to adverse consequences for the individuals concerned.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »