Connecticut
Conn. Gen. Stat. § 36a-701b
S.B. 650 (signed into law June 8, 2005, Public Act 05-148)
Effective January 1, 2006
Application. Any person, business or agency (collectively, Entity) that conducts business in CT, and who, in the ordinary course of such Entity's business, owns, licenses, or maintains computerized data that includes PI.
- The provisions governing maintenance of PI that the Entity does not own appear applicable to any Entity maintaining information on CT residents, whether or not the Entity conducts business in CT.
Security Breach Definition. Unauthorized access to or acquisition of electronic files, media, databases, or computerized data containing PI when access to the PI has not been secured by encryption or by any other method or technology that renders the PI unreadable or unusable.
Notification Obligation. Any Entity to which the statute applies shall disclose any breach of security following the discovery of the breach to any CT resident whose PI was, or is reasonably believed to have been, accessed by an unauthorized person through such breach.
- Notification is not required if, after an appropriate investigation and consultation with relevant federal, state, and local agencies responsible for law enforcement, the Entity reasonably determines that the breach will not likely result in harm to the individuals whose PI has been acquired and accessed.
Third-Party Data Notification. If an Entity maintains computerized data that includes PI that the Entity does not own, the Entity shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery if the PI was, or is reasonably believed to have been, accessed by an unauthorized person.
Timing of Notification. The disclosure shall be made without unreasonable delay, consistent with any measures necessary to determine the nature and scope of the breach, to identify individuals affected, or to restore the reasonable integrity of the data system.
Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security Number;
- Driver license number or CT identification card number; or
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
Notice Required. Notice may be provided by one of the following methods:
- Written notice;
- Telephonic notice; or
- Electronic notice, provided it is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000 persons, or that the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
- Email notice when the Entity has an email address for the affected persons;
- Conspicuous posting of the notice on the Web site of the Entity if the Entity maintains one; and
- Notification to major statewide media, including newspapers, radio and television.
Exception: Own Notification Policy. Any Entity that maintains its own security breach procedures as part of an information security policy for the treatment of PI and otherwise complies with the timing requirements of the statute shall be deemed to be in compliance with the security breach notification requirements of the statute, provided such Entity notifies subject persons in accordance with its policies in the event of a breach of security.
Exception: Compliance with Other Laws.
- Primary Regulator. Notification pursuant to laws, rules, regulations, guidances, or guidelines established by an Entity’s primary or functional state regulator is sufficient for compliance.
Other Key Provisions:
- Delay for Law Enforcement. Notice may be delayed for a reasonable period of time if a law enforcement agency determines that the notice will impede a criminal investigation and such law enforcement agency has made a request that notification be delayed. Notice required by the statute must be made after the law enforcement agency determines that notification will no longer impede the investigation and so notifies the Entity of such determination.
- AG Enforcement. The AG may seek direct damages and injunctive relief.
- Notice to the Insurance Department. Pursuant to Bulletin IC-25 (Aug. 18, 2010), all licensees and registrants of the Connecticut Insurance Department are required to notify the Department of any information security incident which affects any CT residents as soon as the incident is identified, but no later than five calendar days after the incident is identified.