Connecticut’s legislators have approved a data privacy measure intended to update and fortify the state’s existing breach notification statute.
MSSPs and cybersecurity firms that work with Connecticut-based customers and data that involves Connecticut residents may want to take note: The new The Act Concerning Data Privacy Breaches broadens the definition of personal information contained in an earlier law dating to 2005 to include medical information, online account information, passport numbers, military identification and health insurance account numbers.
More Details: Connecticut Data Privacy Breach Law
The bill, which carries overtones of California’s Consumer Privacy Act, also shortens the outside limit to which entities must notify individuals and the Office of the Attorney General of a security breach. Any person or entity collecting personal data by conducting business in the state must notify any resident of the state whose data may have been breached within 60 days of the incident.
Connecticut’s Attorney General (AG) must also be advised of the breach. The compromised business is also required to offer affected individuals identity theft prevention and identity theft mitigation services free of charge for two years. Should a business fail to comply with the Act’s requirements, Connecticut’s AG can charge and prosecute them for unfair trade practices.
The state Senate unanimously approved the legislation on June 5, 2021. The House had unanimously approved the legislation on May 27. The bill now heads to Governor Ned Lamont for his signature.
Attorney General William Tong, who advocated for the bill, praised its final passage by the state’s lawmakers. “Connecticut has led the nation in data privacy for over a decade, and this legislation ensures that we will continue to do so,” said Tong in a statement. “Since we passed one of our nation’s first laws protecting consumers from online data breaches, technology and risks have evolved. This legislation ensures that our laws reflect those evolving risks and continue to offer strong, comprehensive protection for Connecticut residents,” he said.
Connecticut Cybersecurity Legislation: Earlier Milestones
In May 2018, Connecticut affirmed the Cybersecurity Action Plan calling for better security, deeper collaboration and more security pros on the job. The 41-page document contained requirements and recommendations to fortify cybersecurity planning and policy in the state. One month later, cyber crooks pilfered roughly $1.4 million from 21 account holders at the Connecticut Higher Education Trust. More than $442,000 was subsequently recovered or the transfers stopped.