On June 16, Connecticut Gov. Ned Lamont signed House Bill No. 5310, titled "An Act Concerning Data Privacy Breaches" (the act). The act, which goes into effect October 1, amends Conn. Gen. Stat. § 36a-701b, Connecticut's existing breach notification law, and significantly expands the definition of "personal information," in addition to other enhancements described below. Helpfully, the new act deems persons who provide notice to affected Connecticut residents under the Health Information Technology for Economic and Clinical Health (HITECH) Act to be in compliance with the act.
Previously, Connecticut law defined "personal information" as an individual's first name, or first initial and last name, in combination with any one or more of the following data categories:
The act expands Connecticut's definition of "personal information" to align more closely with laws in other states by including the following data categories:
The act shortens the maximum allowable amount of time for breach notification from not later than 90 days to not later than 60 days after the discovery of a breach.
The act clarifies that if additional Connecticut residents impacted by a breach are identified after the 60-day period, they must be notified as "expediently as possible."
One of the most significant changes under the act is the elimination of what some interpreted as an option to defer notification, pending completion of an investigation to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the affected data system.
The act includes additional requirements in the event of a login credential breach. In such event, notice must be provided to the affected Connecticut resident that enables them to:
Under the act, any person who provides notice to affected Connecticut residents in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act does not need to send separate notices to comply with the requirements of the act, so long as such person is in compliance with the HITECH Act's privacy and security standards. If a HITECH Act notice is required, however, then notice must also be provided to the Connecticut Attorney General no later than the time the HITECH Act notice is provided to the affected Connecticut residents.
Under the act, documents, materials and information provided to the Connecticut Attorney General in response to an investigative demand issued in an investigation of a security breach are exempt from public disclosure under subsection (a) of Section 1-210 of Connecticut's Freedom of Information Act, Conn. Gen. Stat. § 1-210 (2013), provided that the Connecticut Attorney General may make such documents, materials and information available to third parties in furtherance of its investigation.
Persons who own, license or maintain the personal information of Connecticut residents should review their existing data breach response protocols, or seek counsel, to ensure compliance with Connecticut's amended breach notification law when it goes into effect October 1.
On May 19, Partner Jonathan Handler moderated a virtual book talk for the Massachusetts Chapter of the Federal Bar Association with Professor Jeff Kosseff, author of The Twenty-Six Words That Created the Internet.
On October 15, Jonathan Zelig served as a panelist on the topic, "Ransomware: Exposures and Opportunities," at the 2020 Massachusetts Insurance and Reinsurance Bar Association's Fall Symposium.
Day Pitney and the Association of Corporate Counsel (ACC) Northeast Chapter co-hosted a virtual roundtable, "Basic Tech and Cyber Competency for In-House Counsel," on September 23.
Day Pitney Counsel Steven Cash will serve as featured panelist for the webinar "Decisional Advantage and Intelligence."
Kermit Wallace was quoted in The American Lawyer article, "Cybersecurity Isn't Just About Outside Threats. It's About Protecting Firms From Themselves."
Kevin Duffy and Naju Lathia were honored at the New Jersey Legal Awards Ceremony on September 23, at the Brooklake Country Club in Florham Park, NJ.
Kermit Wallace was quoted in Hartford Business Journal article, "Hartford area law firms seek more investment in technology, less on office space."
Ariel M. Risinger 's journey as a competitive powerlifter was featured in the Law360 Pulse article, "Day Pitney Attorney Does Her Heavy Lifting At Tournaments. "
Kermit Wallace was quoted in Legaltech News article, "What Pandemic Delay? Law Firms' Tech Roadmaps Back on Track."
Susan Huntington authored a chapter, "Enterprise Risk Approach to Successful Population Management," in the recently published third edition of the "Enterprise Risk Management Handbook for Health Care Entities."