On June 16, Connecticut Gov. Ned Lamont signed House Bill No. 5310, titled "An Act Concerning Data Privacy Breaches" (the act). The act, which goes into effect October 1, amends Conn. Gen. Stat. § 36a-701b, Connecticut's existing breach notification law, and significantly expands the definition of "personal information," in addition to other enhancements described below. Helpfully, the new act deems persons who provide notice to affected Connecticut residents under the Health Information Technology for Economic and Clinical Health (HITECH) Act to be in compliance with the act.
Previously, Connecticut law defined "personal information" as an individual's first name, or first initial and last name, in combination with any one or more of the following data categories:
The act expands Connecticut's definition of "personal information" to align more closely with laws in other states by including the following data categories:
The act shortens the maximum allowable amount of time for breach notification from not later than 90 days to not later than 60 days after the discovery of a breach.
The act clarifies that if additional Connecticut residents impacted by a breach are identified after the 60-day period, they must be notified as "expediently as possible."
One of the most significant changes under the act is the elimination of what some interpreted as an option to defer notification, pending completion of an investigation to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the affected data system.
The act includes additional requirements in the event of a login credential breach. In such event, notice must be provided to the affected Connecticut resident that enables them to:
Under the act, any person who provides notice to affected Connecticut residents in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act does not need to send separate notices to comply with the requirements of the act, so long as such person is in compliance with the HITECH Act's privacy and security standards. If a HITECH Act notice is required, however, then notice must also be provided to the Connecticut Attorney General no later than the time the HITECH Act notice is provided to the affected Connecticut residents.
Under the act, documents, materials and information provided to the Connecticut Attorney General in response to an investigative demand issued in an investigation of a security breach are exempt from public disclosure under subsection (a) of Section 1-210 of Connecticut's Freedom of Information Act, Conn. Gen. Stat. § 1-210 (2013), provided that the Connecticut Attorney General may make such documents, materials and information available to third parties in furtherance of its investigation.
Persons who own, license or maintain the personal information of Connecticut residents should review their existing data breach response protocols, or seek counsel, to ensure compliance with Connecticut's amended breach notification law when it goes into effect October 1.
Day Pitney Data Privacy, Protection and Litigation chair William Roberts authored an op-ed with CBIA's President and CEO Chris DiPentima titled "Here Are Preemptive Measures to Limit a Cyberattack's Damage to Your Business," for the Hartford Business Journal.
Day Pitney Partner Kritika Bharadwaj has been named to the 2024 Lawdragon 100 Leading Global AI & Legal Tech Advisors list. This is the inaugural year for this list.
Day Pitney Healthcare, Life Sciences, and Technology Counsel Damian Privitera's arrival was featured in the Law360 article "Moses & Singer Healthcare Atty Joins Day Pitney in Hartford."
Day Pitney Alert
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – February 2024
Day Pitney Cybersecurity, Healthcare and Technology (C.H.A.T.) Newsletter – February 2024
Day Pitney Data Privacy, Protection and Litigation co-chair William Roberts was featured on Vancord CyberSound podcast "Understanding the Data Privacy Patchwork: What You Need to Know."
Day Pitney Discovery Counsel Ashley Picker Dubin was featured in a Legaltech News Q&A on her new role as Discovery Counsel at the firm.
Copyright © 2024 Day Pitney LLP, all rights reserved.