Connecticut Enhances Data Breach Notification Law
On June 16, Connecticut Gov. Ned Lamont signed House Bill No. 5310, titled "An Act Concerning Data Privacy Breaches" (the act). The act, which goes into effect October 1, amends Conn. Gen. Stat. § 36a-701b, Connecticut's existing breach notification law, and significantly expands the definition of "personal information," in addition to other enhancements described below. Helpfully, the new act deems persons who provide notice to affected Connecticut residents under the Health Information Technology for Economic and Clinical Health (HITECH) Act to be in compliance with the act.
Definition of Personal Information Expanded
Previously, Connecticut law defined "personal information" as an individual's first name, or first initial and last name, in combination with any one or more of the following data categories:
- Social Security number
- Driver's license number
- State identification card number
- Credit or debit card number
- Financial account number, in combination with any required security code, access code or password that would permit access to such financial account
The act expands Connecticut's definition of "personal information" to align more closely with laws in other states by including the following data categories:
- Individual taxpayer identification number (e.g., Social Security number)
- Identity protection personal identification number issued by the IRS
- Passport number, military identification number or other identification number issued by the government that is used to verify identity
- Medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
- Health insurance policy number or subscriber identification number, or any other unique identifier, issued by a health insurer to identify the individual
- Biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics and used to authenticate or ascertain the individual's identity, such as a fingerprint, voiceprint, or retina or iris image
- User name or email address, in combination with a password or with a security question and answer that would permit access to an online account
Timing for Required Notification Reduced
The act shortens the maximum allowable amount of time for breach notification from not later than 90 days to not later than 60 days after the discovery of a breach.
The act clarifies that if additional Connecticut residents impacted by a breach are identified after the 60-day period, they must be notified as "expediently as possible."
One of the most significant changes under the act is the elimination of what some interpreted as an option to defer notification, pending completion of an investigation to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the affected data system.
Additional Requirements for Login Credential Breach and Notification
The act includes additional requirements in the event of a login credential breach. In such event, notice must be provided to the affected Connecticut resident that enables them to:
- promptly change their password and/or security question and answer; or
- take other steps to secure the affected account and all other accounts for which they use the same e-mail and password or the same security question and answer.
HIPAA and HITECH Act Exemptions
Under the act, any person who provides notice to affected Connecticut residents in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act does not need to send separate notices to comply with the requirements of the act, so long as such person is in compliance with the HITECH Act's privacy and security standards. If a HITECH Act notice is required, however, then notice must also be provided to the Connecticut Attorney General no later than the time the HITECH Act notice is provided to the affected Connecticut residents.
Investigation Materials Exempt From Public Disclosure
Under the act, documents, materials and information provided to the Connecticut Attorney General in response to an investigative demand issued in an investigation of a security breach are exempt from public disclosure under subsection (a) of Section 1-210 of Connecticut's Freedom of Information Act, Conn. Gen. Stat. § 1-210 (2013), provided that the Connecticut Attorney General may make such documents, materials and information available to third parties in furtherance of its investigation.
Conclusion
Persons who own, license or maintain the personal information of Connecticut residents should review their existing data breach response protocols, or seek counsel, to ensure compliance with Connecticut's amended breach notification law when it goes into effect October 1.