Connecticut Amends its Data Breach Notification Law to Enhance Protection and Incentivize Cybersecurity
Authors
David G. Ries , Melissa K. Ventrone
Connecticut has enacted two laws, both effective on Oct. 1, that enhance the protection of personal information and incentivize cybersecurity under its data breach notification law. The first, Public Act No. 21-59, which amends Connecticut’s existing data breach notification law, expands the definition of protected “personal information,” reduces the maximum time for required notifications, and provides for a “safe harbor” for compliance with other breach notice requirements. The other, Public Act No. 21-119, incentivizes the adoption of cybersecurity standards by providing protection against punitive damages for covered persons that comply with listed cybersecurity laws and standards. Although Connecticut was not successful in passing a comprehensive privacy law similar to those passed in California, Colorado, and Virginia, it did make these changes. This is a summary of the two Acts, but readers should review the specific details.
Previously, Connecticut’s definition of “personal information” was limited and included more traditional data elements such as Social Security numbers, driver’s license and state identification numbers, credit or debit card numbers, and a financial account number in combination with information that would permit access to the financial account. Public Act No. 21-59 expands the definition of “personal information” in the existing breach notification law to add information like:
- Medical, health insurance policy, or subscriber information,
- Individual taxpayer identification numbers and personal identification numbers,
- Passport numbers or other government identification numbers,
- Biometric information, and
- User names or email addresses, in combination with a password or security question and answer that would permit access to an online account.
The law continues to provide that required notice must be given “without unreasonable delay,” but reduces the maximum time from 90 days to 60 days. It includes a requirement for notice within 60 days to all potentially impacted individuals if the impacted individuals cannot be identified. Interestingly, the law does permit notice to additional Connecticut residents if they are identified after the 60-day, provided such notice is made as “expediently as possible.”
This Act also provides a “safe harbor” for a covered person “that is subject to and in compliance with the privacy and security standards under” the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). It also provides that any person required to provide notification to Connecticut residents pursuant to HIPAA/HITECH must also provide notice to the Connecticut Attorney General.
Public Law 21-119 incentivizes cybersecurity by providing protection against punitive damages for covered persons that comply with listed cybersecurity laws and standards. The protection is limited because it only covers punitive damages. It applies to a covered entity that has “created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to [a listed] industry-recognized cybersecurity framework.” The list includes specified frameworks published by the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), the ICO/IEC (27000 standards), and the Payment Card Industry (PCI) Security Standards Council; and, where applicable, cybersecurity regulations under HIPAA/HITECH, the Federal Risk Management Program (FedRAMP), or the Gramm-Leach-Bliley Act.
It is important for businesses that own, license, or maintain covered information about Connecticut residents to understand these amendments and to incorporate them into their cybersecurity and privacy policies and incident response plans.
If you have questions about the content of this alert, please contact David Ries (dries@clarkhill.com; 412.394.7787), Melissa Ventrone (mventrone@clarkhill.com; 312.485.0540), or another member of Clark Hill’s Cybersecurity, Data Protection, and Privacy Group.
The views and opinions expressed in the article represent the view of the author and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is intended to be a substitute for professional legal advice.