Connecticut Expands Data Breach Notification Law, Changes Effective October 1, 2021

Sheppard Mullin Richter & Hampton


Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

In addition to recently passing a cybersecurity safe harbor law, Connecticut also updated its data breach notification law. Connecticut joins Texas in passing changes to breach notification requirements this year. There are three key changes included in this amendment.

  • Expansion of the definition of "personal information". Falling in line with many other states, the law now broadens "personal information" to also include (i) taxpayer identification number; (ii) IRS identity protection personal identification number; (iii) passport number, military ID or other government ID; (iv) certain medical information; (v) health insurance policy information; (vii) biometric information; and (viii) a user name or email address in combination with a password or security question and answer (regardless of whether or not the individual's name is accessed in combination with it), in addition to the other existing elements.
  • Shortened Notification Requirements. The time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach has been shortened from 90 days to no later than 60 days after discovery of the breach. Further, if notice cannot be made within the new 60-day window, companies are to provide preliminary substitute notice to individuals and follow up with direct notice as soon as possible.
  • HIPAA/HITECH Exemption, Except for AG Notice. If notice is provided to Connecticut residents in compliance with HIPAA and HITECH, then the notice is deemed compliant with Connecticut requirements. However, notice must still be provided to the Connecticut Attorney General (no later than when notice is provided to residents).

Putting it Into Practice: Beginning October 1, companies that suffer a breach impacting Connecticut residents will want to keep these changes in mind, namely the expanded definition of personal information and the shortened notification timelines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
