Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Connecticut amends data security breach provisions

State Issues State Legislation Privacy/Cyber Risk & Data Security Data Breach Consumer Protection

State Issues

On June 16, the Connecticut governor signed H.B. 5310 to establish new data breach notification requirements related to state residents. Among other things, the act updates the definition of “personal information” to also include (i) taxpayer identification numbers; (ii) IRS identity protection personal identification numbers; (iii) passport and military identification numbers, as well as other government-issued identification numbers; (iv) medical information; (v) health insurance policy numbers or other identifiers used by health insurers; (vi) biometric information; and (vii) user names or email addresses combined with passwords or security questions and answers used to access an individual’s online account.

The act also requires businesses to notify residents whose personal information was breached or reasonably believed to have been breached within 60 days instead of 90 days after the discovery of the breach. Should a business identify additional affected residents after 60 days, it is required to provide notice as expediently as possible. Additionally, in the event that a resident’s login credentials are breached, a business may provide notice in electronic form (or another form) that directs the individual to take appropriate measures to protect the affected online account and all other online accounts. Businesses that furnish email accounts are also required to either verify that the affected individual received the data breach notice or provide notification through another method. The act also adds provisions related to compliance with privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act, and specifies that information provided in response to an investigative demand connected to a data breach will be exempt from public disclosure, but the attorney general may make the information available to third parties in furtherance of the investigation. The act takes effect October 1.