Connecticut recently enacted two pieces of legislation that alter the landscape for data security incident reporting and notification practices in the state. Below is a synopsis of the changes, which become effective October 1, 2021.
First, the state amended its notification law with these notable items added or revised:
- “Personal Information” now includes: (1) taxpayer identification number (“TIN”); (2) any identity protection personal identification card number (provided to individuals by the IRS); (3) an individual’s passport number; (4) a user name or email address used in combination with a password or a security question and answer; and (5) certain specific medical and biometric information.
- Entities that suffer a data security incident now only have 60 days to notify impacted individuals after discovering the incident (as opposed to the prior 90-day window). As a caveat, though, if direct notification cannot be provided within the 60 days, then the amendment requires affected entities to issue a preliminary notice to individuals as a form of substituted notice until direct notice can be provided.
- Where user credentials have been compromised, an impacted entity must notify—through electronic or other means—the individuals whose credentials may have been involved and recommend changing passwords and security/challenge questions and answers, and taking the same precautionary measures for any other accounts that use the same credentials (i.e., email and password).
- In a move similar to New York’s SHIELD Act, those who are HIPAA and/or HITECH covered entities—while deemed compliant with Connecticut’s law—must still notify the Attorney General for the State of Connecticut contemporaneously with the individuals impacted by the incident.
- All materials and information provided in response to an investigative inquiry are now considered exempted from public disclosure; however, the Attorney General for the State of Connecticut “may” make these items available to third parties to further the investigation.
Second, Connecticut joins Utah and Ohio with the enactment of “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses.” The new law offers a safe harbor to those entities that create, maintain and comply with a written cybersecurity program. Connecticut is now the third state to enact such an incentive.
This law, similar to Utah’s and Ohio’s respective laws, provides an affirmative defense to actions in tort that allege a business failed to have reasonable cybersecurity protocols and that this failure caused the data security incident to occur. If businesses formulate a program that complies with industry frameworks (e.g., NIST or ISO/IEC) or federal laws (e.g., HIPAA’s Security Rule), their program may qualify for the safe harbor.
What impact will the Connecticut law have on businesses? Certainly those operating in Connecticut will be incentivized to adopt reasonable cybersecurity measures under well-recognized frameworks with the hope of preventing an attack or, in the alternative, benefiting from the safe harbor protection should data breach litigation occur. Will more states adopt Safe Harbor legislation? Time will tell.