Connecticut Expands Data Breach Notification Law, Changes Effective October 1, 2021

Sheppard Mullin Richter & Hampton LLP
Contact

Sheppard Mullin Richter & Hampton LLP

In addition to recently passing a cybersecurity safe harbor law, Connecticut also updated its data breach notification law. Connecticut joins Texas in passing changes to breach notification requirements this year. There are three key changes included in this amendment.

  • Expansion of the definition of “personal information”. Falling in line with many other states, the law now broadens “personal information” to also include (i) taxpayer identification number; (ii) IRS identity protection personal identification number, (iii) passport number, military ID or other government ID; (iv) certain medical information; (v) health insurance policy information; (vii) biometric information; and (viii) a user name or email address in combination with a password or security question and answer (regardless of whether or not the individual’s name is accessed in combination with it), in addition to the other existing elements.
  • Shortened Notification Requirements. The time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach has been shortened from 90 days to no later than 60 days after discovery of the breach. Further, if notice cannot be made within the new 60-day window, companies are to provide preliminary substitute notice to individuals and follow up with direct notice as soon as possible.
  • HIPAA/HITECH Exemption, Except for AG Notice. If notice is provided to Connecticut residents in compliance with HIPAA and HITECH, then the notice is deemed compliant with Connecticut requirements. However, notice must still be provided to the Connecticut Attorney General (no later than when notice is provided to residents).

Putting it Into Practice: Beginning October 1, companies who suffer a breach impacting Connecticut residents will want to keep in mind these changes. Namely, the expanded definition of personal information and shortened notification timelines.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Sheppard Mullin Richter & Hampton LLP

Written by:

Sheppard Mullin Richter & Hampton LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide