Connecticut Data Breach Notification Law: What to Know
Looking to understand Connecticut’s data breach notification law? We’ve got you covered.
IBM’s latest report shows that roughly 8 in 10 organizations suffered more than one data breach in 2022. The bottom line? Virtually every business today is vulnerable to data breaches.
For this reason, governments all over the world have developed laws to reduce threats to consumers when breaches do occur. And Connecticut is no exception.
This article will walk you through Connecticut’s data breach notification law, including how long you have to report a breach, the requirements of a valid breach report, penalties for non-compliance, and much more.
Let’s get into it.
- Connecticut’s data breach notification law builds upon key principles established by the Connecticut Data Privacy Act (CTDPA).
- Under Connecticut’s law, businesses that suffer data breaches must notify affected consumers and the state authority without unreasonable delay, and within at most 60 days of discovering the breach.
- Failing to comply with Connecticut’s data breach notification law triggers civil penalties of $5,000 for each violation and can lead to other consequences from Connecticut’s Attorney General.
Connecticut Data Privacy Act Explained
The Connecticut Data Privacy Act (CTDPA) is a robust data privacy law that protects the online privacy and personal data of Connecticut residents. It was signed into law on May 10, 2022, and went into effect on July 1, 2023.
The CTDPA is notably inspired by other well-known data privacy regulations, including the EU’s GDPR, California’s CPRA, and Virginia’s CDPA. Like these laws, Connecticut’s law aims to make its residents’ personal data safe and secure while giving them as much control as possible.
To this end, the CTDPA requires businesses to help consumers exercise several privacy rights, including the right to:
- Access their personal data
- Request deletion of their personal data
- Correct inaccuracies in their personal data
- Opt out of the sale of their data, targeted advertising, and profiling
- Obtain a copy of their data in a portable and readily usable format
So, who exactly does this law affect? The CTDPA applies to you if you do business in Connecticut, target its residents with your products or services, and in the previous year, either:
- Handle the personal data of 100,000 or more consumers (excluding data processed solely to complete payments) or
- Handle the personal data of 25,000 or more consumers and derive over 25% of your gross revenue from selling their data
To comply with the CTDPA, businesses must provide transparent privacy policies, obtain consent for specific data processing, and submit prompt notifications if a data breach occurs (among other requirements).
Important Definitions Under Connecticut’s Data Breach Notification Law
To fully grasp the scope and requirements of Connecticut’s data breach notification law, it’s important to understand how the law defines specific terms.
Under Connecticut’s law, a data breach is unauthorized access to, or acquisition of, electronic files, databases, or computerized information that holds personal data.
Note that this refers to personal data that isn't protected by encryption or a similar safeguard rendering it unreadable or unusable.
In practice, examples of data breaches include but aren’t limited to:
- Phishing attack
- Malware infection
- Lost or stolen laptop or mobile device
- Accidental disclosure of personal data to unauthorized individuals
Connecticut’s law defines personal data as an individual's first name (or first initial) and last name in combination with at least one of the following:
- Social security numbers
- Tax identification numbers
- Credit or debit card numbers
- Identity protection PIN issued by the IRS
- Biometric information such as fingerprints for identity verification
- Driver's license, passport numbers, or other government-issued ID numbers
- Financial account numbers, alongside passwords or other security codes for access
- Username or email address, alongside a password or other means to access an online account
- Health insurance policy numbers or unique identifiers used by insurers to recognize individuals
- Medical information involving an individual's health history or treatment by healthcare professionals
Under Connecticut’s law, notification means informing affected individuals or authorities about a data breach. A valid notice must include key details about the breach and guidance for affected parties.
For instance, the following scenarios count as notification:
- Filling out a form to notify state authorities about a breach and details of the incident.
- Sending an email to affected customers informing them about a cyber-attack and steps they can take to protect themselves.
Connecticut Data Breach Notification Law Timeline
If you experience a data breach, swift action is critical to maintain compliance and protect your consumers.
Under Connecticut’s law, you must notify affected consumers without unreasonable delay and within a maximum of sixty (60) days after discovering the breach.
Additionally, you must report the data breach to the Connecticut Office of the Attorney General as soon as you’ve notified consumers. In other words, you'll need to synchronize the timing of your notifications to both consumers and the Attorney General.
Connecticut Data Breach Notification Requirements
Data breaches can be overwhelming. Even worse is failing to act quickly, contain the damage, and follow the legal requirements to the letter.
To help you avoid penalties, we’ve broken down Connecticut’s data breach notification requirements into the three questions below:
What should a compliant data breach notification report contain?
Under Connecticut’s law, your data breach notification must, at minimum, include the following details:
- A description of the breach, including the date of discovery, the nature and scope of the breach, and the types of personal data that were affected
- The steps affected consumers can take to protect themselves, such as changing their passwords and monitoring their credit reports
- A dedicated contact point for affected consumers to send questions related to the breach
How can you submit data breach notification reports?
You must notify affected consumers and the Attorney General using a secure communication method guaranteed to reach them.
For consumers, valid notification mediums include:
- Written notice (e.g., via direct mail)
- Electronic notice (e.g., email messages)
- Telephone notice (texts and calls)
- Substitute notice
For the Office of the Attorney General, a simple online form has been released for data breach submissions. After submitting your report, you'll receive a confirmation email and a filing summary.
In a subsequent email, you'll receive a unique case number as a reference for future communications related to the breach. All case numbers begin with "PR," followed by seven digits (e.g., PR7654321).
What else is required?
According to Connecticut’s law, if a consumer’s social security or taxpayer ID number is compromised in a breach, you must offer them two (2) years of identity theft prevention or mitigation services for free.
You must also explain how consumers can enroll in these services and place a credit freeze on their file. This way, consumers with compromised sensitive personal information receive the necessary support and guidance to protect themselves effectively.
Exceptions to Connecticut Data Breach Notification Law
Connecticut’s law sets out specific instances where you don't have to submit a data breach report or where the 60-day deadline for submissions can be extended.
Let's briefly go over them:
No likelihood of harm
You don't have to notify affected consumers of a data breach if, after a careful investigation, you determine that the breach is unlikely to cause them any harm.
Encrypted or secured data
You don't have to submit a data breach report if the personal data in question was encrypted to make it unreadable or unusable and the encryption key wasn't compromised during the breach.
Similarly, you’re exempt if the exposed data was rendered unreadable or unusable by a protection measure other than encryption.
Law enforcement delay request
If a law enforcement agency determines that your notification will hinder a criminal investigation and requests a delay, you can exceed the 60-day timeframe for data breach notifications.
Pre-existing data breach response plan
Suppose your business already maintains a data breach response plan as part of your cybersecurity policy, and you promptly notify affected consumers within the legal timeframe.
In that case, no further action is required on your part since your policy already complies with Connecticut's data breach requirements.
HIPAA and HITECH compliance
If your business complies with HIPAA and HITECH regulations, you’re already halfway compliant with Connecticut's data breach law.
All you need to do is:
- Notify the Connecticut Attorney General of data breaches at the same time as affected consumers
- Offer free identity theft protection services to consumers whose social security or taxpayer ID number was compromised
Steps to Mitigate Risks of Data Breaches
When it comes to data breaches, the old saying rings true: "prevention is better than cure."
Here's our list of best practices to enhance your data security posture and reduce the risk of experiencing data breaches:
- Encrypt data: Using encryption to protect personal and sensitive information makes it worthless to cybercriminals even if a data breach occurs, as long as the encryption key remains secure.
- Establish access controls: Limiting data access to authorized personnel on your team significantly reduces the chance of data falling into the wrong hands.
- Regularly update software: It sounds obvious, but keeping your systems and software up-to-date helps patch security vulnerabilities and reduce the risk of breaches.
- Perform employee training: Your team needs to understand the ins and outs of your data security protocols to reduce human errors. Conduct comprehensive compliance training to achieve this.
- Conduct regular assessments: Frequent data risk assessments help pinpoint and address vulnerabilities in your data security measures.
- Partner with Captain Compliance: Last but not least, outsourcing your compliance to a top-tier compliance solution like Captain Compliance reduces the risk of faulty implementation—a significant compliance issue.
Penalties for Non-Compliance with Connecticut Data Breach Notification Law
Non-compliance with Connecticut’s law attracts civil penalties of up to $5,000 per violation under the Connecticut Unfair Trade Practices Act.
In other words, for each case where your business fails to comply with the data breach notification law, you may incur financial penalties.
Think of how quickly that can add up. For instance, failing to send timely breach notifications to 50 consumers could mean a fine of up to $250,000.
But it doesn't stop there.
Connecticut’s Attorney General can impose additional penalties, including:
- Disgorgement: Surrendering any profits obtained as a result of non-compliance.
- Injunctive relief: Compelling you to comply with the law under court order.
- Restitution: Compensating affected consumers for damages.
Having gained insights into Connecticut's data breach notification law, you're one step closer to achieving compliance. Now, it's time to take proactive measures by engaging a specialized compliance service.
Not sure where to start? We've got you covered!
At Captain Compliance, we're committed to ensuring you don't just understand the law but can seamlessly translate that knowledge into action.
For data breach notifications, we help you with the following:
- Risk assessments
- Data breach response plan development
- Monitoring and incident response management
- Cybersecurity policy and procedure development
With our expert guidance, compliance worries become a thing of the past. Ready to hit the ground running with Connecticut's law? Get in touch today!
What constitutes a data breach under Connecticut law?
A data breach in Connecticut means unauthorized access to or acquisition of electronic data containing unencrypted personal data. If such data becomes exposed, it qualifies as a breach and triggers data breach notification requirements.
When should you notify affected parties about a data breach?
Under Connecticut’s law, you must inform affected consumers and the Attorney General without undue delay and within 60 days of confirming the breach.
Despite this timeline, notifying all relevant parties much earlier is a best practice to effectively reduce harm to consumers.
Are there exceptions to the notification requirement?
Yes, some exceptions exist. For instance, encrypted data that remains secure or a comprehensive risk assessment indicating little risk might exempt you from notification. It’s a smart move to consult expert compliance services to understand these exceptions in detail.
What information should be included in a breach notification?
Your data breach notification should describe the breach, the type of data affected, and steps individuals can take to protect themselves. It should also include a dedicated point of contact for further inquiries or assistance.