What Connecticut Businesses Need to Know
Understanding Connecticut’s Data Breach Notification Law
Connecticut now requires any business that operates in the state to notify both the Office of the Attorney General and affected residents if a security breach involves computerized data. The requirement comes from Connecticut General Statutes 36a‑701b; New Jersey has a comparable rule under New Jersey Statute 56:8‑163. Both states require breach notifications even when data is accessed but not stolen. Texas only requires notice when resident data is actually compromised, and Louisiana’s rules remain unclear.
New Jersey and Connecticut define a breach as any unauthorized access to or acquisition of electronic data that includes personal information. This definition covers ransomware and phishing attacks, whether they succeed or fail. While the laws do not name MSPs directly, any business handling IT systems is responsible for maintaining data security.
Key Requirements of Connecticut General Statutes 36a‑701b
Businesses that own, maintain, or license data containing personal information must tell affected Connecticut residents if a breach may have exposed their information. This notice must be sent without unreasonable delay and no later than 90 days after discovery of the breach.
Companies must also notify the Connecticut Office of the Attorney General. Not doing so may violate the Connecticut Unfair Trade Practices Act.
How to Notify the Connecticut Office of the Attorney General
The Attorney General provides a dedicated reporting email: [email protected]. To simplify the process, businesses should include:
- Contact information for the person reporting the breach
- Name, address, and type of business affected
- Description of the breach, including date, discovery method, and response
- Number of Connecticut residents impacted
- List of data types involved
- Date notice was or will be sent to residents
- Copy of the resident notification
- Whether identity theft protection or credit monitoring will be offered
- Explanation of any delay caused by law enforcement
Providing this information helps avoid follow‑up requests and speeds up compliance review.
What Counts as Personal Information in Connecticut
A security breach involves unauthorized access to electronic files or databases that contain personal information. This applies when the information is not encrypted or protected in a way that makes it unreadable.
Personal information includes a resident’s first name or initial plus last name combined with:
- Social Security number
- Account number
- State ID or driver’s license number
- Debit or credit card number with any required codes that give access to financial records
Publicly available information from government records is not included in this definition.
When Notifications Can Be Delayed
Law enforcement may ask a business to delay notifying residents if notification would interfere with an active investigation. Once the agency gives approval, the business must proceed with issuing the required notices.
Acceptable notification methods include:
- Written notice
- Electronic notice
- Telephone notice
If these methods are not possible, substitute notice may include:
- Email notice
- A clear posting on the company website
- Notice through statewide media outlets
How to Reduce the Risk of a Security Breach
Preventing a breach is always better than dealing with one. Here are simple steps businesses can take to protect sensitive data:
Physical and Device Security
- Lock workstations when unattended
- Secure offices, storage areas, and mobile devices
- Do not leave papers or electronics in cars or unsecured spaces
- Shred sensitive documents before disposal
- Keep sensitive items away from printers, fax machines, and publicly accessible areas
Data and Device Management
- Add extra protection for laptops, tablets, and portable media
- Delete personal information and sensitive data when no longer needed
- Minimize how much sensitive data is stored on devices
- Quickly investigate any lost or stolen equipment that may contain personal data
If you suspect a device with sensitive information has been stolen, follow the required reporting process under Connecticut General Statutes 36a‑701b.
Trusted IT Services for Connecticut Businesses
Realized Solutions provides IT services and software development for businesses across Connecticut. We manage your technology end‑to‑end so you can focus on your business. Our team understands cybersecurity risks and compliance requirements, and we deliver technology solutions designed specifically for your needs.
Contact us today to schedule a consultation and protect your business with secure, reliable IT support.