Connecticut State Law: Notification Of A Data Breach

Connecticut state law now requires any entity that does business in the state to provide notice of breach of security that involves computerized data to the Office of the Attorney General and the affected state residents.

Connecticut General Statute 36a-701b and New Jersey 56:8-163 have been updated to require notification of any breach, regardless of whether data is exposed or stolen. However, Texas only requires notification if the data of state residents is compromised, and Louisiana’s notification requirements are still up in the air.

New Jersey and Connecticut define a security breach as unauthorized access to or acquisition of electronic data containing personal information. That includes all ransomware and phishing attacks, successful or not. Again, these statutes don’t explicitly name MSPs, but as businesses providing IT services and solutions, your clients and your MSP are responsible for ensuring data security.

Provisions of the Connecticut General Statutes § 36a-701b

Anyone who conducts business in Connecticut and owns, maintains, or licenses computerized data that contains personal information is required to disclose any security breach to state residents whose personal information may have been compromised. The business owner must make the notice without unreasonable delay and no later than 90 days from the discovery of the breach.

In addition, business owners must notify the Office of the Attorney General alongside the affected residents. Failure to issue such notice could be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA).

How to Send the Notice to the Office of the Attorney General

To help business owners comply with the provisions of the Connecticut General Statutes § 36a-701b, the Office of the Attorney General established an email address for reporting, which is ag.breach@ct.gov. To further simplify the process and eliminate the need for the Office of the Attorney General to ask for additional information, businesses are advised to include the following in breach notifications:

  • Name and contact details of the person reporting the breach.
  • Name, type, and address of the business that experienced the breach.
  • A general description of the breach, including the date, when and how it was discovered, and remedial steps taken to respond to the breach.
  • The number of Connecticut residents impacted by the breach.
  • A comprehensive list of the personal information categories that were the subject of the breach.
  • The date(s) when the notification was/will be conveyed to the impacted Connecticut residents.
  • A copy of the notification conveyed to the affected Connecticut residents.
  • Whether or not identity theft protection or credit monitoring services have been or will be provided to the affected Connecticut residents.
  • In case of delayed notification, whether the delay was due to a law enforcement investigation.

Types of Personal Information in Connecticut General Statutes § 36a-701b

Pursuant to the Connecticut General Statutes § 36a-701b, a security breach refers to unauthorized access to or acquisition of electronic files, databases, media, or computerized data containing personal information. It applies if the personal information was not secured by encryption or through other methods or technologies that render the personal information unusable or unreadable.

Personal information, in turn, refers to an individual’s first name or first initial plus last name together with one or more of the following:

  • Social Security number
  • Account number
  • State ID number or driver’s license number
  • Debit or credit card number with any required security code, password, or access code that would allow access to the financial records of that individual.

However, personal information doesn’t include publicly available data that is lawfully made available to the general public from local, state, or federal records and widely distributed media.

When Notifications May Be Delayed

Any notification required by the Connecticut General Statutes § 36a-701b shall be delayed for a reasonable time period if a law enforcement agency determines that the notification may impede a criminal investigation. The law enforcement agency must request that the notification be delayed.

Any notice to the affected resident, licensee, or owner may be provided by one of the following means:

  • Written notice
  • Electronic notice
  • Telephone notice

However, substitute notice may consist of:

  • Electronic mail notice when the business has an electronic mail address for the affected residents
  • Conspicuous posting on the business website if they maintain one
  • Notification to key statewide media, such as newspapers, television, or radio.

How to Avoid Security Breaches for your Connecticut Business

It’s always wise to avoid security breaches in the first place instead of having to grapple with regulatory compliance issues and reputational damage. So always ensure proper physical security for all your electronic and physical sensitive information wherever it lives. Here are a few strategies you can employ to minimize the chances of security breaches:

  • Always lock down computers and workstations as a deterrent.
  • Secure your office, files, and portable computing devices before leaving them unattended.
  • Never leave papers, laptops, or other electronic gadgets visible in an unattended car or home.
  • Always shred sensitive paper records before you dispose of them.
  • Never leave sensitive information sitting around unprotected, such as on your office printers, copiers, fax machines, or in storage.

Also, employ extra security measures for mobile devices (including laptops and tablets) and portable electronic media with sensitive or critical information. For example, securely delete any personally identifiable information (PII) and other sensitive data when you no longer need it for business purposes. Additionally, minimize the amount of sensitive data you store on your devices to reduce risks in the case of theft.

In the unfortunate event that you suspect that computing equipment with sensitive data has been stolen, be sure to investigate it immediately and follow the right reporting protocols as stipulated under the Connecticut General Statutes § 36a-701b.

Get Reliable IT Services in Connecticut

Realized Solutions is your trusted IT Services and Software Development Company in Connecticut. Instead of outsourcing bits and pieces of technology services to different companies, let us take care of it all. We understand that there are multiple challenges your business could face, but technology shouldn’t be one of them. Our experienced IT engineers have mastered the dynamics of cybersecurity and other technology solutions and will provide you with tailor-made technologies that suit your business. Contact us today to schedule a consultation!