The most recent Connecticut legislative session, which ended June 9, 2021, may have stopped short of passing California-like, comprehensive consumer data privacy legislation, but it – like other states – continued its yearly march toward ever-increasing privacy and data security protections in two pieces of legislation, including one that is yet to be signed by Governor Lamont. Find legislative highlights and recommendations below.
Public Act No. 21-59, An Act Concerning Data Privacy Breaches
Public Act No. 21-59 amends Connecticut’s data breach notification law (General Statutes § 36a-701b). The Act expands the categories of personal data that must be protected from unauthorized access or disclosure. As of October 1, 2021, it will no longer suffice to protect only Social Security and driver’s license numbers, or credit card and financial account information. The new types of “Personal Information” that trigger breach notification obligations include:
• Medical information
• Biometric information used for ID (e.g., fingerprints, voice prints, retinal images, etc.)
• Online account login credentials (i.e., user name/e-mail address plus password or security question and answer)
• Passport numbers, military ID, and other government ID numbers
• Health insurance policy and subscriber identification numbers
• Individual taxpayer identification numbers
• IRS-issued identity protection personal identification numbers
The Act contains a number of other important amendments. A few of the more noteworthy ones include:
• Shorter Notification Deadline. The Act shortens from 90 to 60 the number of days that organizations have to investigate and report on a data breach after discovery, but leaves intact the requirement that breach notification should be performed without “unreasonable delay” – meaning that there may be instances where even 60 days constitutes an unreasonable notification period.
• Expanded Provision of ID Theft Protection Services. The Act adds breaches of individual taxpayer identification numbers to those involving Social Security numbers, as the type of breach that requires an organization to provide 24 months of complimentary identity theft prevention and mitigation services to all affected Connecticut residents.
• Special Treatment of Breaches of Online Account Login Credentials. The Act provides special notification requirements where the breach concerns online account and e-mail login credentials. Organizations must take care to recommend certain remediation actions and must not provide notification through potentially compromised e-mail accounts.
• Coordination with HIPAA and HITECH Act Breach Notification. Organizations that are already following federal breach notification obligations under HIPAA and the HITECH Act will be deemed to be compliant with the amended Connecticut breach notification law, provided that they still give simultaneous notification to the Connecticut Attorney General’s Office and comply with other, nonconflicting Connecticut breach notification requirements.
• Protection of Investigation Materials from Public Disclosure. In a bright spot for organizations, the Act provides that internal documentation of an organization’s data breach investigation that is required to be turned over to the Attorney General’s Office pursuant to an investigative demand is exempted from public disclosure under the state Freedom of Information Act.
Failure to comply with the statute constitutes an unfair trade practice, which among other undesirable consequences exposes entities to huge potential liability, including the imposition of punitive damages.
House Bill No. 6607, An Act Incentivizing the Adoption of Cybersecurity Standards for Business
If Public Act No. 21-59 is a “stick”, spurring Connecticut businesses to increase data privacy and cybersecurity safeguards, then House Bill No. 6607 may be a “carrot”. This second piece of legislation, if enacted (as of this writing the bill has been passed by the legislature but has not yet been signed by the Governor), incentivizes entities who store Personal Information to take proactive steps to implement a qualified “written cybersecurity program”. The reward for implementing such a program is legal immunity against punitive damages stemming from a negligent data breach.
Not just any written cybersecurity standards will do, however. The Bill would require an eligible written program to incorporate administrative, technical, and physical safeguards that conform to “an industry recognized cybersecurity framework.” The Bill specifies certain known cybersecurity frameworks and regulatory schemes, compliance with which will satisfy this requirement, including:
• Certain frameworks published by the National Institute of Standards and Technology, the Center for Internet Security, the International Organization for Standardization, and the International Electrotechnical Commission; and
• Where applicable, the security requirements of HIPAA and the HITECH Act, Title V of the Gramm-Leach-Bliley Act of 1999, the Federal Information Security Modernization Act, and the Payment Card Industry Data Security Standard.
The Bill would also require organizations to implement amendments to these frameworks within six months of their passing in order to maintain the immunity against punitive damages.
What actions should organizations take?
We recommend that organizations consider the following actions:
• Take stock of data practices and privacy and information security policies. Do you know where and how you are handling each of the new categories of “Personal Information”? Do your public-facing notices signal to costumers that you recognize your expanding obligations regarding their data? Do you have written policies that empower employees to classify and protect personal data and that enable IT to maintain industry-standard technical and physical safeguards?
• Update the incident response plan. Does the plan account for the shortened breach notification deadline? Does it address coordination of compliance obligations where the HIPAA Breach Notification Rule may apply?
• Review third party contracts. Do your service provider contracts need to be updated to address definitions pertaining to personal data and the parties’ responsibilities regarding incident response and breach notification?
• Review insurance coverage. Do you have cybersecurity insurance? Does it need to be updated to cover incident response costs resulting from a data breach involving the new categories of “Personal Information”.
This information is for educational purposes only to provide general information and a general understanding of the law. It does not constitute legal advice and does not establish any attorney-client relationship.