October 14, 2021

Connecticut Amends Data Breach Notification Requirements and Enacts Cybersecurity "Safe Harbor"


On June 16 and July 6, 2021, Connecticut Gov. Ned Lamont signed into law two new cybersecurity bills that keep Connecticut in line with the national trend of expanding cyber incident disclosure obligations, shortening notification timelines, and incentivizing the implementation of recognized cybersecurity standards. Both laws take effect on October 1, 2021. 

The first law, "An Act Concerning Data Privacy Breaches," amends Connecticut's existing data breach law in a number of important ways, among them:

  • The law significantly expands the definition of "personal information" that may trigger notification obligations to include: (i) a taxpayer identification number; (ii) an identity protection personal identification number issued by the IRS; (iii) a passport number; (iv) certain medical information, biometric information, and a user name or email address in combination with a password or security question and answer (regardless of whether the individual's name is accessed in combination with it); and a number of other data elements commonly included in other states' data breach notice laws. 
  • The law significantly shortens the time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach, from 90 days to no later than 60 days after discovery of the breach. If notice cannot be effected within the new 60-day window, a novel and significant amendment requires companies to provide preliminary substitute notice to individuals and to follow up with direct notice as soon as possible.
  • In the event of a login credential breach, the law requires that notice to affected residents be provided in electronic or other form that directs the resident whose personal information was breached, or is reasonably believed to have been breached, to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same user name or email address and password or security question and answer. As with similar statutes, if the user's email address is among the breached data, notice may not be given by email.
  • Any person subject to and in compliance with HIPAA and/or the HITECH Act privacy and security obligations is deemed in compliance with the new law, with two critical exceptions. First, as under New York's SHIELD Act, a person subject to HIPAA or HITECH that is required to notify Connecticut residents of a data breach under HITECH must still notify Connecticut's Attorney General at the same time residents are notified. Second, if the person would have been required to provide identity theft prevention and/or mitigation services under Connecticut law, which is for a period of 24 months, that requirement remains.
  • Lastly, the law provides that all documents, materials and information provided in response to an investigative demand shall be exempt from public disclosure, provided the Attorney General may make such documents, materials or information available to third parties in furtherance of such investigation.

The second law, "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses," establishes a cybersecurity "safe harbor" statute.

The new law will establish an affirmative defense against tort claims alleging that a business's failure to implement reasonable cybersecurity controls caused a data breach. Businesses that have created, maintained, and complied with a written cybersecurity program can take advantage of this "safe harbor" if their written cybersecurity program complies with one or more of the industry-recognized frameworks (such as NIST SP 800-171, NIST SP 800-53, and the ISO/IEC 27000-series) or applicable federal laws (such as the cybersecurity requirements of the Health Insurance Portability and Accountability Act). 

Connecticut is the third state, after Ohio and Utah, to enact a cybersecurity safe harbor statute.

The new laws take effect on October 1, 2021. Companies impacted by these new laws should consider the potential impact on their current policies and procedures. If you have any questions, please contact Michael P. O'Mullan at [email protected], Labinot Alexander Berlajolli at [email protected], Robert N. Holup at [email protected], or any other attorney in Riker Danzig's Cyber Security & Data Privacy practice. 
