Effective October 1, 2021, Connecticut law concerning data breach notification will change. Conn. Gen. Stat. § 36a-701b, passed in 2012, established the notification requirements for business and protections for consumers when a “breach of security” occurs. Now, in an effort to further protect consumers, the Connecticut legislature expanded the reach of the data breach notification statute with PA 21-59.

PA 21-59:

1. Broadens the definition of “personal information” to include several additional identifying factors from taxpayer identification numbers to health and medical information, to electronic username and passwords giving access to online accounts, and more. PA 21-59 (a)(2)

2. Expands application of the data breach notification requirement in that any person who owns, licenses, or maintains computerized data (whether or not conducted in the ordinary course of such person’s business), must comply with the notification requirement. PA 21-59 (b)(1)

3. Shortens the notification timeframe within which to notify consumers and the attorney general of a data breach from ninety days (under the existing law) to sixty days. PA 21-59 (b)(1)

4. Maintains the requirement for data managers who have experienced a breach to provide 24 months of identity theft services to affected consumers. PA 21-59 (b)(2)(B)

5. Provides that any data managers who are in compliance with the privacy and security standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH (Health Information Technology for Economic and Clinical Health) will be deemed in compliance with the data breach reporting requirements,  PA 21-59 (h); and

6. Includes a private cause of action for affected consumers under Connecticut’s Unfair Trade Practices Act (“CUTPA”). PA 21-59 (j)

Businesses and their insurers should be aware that additional expenses may be required with the new expedited investigation and consumer notification requirements, and for defending private causes of action brought under CUTPA or an action by the government for noncompliance with the shortened 60-day notification requirement.

One way to mitigate increased claims however can be found in another recently passed legislation: the Connecticut Cybersecurity Standards For Businesses statute (PA 21-119) which Governor Lamont signed into law on July 6, 2021, and which is also effective October 1, 2021. This law provides businesses with a safe harbor against certain penalties if they have cyber security programs in place, thereby incentivizing them to maintain cybersecurity programs in order to avoid potentially costly remedies for data breaches and to proactively seek to prevent data breaches from occurring. 

To mitigate risks of punitive damages claims, the affirmative defense is available when the action is brought under Connecticut law or in Connecticut state courts and when the defendant business can demonstrate that it conformed to one of the outlined “industry recognized” cybersecurity frameworks listed in the statute.

The named frameworks are:

• Framework for Improving Critical Infrastructure Cybersecurity” of the National Institute for Standards and Technology (NIST).

• NIST special publications 800-171 or 800-53 and 800-53a.

• Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework.

• Center for Internet Security (CIS) Controls

• ISO 27000-series.

• Payment Card Industry Data Security Standards (PCI-DSS) plus the current version of one of the above.