December 8, 2022

Volume XII, Number 342



Changes In Recent Connecticut Cybersecurity and Data Privacy Breach Legislation

Effective October 1, 2021, Connecticut law concerning data breach notification will change. Conn. Gen. Stat. § 36a-701b, passed in 2012, established the notification requirements for businesses and protections for consumers when a “breach of security” occurs. Now, in an effort to further protect consumers, the Connecticut legislature has expanded the reach of the data breach notification statute with PA 21-59.

PA 21-59:

  1. Broadens the definition of “personal information” to include several additional identifying factors, from taxpayer identification numbers to health and medical information to electronic usernames and passwords giving access to online accounts, and more. PA 21-59 (a)(2)

  2. Expands application of the data breach notification requirement in that any person who owns, licenses, or maintains computerized data (whether or not conducted in the ordinary course of such person’s business), must comply with the notification requirement. PA 21-59 (b)(1)

  3. Shortens the notification timeframe within which to notify consumers and the attorney general of a data breach from ninety days (under the existing law) to sixty days. PA 21-59 (b)(1)

  4. Maintains the requirement for data managers who have experienced a breach to provide 24 months of identity theft services to affected consumers. PA 21-59 (b)(2)(B)

  5. Provides that any data managers who are in compliance with the privacy and security standards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act will be deemed in compliance with the data breach reporting requirements. PA 21-59 (h)

  6. Includes a private cause of action for affected consumers under Connecticut’s Unfair Trade Practices Act (“CUTPA”). PA 21-59 (j)

Businesses and their insurers should be aware that additional expenses may be required with the new expedited investigation and consumer notification requirements, and for defending private causes of action brought under CUTPA or an action by the government for noncompliance with the shortened 60-day notification requirement.

One way to mitigate increased claims, however, can be found in another recently passed piece of legislation: the Connecticut Cybersecurity Standards For Businesses statute (PA 21-119), which Governor Lamont signed into law on July 6, 2021, and which is also effective October 1, 2021. This law provides businesses with a safe harbor against certain penalties if they have cybersecurity programs in place, thereby incentivizing them to maintain cybersecurity programs in order to avoid potentially costly remedies for data breaches and to proactively seek to prevent data breaches from occurring.

To mitigate risks of punitive damages claims, the affirmative defense is available when the action is brought under Connecticut law or in Connecticut state courts and when the defendant business can demonstrate that it conformed to one of the outlined “industry recognized” cybersecurity frameworks listed in the statute.

The named frameworks are:

© 1998-2022 Wiggin and Dana LLP. National Law Review, Volume XI, Number 271

About this Author

Michael Menapace Insurance lawyer Wiggin Dana

Michael is an insurance lawyer, primarily a litigator defending insurance companies, reinsurers, and insured parties from a wide range of claims that threaten clients’ businesses. He is also a counselor, law school professor, and litigator in areas beyond insurance.

Michael represents insurers in state and federal courts as well as in arbitrations across the country, litigating insurance disputes concerning business practices, bad faith, insurance coverage, reinsurance, premium calculations, and allocation among policies. As a general litigator, he has tried cases concerning utility...


Leah is an Associate in the Litigation Department.

Leah earned her J.D. magna cum laude from Quinnipiac University School of Law. While in law school, Leah contributed to the creation of the International Law and Policy Concentration and served as a Fellow for the Center on Dispute Resolution. Leah earned her B.A. magna cum laude in Middle Eastern Language and Culture from Connecticut College.

Prior to joining Wiggin and Dana, Leah was a consultant at The Abraham Path Initiative where she researched and developed the Path’s hiking trail infrastructure...