September 28, 2021

Volume XI, Number 271


September 27, 2021


Connecticut Expands Data Breach Notification Law, Changes Effective October 1, 2021

In addition to recently passing a cybersecurity safe harbor law, Connecticut also updated its data breach notification law. Connecticut joins Texas in passing changes to breach notification requirements this year. There are three key changes included in this amendment.

  • Expansion of the definition of “personal information”. Falling in line with many other states, the law now broadens “personal information” to also include (i) taxpayer identification number; (ii) IRS identity protection personal identification number; (iii) passport number, military ID or other government ID; (iv) certain medical information; (v) health insurance policy information; (vi) biometric information; and (vii) a user name or email address in combination with a password or security question and answer (regardless of whether or not the individual’s name is accessed in combination with it), in addition to the other existing elements.

  • Shortened Notification Requirements. The time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach has been shortened from 90 days to no later than 60 days after discovery of the breach. Further, if notice cannot be made within the new 60-day window, companies are to provide preliminary substitute notice to individuals and follow up with direct notice as soon as possible.

  • HIPAA/HITECH Exemption, Except for AG Notice. If notice is provided to Connecticut residents in compliance with HIPAA and HITECH, then the notice is deemed compliant with Connecticut requirements. However, notice must still be provided to the Connecticut Attorney General (no later than when notice is provided to residents).

Putting it Into Practice: Beginning October 1, companies that suffer a breach impacting Connecticut residents will want to keep these changes in mind, namely the expanded definition of personal information and the shortened notification timelines.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 207

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also works on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334