Connecticut Updates its Data Security Laws, Imposing Stringent New Requirements
On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.” The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identify theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears of data security.
Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification. Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.
In addition, no later than October 1, 2017, health insurers, pharmacy benefit managers and certain other entities regulated by the Connecticut Insurance Department must implement and maintain a “comprehensive information security program” to protect personal information. While the requirements generally track HIPAA obligations that will likely already apply to these entities, the new requirements go further, for example by requiring encryption of all personal information transmitted on a public Internet network or wirelessly, encryption of all personal information stored on a portable device, specified secure authentication and access protocols, and imposition of disciplinary measures for employees who violate the security policies or procedures. Under the security program, the entities must also prevent terminated, inactive, or retired employees from accessing personal information.
New requirements with respect to state contractors will also take effect. Beginning in July 2015, state agencies must require in every written agreement that private contractors implement and maintain a “comprehensive data-security program.” Among other requirements, contractors will be prohibited from storing data on stand-alone devices (such as flash drives or laptop notebooks) unless expressly permitted to do so in the state contract, and contractors, not the State, must bear any added expense associated with implementing the data security program. In addition, the written agreement must stipulate how costs of data breach notification will be allocated between the state agency and the contractor.
With respect to enforcement, the Attorney General continues to have authority over data breach notification. The Act also newly empowers the Attorney General to bring civil suit against a contractor in breach of the new comprehensive data-security program law, while the Secretary of Office Policy and Management may require contractors to take additional security protections where the type and amount of information warrants such protection. With respect to health insurance entities, the Insurance Commissioner will enforce the new data security requirements.
Companies doing business in Connecticut or contracting with the State of Connecticut should carefully review the added data security and breach notification measures and consider whether revisions of current policies are necessary to comply with the state’s stringent new requirements.
Special thanks to summer associate Krista L. White for her contributions to this post.
 S.B. 949 (Ct. 2015).
 “Statement from AG Jepsen on Final Passage of Data Breach Notification and Consumer Protection Legislation,” Connecticut Office of the Attorney General, http://ct.gov/ag/cwp/view.asp?A=2341&Q=566508 (last visited July 13, 2015).