September 25, 2021

Volume XI, Number 268


New Connecticut Breach Notification Requirements and Cybersecurity Safe Harbor Effective October 2021

Connecticut recently passed two cybersecurity laws that will become effective on October 1, 2021. The newly passed laws modify Connecticut’s existing breach notification requirements and establish a safe harbor for businesses that create and maintain a written cybersecurity program that complies with applicable state or federal law or industry-recognized security frameworks.

New Breach Notification Requirements (HB 5310)

On June 16, 2021, Connecticut Governor Ned Lamont signed HB 5310, An Act Concerning Data Privacy Breaches. HB 5310 amends Connecticut’s existing breach notification requirements by:

  • expanding the types of personal information that may trigger notification requirements if breached, to include: (i) taxpayer ID number; (ii) identity protection personal ID number issued by the IRS; (iii) passport number, military ID number or other government-issued ID number; (iv) biometric data; (v) certain types of medical information; (vi) health insurance ID numbers; and (vii) a user name or email address in combination with a password or security question and answer;

  • shortening the notification timeline of a breach to affected Connecticut residents and the Attorney General from 90 days to no later than 60 days post-discovery of the breach; and

  • requiring “preliminary substitute notice” to individuals if a business cannot provide direct notification within the 60-day notification timeframe. Businesses must also follow up with direct notice as soon as possible following such preliminary substitute notice.

In passing the law, Connecticut joins a number of other states in expanding the definition of “personal information” in its data breach notification statute.

Cybersecurity Safe Harbor (HB 6607)

On July 6, 2021, Governor Ned Lamont signed HB 6607, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses.

HB 6607 prevents the Connecticut Superior Court from assessing punitive damages against an organization that created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information, and that conforms to an industry-recognized cybersecurity framework (e.g., the Payment Card Industry Data Security Standard, the National Institute of Standards and Technology’s Cybersecurity Framework, the ISO/IEC 27000-series information security standards).

The safe harbor also applies in cases where the cybersecurity program conforms to applicable state or federal security laws and regulations (e.g., the security requirements of the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act).

In passing the law, Connecticut joins Ohio and Utah as the third state to enact a cybersecurity safe harbor statute.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume XI, Number 214

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
