Data Protection Report - Norton Rose Fulbright

On June 11, 2015, Connecticut Governor Dannel Malloy signed Senate Bill 949 (“S.B. 949”) into law. This new law imposes various new requirements relating to data breach response and notification, including a hard 90-day deadline for data breach reporting and a requirement that entities regulated by the Connecticut Insurance Department implement and maintain a “comprehensive information security program” to protect personal information. The various sections of S.B. 949 take effect in stages, with some having taken effect on July 1, 2015, and others becoming effective as late as October 1, 2017.

The current version of Connecticut’s data security law, § 36a-701b, requires that any person conducting business in Connecticut provide notification of a breach of security “without unreasonable delay.” Effective October 1, 2015, the section will retain the “without unreasonable delay” language but will add language requiring that the notification be sent “not later than ninety days after the discovery of such breach, unless a shorter time is required under federal law.”

Also effective on October 1, 2015, is language requiring that businesses provide “appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twelve months” for breaches, or suspected breaches, involving Social Security numbers.

Effective July 1, 2016, S.B. 949 requires retail sellers of new smartphones to install, or make available for download upon initial activation, software or hardware that allows authorized users to “render inoperable the essential features of the smartphone to an unauthorized user.”

S.B. 949 will also require health insurers, health care centers, and other similar regulated entities to “implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company.” The new law requires that the program be in writing and contain administrative, technical and physical safeguards appropriate in light of the size, scope and type of business of such company; the amount of resources available to such company; the amount of data compiled or maintained by such company; and the need for security and confidentiality of such data. These organizations will also be required to update the program “as often as necessary and practicable but at least annually.” These programs must be in place by October 1, 2017.

The provisions in S.B. 949 that apply to state contractors took effect July 1, 2015. Under these sections, state agencies are required to include in written agreements with private contractors terms requiring that contractors implement and maintain a “comprehensive data-security program.” In addition, contractors are prohibited from storing data on stand-alone devices unless expressly permitted in their contracts with the state. Contractors, rather than the State, bear any added expense related to implementing the data security program. Finally, the state contracts must stipulate how costs associated with any data breach notifications will be allocated between the state agency and the contractor.

Enforcement of data security laws remains largely in the control of the Attorney General, who retains the power to institute civil actions for violations of the law. In addition to the Attorney General’s previous authority, S.B. 949 now permits the Attorney General to bring civil suits against contractors in breach of the new comprehensive data-security program law.

Notably, while S.B. 949 was still in the legislative process, Connecticut’s Attorney General, George Jepsen, acknowledged that the law would only set “a floor for the duration of the protection” and that his office may continue to “seek broader kinds of protection.” For example, in a June 2, 2015 statement, Jepsen stated that, in cases where the breach involves more sensitive personal information, he would continue his practice of seeking two years of identity theft prevention or mitigation services, even though the statute requires only one year.

As we have previously documented, many states, including Wyoming, Nevada, and Washington, have taken steps to extend the protection of their data privacy laws. By increasing the scope of protection, along with imposing additional notification requirements when breaches arise, these states increase both the likelihood of incurring, and the expense associated with responding to, data security incidents in these states.
