Data Protection Report - Norton Rose Fulbright

Effective October 1, 2021, an amendment[1] to the Connecticut General Statute concerning data privacy breaches, Section 36a-701b, will impact notification obligations in several significant ways. The amendment:

  • Expands the definition of “personal information”;
  • Shortens the notification deadline after discovery of a breach from 90 to 60 days;
  • Removes the requirement to consult with law enforcement as part of a risk assessment;
  • Deems compliant any person subject to and in compliance with HIPAA and HITECH; and
  • Provides certain exemptions from public disclosure for materials provided to the state in response to an investigation of a breach of security.

Expanded Definition of “Personal Information”

Under the prior law, Connecticut defined “personal information” in a manner similar to many other states: an individual’s first name or first initial and last name in combination with any one or more of the following:

  • Social Security number;
  • driver’s license number or state identification number; or
  • credit or debit card number, or any financial account number in combination with any required security code, access code or password that would permit access to such financial account.

The amendment adds the following elements to the definition of “personal information,” all of which have been part of recent definitional expansions seen in other states:

  • taxpayer identification number;
  • identity protection personal identification number issued by the IRS;
  • passport number, military identification number or other identification number issued by the government that is commonly used to verify identity;
  • medical information, medical history, mental or physical health condition, medical treatment or diagnosis by a health care professional;
  • health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual; or
  • biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image.

Similar to many other states, the amendment also expands Connecticut’s definition of “personal information” to include a “user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account” even if that information is not combined with an individual’s name.

If an individual’s login credentials are involved in a breach, the amendment provides that notice may be provided in an electronic form so long as the person providing notification can reasonably verify the notified individual’s receipt of the notice. Such notice must direct the individual to “promptly” change their password or security question and answer, or take other appropriate steps to protect the affected online account and all other online accounts for which the individual uses the same user name or electronic mail address and password or security question and answer.

60-Day Notification Window

Among states with an explicit notification period, Connecticut’s prior law provided one of the longer required notification periods. Notice was required without unreasonable delay but no later than 90 days from discovery of the breach. The amendment shortens that period to 60 days, which is more aligned with most other states and not as short as some, such as Colorado[2] or Florida[3], both of which require notice within 30 days of discovery.

Additionally, the revised Connecticut law removes from the notification timeframe the prior elements of incident investigation, identification of affected individuals, and restoration of the impacted systems. In the event that individuals are identified after 60 days, they must be notified as “expediently as possible.”

Risk of Harm Analysis No Longer Requires Law Enforcement Consultation

Connecticut’s prior law did not require notification if the data manager, in consultation with relevant federal, state and local law enforcement agencies, determined the breach would not likely result in harm to individuals. The amended law drops the requirement to consult with law enforcement, allowing for a data manager to make this decision on their own – a position in line with the majority of states with risk of harm analyses and beneficial to data managers where, as is normally the case, a risk analysis can be made without the involvement of law enforcement.

Required Identity Theft Prevention Services

Under Connecticut’s prior law, individuals whose Social Security number was breached or believed to have been breached were required to receive an offer of identity theft prevention or mitigation services at no cost, lasting at least 24 months. The amended law expands this requirement to breaches involving Social Security numbers and taxpayer identification numbers.

HIPAA and HITECH Deemed Compliance

Connecticut’s amended statute follows the course of many other states in deeming as compliant with the statute any person who is subject to and in compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). However, unlike most other states with such exemptions, Connecticut still requires persons subject to HIPAA and HITECH who make notification to individuals under HITECH to also notify the Connecticut Attorney General and provide the individuals with appropriate identity theft prevention services if applicable.

Public Disclosure Exemption

The newly amended statute also provides a limited exemption from public disclosure of any documents, materials and information that a person provides in response to a demand during the course of an investigation of the data breach by the Connecticut government.

Additional Considerations for Businesses

The amendments described above will increase the investigative and notification burden on businesses that hold Connecticut residents’ personal information after a data breach. Furthermore, businesses should consider whether proactive action should be taken to strengthen the protection of the data in their possession that is now considered personal information, and whether internal data collection, handling, retention and destruction policies should be reexamined in light of these statutory changes.

In a unique move, Connecticut now has conditioned the use of email notifications to individuals on an ability to reasonably verify that the email was received. Businesses considering utilizing the new electronic notification option should discuss with competent counsel the mechanisms by which they could reasonably perform this verification. Measures to consider include documenting previously confirmed email addresses, such as those of employees, tracking bounce-back notices, and utilizing email tracking procedures to alert when an email is received or opened.

Finally, it should be noted that this amendment does not contain a unique provision that was part of the original proposal: a requirement that persons who are unable to notify individuals within 60 days after discovery of the breach provide a “preliminary substitute notice” – consisting of an email notice to impacted individuals whose email address is known, a conspicuous website notice, and notification to statewide media – followed by direct notice once the individuals were identified.

[1] https://www.cga.ct.gov/2021/ACT/PA/PDF/2021PA-00059-R00HB-05310-PA.PDF

[2] C.R.S. § 6-1-716

[3] Fla. Stat. § 501.171