Click here to review text of state statute (see Conn. Gen. Stat. §36a-701b).
(For specific rules applicable to state agencies and contractors providing goods and services to a state agency – click here.)
[For specific rules applicable to the insurance industry – click here (see §230).]
Information Covered / Important Definitions
Personal information of Connecticut residents.
Definition also includes: (i) taxpayer identification number; (ii) identity protection personal identification number issued by the Internal Revenue Service; (iii) passport number, military identification number or other identification number issued by the government that is commonly used to verify identity; (iv) medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (v) health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual; and (vi) biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina or iris image.
Definition also captures: user name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account; and precise geolocation data, when in combination with a person’s (1) first name or first initial and (2) last name (as of October 1, 2023).
“Security Breach” means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person who owns, licenses or maintains computerized data that includes personal information.
[Connecticut has specific statutes which could apply to those engaged in the insurance business.]
Third party recipients:
If a covered entity maintains computerized data that includes personal information that the entity does not own, the entity must notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or is reasonably believed to have been, breached.
Notice Procedures & Timing / Other Obligations
Written, electronic or telephonic notice must be provided to any resident of Connecticut whose personal information was breached or is reasonably believed to have been breached without unreasonable delay but not later than sixty (60) days after the discovery of such breach unless a shorter time is required under federal law or a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- In the event of a breach of login credentials, notice may be provided in electronic form that directs the resident to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same user name or electronic mail address and password or security question and answer. Notice should not be made to the impacted electronic mail account if the covered entity cannot reasonably verify the affected resident's receipt of such notification. In such an event, the covered entity shall provide notice by another method described in the statute or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet protocol address or online location from which the person knows the resident customarily accesses the account.
- Substitute notice is available by means prescribed in the statute if costs would exceed $250,000, the affected class exceeds 500,000 persons, or the covered entity has insufficient contact information.
- Notice not required if the entity responsible for the data determines in consultation with federal, state and local law enforcement that there is no reasonable likelihood of harm to individuals whose information has been acquired or accessed.
- If a covered entity identifies additional impacted residents whose personal information was breached or is reasonably believed to have been breached following sixty days after the discovery of such breach, the covered entity shall notify such additional residents as expediently as possible.
- If social security numbers are impacted by the Security Breach, covered entities must provide twenty-four (24) months of free identity theft prevention and mitigation services to affected residents.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is secured by encryption or by any other method or technology that renders it unreadable or unusable.
Any covered entity that maintains and complies with its own security breach procedures that are consistent with the Connecticut timing requirements is deemed in compliance with Connecticut statute provided such covered entity notifies the Attorney General.
Any covered entity that maintains its own security breach procedures pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator is deemed in compliance with the Connecticut statute provided such person notifies victims of a security breach and notifies the Attorney General.
Covered entities subject to HIPAA and HITECH shall be deemed to be in compliance with the statute, provided that the covered entity shall also provide notice to the Attorney General not later than the time when notice is provided to residents where required.
Notification to Regulator / Waiver
The Attorney General must be notified not later than the time notice is provided to residents.
A determination of no likelihood of harm:
Notification not required if determination of no likelihood of harm.
Failure to comply with statute constitutes an unfair trade practice.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.