Click here to review text of state statute (see Conn. Gen. Stat. §36a-701b).
(For specific rules applicable to state agencies and contractors providing goods and services to a state agency – click here.)
[For specific rules applicable to the insurance industry effective October 2020 – click here [See §230].
Information Covered / Important Definitions
Personal information of Connecticut residents.
“Security Breach” means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person who conducts business in Connecticut, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information.
[Connecticut has specific statutes which could apply to those engaged in the insurance business.]
Third party recipients:
If a covered entity maintains computerized data that includes personal information that the entity does not own, the entity must notify the owner or licensee of the information of any security breach immediately following discovery if the personal information was, or is reasonably believed to have been breached.
Notice Procedures & Timing / Other Obligations
Written, electronic or telephonic notice must be provided to any resident of Connecticut whose personal information was breached or is reasonably believed to have been breached without unreasonable delay but not later than ninety (90) days after the discovery of such breach unless a shorter time is required under federal law or a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.
- Notice not required if the entity responsible for the data determines in consultation with federal, state and local law enforcement that there is no reasonable likelihood of harm to individuals whose information has been acquired and accessed.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is secured by encryption or by any other method or technology that renders it unreadable or unusable.
Any covered entity that maintains and complies with its own security breach procedures that are consistent with the Connecticut timing requirements is deemed in compliance with Connecticut statute provided such covered entity notifies the Attorney General.
Any covered entity that maintains its own security breach procedures pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator is deemed in compliance with the Connecticut statute provided such person notifies victims of a security breach and notifies the Attorney General.
Notification to Regulator / Waiver
Attorney general must be notified not later than time notice is provided to residents.
A determination of no likelihood of harm:
Must be made in consultation with federal, state or local law enforcement.
Failure to comply with statute constitutes an unfair trade practice.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute (See Conn. Gen. Stat. §36a-701b).
[For specific rules applicable to state agencies and contractors providing goods and services to a state agency – click here.]