Connecticut has joined the handful of US states and countries worldwide introducing comprehensive data breach legislation. But Connecticut’s newest laws have a slightly different focus than other regulations we’ve seen to date.
In June and July 2021, Connecticut signed into law two bills that focus on privacy and cybersecurity. The first, An Act Concerning Data Privacy Breaches, updates the state law on data privacy breaches by expanding the types of protected information, reducing the timeframe for incident response, and detailing applicability of the law. The second, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, provides protection against punitive damages related to a data breach for organizations that maintain a documented cybersecurity program based on industry standards.
Among the many nuances that distinguish the pair of Connecticut laws, two of the most notable are the fact that neither law gives consumers specific rights (such as the rights to access, correct, delete, and opt out) and that they provide safe harbor protection for compliant businesses. Together, these factors make Connecticut’s privacy and cybersecurity legislation among the most business-friendly worldwide.
Notably, the fact that organizations in compliance with all elements of the laws are protected from punitive damages in the case of a data or security breach makes adhering to these regulations particularly important.
Who Must Comply with Connecticut’s Data Breach Laws?
Connecticut’s Act Concerning Data Privacy Breaches outlines who must comply with the state’s data breach laws. It extends compliance to anyone “who owns, licenses, or maintains computerized data that includes ‘personal information’” on Connecticut residents. This means the law applies to any organization that might collect or process data on Connecticut residents, regardless of where the company itself is located. Importantly, the law only covers digital data records.
Since any organization that maintains personal information on Connecticut residents must comply, it’s critical to understand exactly what that covers. The law expands the definition of personal information from a 2005 state law to include (1) a username or email address in combination with a password or security question that would grant access to the account and (2) a person’s first name or first initial and last name in combination with one or more of the following:
- Social security number
- Driver’s license number
- State identification card number
- Credit or debit card number
- Financial account number in combination with any required security code, access code, or password that would grant access
- Passport number, military identification number, or other government identification numbers commonly used to verify identity
- Taxpayer identification number or identity protection personal identification number issued by the Internal Revenue Service
- Information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
- Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual
- Biometric information used to authenticate or determine identity, such as a fingerprint, voice print, retina, or iris image
Additionally, the law creates an exception for organizations in compliance with the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH). Organizations complying with these laws can adhere to the breach notification requirements outlined in the federal regulations and should include the State Attorney General in any cases involving Connecticut residents.
How do Connecticut’s Data Breach Laws Get Enforced?
Connecticut’s Act Incentivizing the Adoption of Cybersecurity Standards for Businesses covers enforcement for the state’s data breach laws. Contrary to most privacy laws to date, which encourage compliance by issuing fines for breaches, Connecticut’s law encourages compliance by protecting organizations from punitive damages if they meet certain cybersecurity standards.
Specifically, if organizations create, maintain, and comply with a written cybersecurity program that contains “administrative, technical, and physical safeguards for the protection of personal or restricted information,” then they are protected against punitive damages in the case of a data breach (except in cases of gross negligence or willful misconduct). Organizations’ cybersecurity program must be based on one of the following industry-recognized frameworks to qualify for this safe harbor protection:
- Framework for Improving Critical Infrastructure Cybersecurity from the National Institute of Standards and Technology (NIST)
- NIST Special Publications 800-171, or 800-53 and 800-53A
- Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework
- Center for Internet Security controls
- ISO 27000 series
- HIPAA or HITECH
- Title V of the Gramm-Leach-Bliley Act
- Federal Information Security Modernization Act
Any organization subject to the Payment Card Industry Data Security Standard (PCI-DSS) must comply with one of the frameworks listed above as well as the current version of PCI-DSS to qualify for the protection. The state does give a six-month grace period for organizations to comply with any revisions to PCI-DSS.
On the flip side, organizations that don’t have a written cybersecurity program based on one of these frameworks can face actual and punitive damages, costs, attorneys’ fees, and civil penalties. For larger breaches, most state attorneys general participate in a multi-state settlement that ranges from tens of millions to hundreds of millions of dollars.
What Incident Response Do Connecticut’s Data Breach Laws Require?
Connecticut’s Act Concerning Data Privacy Breaches includes detailed guidelines for how organizations need to respond when an incident occurs.
Importantly, if organizations conduct a full investigation and determine there is no risk of harm to the consumers whose data was acquired or accessed, then they do not need to issue a notification. If the investigation does indicate the breach could result in harm to the affected Connecticut residents, then organizations must issue a notification based on the following requirements:
Who to Notify
Organizations that experience a breach involving personal information of Connecticut residents need to issue a notification about the incident to any affected residents as well as the State Attorney General.
When to Issue the Notification
This notification must go out within 60 days from the time the organization discovered the breach, even if an investigation is not complete. If organizations identify additional Connecticut residents affected by the incident after the 60 days, they must notify them “as expediently as possible.” The one exception to this timing is a delay in the case of an ongoing law enforcement investigation.
These timing requirements include two notable changes from Connecticut’s older law:
- Reducing the notification deadline from 90 days to 60 days
- Eliminating an extension to the notification deadline for ongoing investigations
What to Include in the Notification
Organizations can issue the notification in writing, by telephone, or via email. In any format, the notification to residents must include the following information:
- Name and contact information of the person at the organization reporting the breach
- Name and address of the organization and indication about the type of business
- General description of the breach, including the date(s) of the breach, when it was discovered, and any remedial steps taken in response
- A detailed list of the categories of personal information affected
- If the breach involved social security numbers or taxpayer identification numbers: an offer of a minimum of 24 months of identity theft prevention services (and identity theft mitigation services, if applicable) at no cost to affected consumers, as well as all the information necessary to enroll in the services and details on how to place a freeze on their credit file
The notification to the attorney general must also include:
- The number of Connecticut residents affected by the breach
- The date(s) the notification was or will be sent to affected Connecticut residents
- A template copy of the notification sent to affected Connecticut residents
- Whether credit monitoring or identity theft protection services have been or will be offered to affected Connecticut residents, as well as a description and the length of such services
- Whether the notification was delayed due to a law enforcement investigation (if applicable)
If the breach involved a username or email address in combination with a password or security question/answer, the organization must also prompt users to change their login credentials. In these cases, they also cannot send the notification to the email address involved in the breach unless they can reasonably verify that the correct person received the notice. Instead, they should use another form of notification or an alternate email address.
The organization can issue a substitute notice if the cost of issuing the notification would exceed $250,000, if the incident affected more than 500,000 Connecticut residents, or if the organization doesn’t have sufficient contact information for affected individuals. The substitute notice should include all of the following:
- Email notice to affected residents if the organization has the appropriate contact information
- Conspicuous posting on the company website if the organization has one
- Notice to major statewide media, including newspapers, radio, and television
Finally, any information organizations provide in response to an investigation connected to a data breach will be exempt from public disclosure under Connecticut’s Freedom of Information law. However, the attorney general does have the authority to share this information with third parties as needed throughout the investigation.
What Types of Privacy Incidents Can Trigger Notification in Connecticut?
The expanded definition of personal information in Connecticut’s Act Concerning Data Privacy Breaches leads to more potential incidents that can trigger the need to issue a notification. As a result, any organization that collects and processes data on Connecticut residents must pay close attention to the new types of data covered by this law.
Examples of common incidents that would require a business to issue a data breach notification under the new laws include any of the following breaches that compromise personal information as newly defined by the state and create potential risk to consumers as a result:
- Data theft (e.g. exfiltration): When attackers gain unauthorized access to data and transfer it to their own devices or servers.
- Ransomware attack: When malware installed on a computer steals or encrypts information and holds it for ransom in exchange for payment.
- Phishing attack: When users are fooled into clicking a fake link or responding to a fraudulent email that looks legitimate, and as a result expose sensitive information such as login credentials.
- Drive-by download attack: When a malicious program gets installed on a computer (typically through a downloaded program) that makes it vulnerable to cyberattack, such as spying on user activity or stealing data.
- Watering hole attack: When attackers profile what websites their target victims are likely to visit and infect those websites to gain access to their computers or network.
- Exposed digital records: When digital records get shared improperly (even if it’s an accident), for example by sharing an unencrypted version of data or sending data to the wrong person.
How Can Organizations Prepare for Connecticut’s Data Breach Laws?
Given the safe harbor protection that Connecticut’s new Act Incentivizing the Adoption of Cybersecurity Standards for Businesses offers for organizations that meet certain requirements, no business can afford not to be prepared.
This preparation should start by assigning responsibility for cybersecurity within the organization. From there, the team responsible can determine the security framework that works best for the organization based on Connecticut’s list and then develop a written cybersecurity program accordingly.
Of course this is not a one-time exercise, as Connecticut requires organizations to not just create, but also maintain and comply with that program over time. Meeting this goal requires implementing practices based on the program and regularly revisiting it as security standards change.
In pursuit of that goal, organizations should consider three critical phases of incident response:
1) Readiness
The readiness phase is all about having a response plan in place that allows the organization to quickly and confidently respond when an incident does occur. This is especially important since Connecticut reduced the amount of time businesses have to issue an incident notification from 90 days to 60 days.
Readiness activities should start with reviewing state requirements as well as those in the cybersecurity framework the organization will follow plus any customer and partner contracts. Next, they should include outlining incident response plans based on those requirements and revisiting those requirements to stay up to date on changes.
2) Response
The response phase centers on an organization’s ability to actually put its plans in motion when an incident does occur. A big part of this response in Connecticut is being able to quickly investigate what happened and who was involved in order to issue a proper and complete notification within the 60-day window.
Response activities should include gaining visibility into what happened (who was affected, when it happened, and what the risks are), issuing a breach notification with the complete information and to the proper people based on company protocols and state requirements, and jumping into remediation mode to fix the issue.
3) Ongoing Management
Finally, ongoing management helps ensure incident response remains a continued effort. This regular focus is particularly critical as state regulations get updated, contracts with customers and partners change, and cybersecurity frameworks evolve.
Ongoing management activities typically cover establishing a centralized dashboard where all reporting, monitoring, and response plans can live and making that dashboard accessible to all stakeholders to promote visibility and alignment with future policy changes.
Where Connecticut Breaks the Mold: Safe Harbor Protection and Clear Cybersecurity Measures
Digital privacy laws are popping up everywhere. While many of these laws draw inspiration from each other and, therefore, share a lot of similarities, Connecticut’s new laws break the mold in two notable ways.
First is Connecticut’s offer of safe harbor protection from punitive damages for any business that creates, maintains, and complies with a written cybersecurity program that meets certain standards. Other privacy regulations, such as GDPR and LGPD globally and CCPA/CPRA and CPA in the US, do place the responsibility of protecting consumer information on organizations, but they offer no protection for a business when something goes wrong — regardless of what kind of security measures they have in place.
Second is the fact that Connecticut goes so far as to define what an acceptable cybersecurity program looks like by listing a handful of industry-accepted frameworks with which organizations can choose to comply. In contrast, most other privacy regulations offer far more subjective guidance as to what level of responsibility organizations have to secure consumer data. Consider the following:
- Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD): Organizations must adopt “security, technical, and administrative measures to protect personal data” from unauthorized access, unlawful communication, and purposeful or accidental destruction, loss, and alteration.
- California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA): Organizations must implement and maintain “reasonable security procedures.”
- Colorado Privacy Act (CPA): Security protocols should be “appropriate to the volume, scope, and nature of the personal data processed.”
- European Union’s General Data Protection Regulation (GDPR): Organizations must implement processes for regularly testing, assessing, and evaluating data security and the effectiveness of security measures, keep a record of any data breaches, and make themselves available for audits by the supervisory authority.
- Virginia’s Consumer Data Protection Act (CDPA): Organizations must introduce “reasonable administrative, technical, and physical data security practices” as well as data protection assessments to cover processing activities.
All of these security obligations are very open-ended, especially in contrast to Connecticut’s, which provides organizations with a clear list of more than five well-documented security frameworks they can follow to comply with the law.
The Importance of Proactive Preparation for Incident Response
Connecticut’s new pair of privacy laws makes proactive preparation for incident response more important than ever for organizations that maintain data on state residents.
This type of proactive preparation can not only help organizations achieve safe harbor protection in the case of a breach, but it can also help them jump into response mode quickly to meet the state’s shortened time frame for incident notifications.
Additionally, the new laws represent changes to what was already in place (for example by expanding the definition of personal information and shortening the incident response timeline), and those changes certainly won’t be the last. As requirements continue to change, keeping a proactive stance will be essential to remaining compliant.