In May 2022, Connecticut joined the ranks of California, Virginia, Colorado, and Utah by signing into law comprehensive privacy legislation. The new law, An Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), will go into effect on July 1, 2023 (although a few provisions have an extended timeline).
This law gives Connecticut consumers the rights to access, delete, correct, and obtain a copy of their data as well as the right to opt out of certain data processing. Although the CTDPA grants these rights, it maintains a similar “business-friendly” nature to the Virginia and Utah laws – which stands in contrast to many other global privacy laws.
Regardless of how business-friendly the CTDPA may be, there are numerous important implications for companies that do business in Connecticut and serve residents in the state, making it important to understand what’s required under the new law to get in compliance.
Who Must Comply with the CTDPA
Any company that does business in Connecticut or whose products and services target Connecticut residents and meets the following requirements must comply with the CTDPA:
- Controls or processes personal data of 100,000 or more consumers annually, except for personal data used solely to complete a payment
- Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers
The CTDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual,” with exclusions for deidentified or publicly available information.
That said, it’s important to note that the law includes several organization and data-level exemptions.
- Exempt organizations: The CTDPA does not apply to state and local government agencies, nonprofits, higher education institutions, certain national securities associations, and organizations subject to HIPAA or the Gramm-Leach-Bliley Act.
- Exempt data: The CTDPA does not apply to personal data subject to the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, or the Airline Deregulation Act. It also does not apply to certain healthcare-related information, employment-related data (including job application data), emergency contact information, or data used to administer benefits.
How Connecticut Enforces the CTDPA
Connecticut’s attorney general is exclusively responsible for enforcing the CTDPA, as the law offers no private right of action. The enforcement rules change slightly as the law is phased in.
From July 1, 2023 to December 31, 2024, the attorney general must provide companies with a notice of alleged violations and a 60-day cure period before moving forward with any action. Starting January 1, 2025, the attorney general will have discretion over whether or not to allow a cure period based on the violating organization’s number of violations, size and complexity, and nature and extent of data processing, as well as the likelihood of injury to the public, potential safety risks, and the cause of the violation (e.g. human vs. technical error).
Any violations that are not cured (if given the opportunity) are subject to penalties under the Connecticut Unfair Trade Practices Act (CUTPA), which includes fines of up to $5,000 for willful violations, up to $25,000 for restraining order violations, and actual and punitive damages, costs, and reasonable attorneys’ fees.
Additionally, after the CTDPA goes into effect, the attorney general has until February 1, 2024 to submit a report to the Connecticut General Assembly detailing the number of violations found, the nature of those violations, the number of violations cured, and any other relevant information.
Protection Measures Required of Companies Under the CTDPA
The CTDPA outlines several obligations for companies that control or process data to help prevent incidents from occurring. These obligations include:
- Being transparent about what data is collected and the purpose for which it will be used
- Limiting data collection to only what’s necessary
- Not using data for secondary purposes beyond those disclosed to consumers
- Not discriminating against consumers for exercising their rights under the law
- Allowing consumers to revoke their consent
- Obtaining opt-in consent before processing sensitive data (defined as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health conditions, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data for identification, children’s data, and precise geolocation data)
- Establishing, implementing, and maintaining reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data
- Conducting a data protection assessment for any processing that presents a heightened risk of harm to consumers, including processing data for personal advertising, selling personal data, processing sensitive data, and processing personal data for profiling that could create a risk of unfair treatment, financial, physical, or reputational injury, or intrusion of privacy
Incident Response Measures Required Under the CTDPA
Serious security incidents also require a response under Connecticut law; however, those requirements are governed by a 2021 law – An Act Concerning Data Privacy Breaches – rather than by the CTDPA itself.
What’s Considered a Security Breach
A security breach is any instance of unauthorized access or acquisition of computerized personal information, which includes a first name or initial and last name along with at least one of the following:
- Social security number
- Driver’s license or state identification card number
- Financial account number in combination with any required security code, access code, or password
- Credit or debit card number
- Individual taxpayer identification number
- Identity protection personal identification number issued by the IRS
- Passport, military identification, or other identification number issued by the government to verify identity
- Information about an individual’s medical history, mental or physical condition, or medical treatment or diagnosis
- Health insurance policy number, subscriber identification number, or any unique identifier from a health insurance company
- Biometric information, including electronic measurements of unique physical characteristics used to authenticate or identify an individual (e.g. fingerprint, voice print, retina, iris image)
- Username or email address in combination with a password or security question and answer
Who to Notify Following a Security Breach
Organizations that experience a security breach must notify affected consumers and the state attorney general.
When and How to Issue a Notification About a Security Breach
Organizations must issue a notification within 60 days of discovering the breach.
An older version of the law allowed for 90 days and enabled organizations to skip notifying individuals if an investigation revealed low likelihood of harm; however, the latest version of the law changes this and requires a notification in the shorter timeframe regardless of any investigative outcomes.
The notification must be issued through written, telephone, or electronic notice. Organizations can issue a substitute notice if using those methods would cost more than $250,000, the breach affected over 500,000 people, or there is insufficient contact information. Options for a substitute notice include email (although organizations cannot issue a notification via email if the security breach may have compromised a user’s email account) or a clear and conspicuous notice online.
What to Include in Breach Notifications
There are no specific requirements for what should be included in breach notifications to consumers, except in two instances:
If the breach involved login credentials, the company must instruct users to promptly change their password and security questions and answers and to take other appropriate steps to protect any other accounts with the same login credentials.
If the breach involved social security or taxpayer identification numbers, the company must offer identity theft prevention services for at least 24 months.
Exceptions to Issuing a Notification
The only exception to issuing a notification in Connecticut is for organizations already in compliance with HIPAA and/or the HITECH Act. In these cases, organizations must still notify the Connecticut attorney general of any breach; however, they only need to notify affected residents of the state in accordance with Connecticut law if the breach triggers the need to provide identity theft protection services.
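To make the rules in the sections above concrete, here is an added Python example (written for this page, not BreachRx tooling or statutory text) that encodes the breach definition, the 60-day deadline, the two content mandates, the HIPAA/HITECH exception, and the substitute-notice conditions as a triage helper; the field labels and the sample incident are constructed assumptions.

```python
from datetime import date, timedelta

# Data elements that, together with first name/initial + last name, make a record
# "personal information" under Connecticut's breach law (the list above). The field
# labels are an assumed normalisation of record fields, not statutory terms.
TRIGGER_ELEMENTS = {
    "ssn", "drivers_license", "state_id", "financial_account_with_code",
    "credit_card", "debit_card", "itin", "irs_ip_pin", "passport", "military_id",
    "government_id", "medical_info", "health_insurance_id", "biometric",
    "login_credentials",
}
IDENTITY_THEFT_TRIGGERS = {"ssn", "itin"}  # SSN/TIN exposure -> 24 months of ID-theft services

def is_personal_information(exposed: set) -> bool:
    """Name (first name or initial plus last name) combined with at least one trigger element."""
    has_name = "last_name" in exposed and bool(exposed & {"first_name", "first_initial"})
    return has_name and bool(exposed & TRIGGER_ELEMENTS)

def plan_notification(exposed: set, discovered: date, affected: int, direct_cost: float,
                      has_contact_info: bool = True, email_compromised: bool = False,
                      hipaa_covered: bool = False) -> dict:
    """Apply the Connecticut notification rules summarised above to one incident."""
    if not is_personal_information(exposed):
        return {"notify": False}
    plan = {"notify": True, "deadline": discovered + timedelta(days=60),  # 60 days from discovery
            "recipients": ["Connecticut Attorney General"], "content": [], "substitute": []}
    if "login_credentials" in exposed:
        plan["content"].append("instruct users to change passwords and security Q&A")
    if exposed & IDENTITY_THEFT_TRIGGERS:
        plan["content"].append("offer identity theft prevention services for 24 months")
    # HIPAA/HITECH entities always notify the AG; residents only if ID-theft services are triggered
    if not hipaa_covered or exposed & IDENTITY_THEFT_TRIGGERS:
        plan["recipients"].append("affected Connecticut residents")
    # Substitute notice permitted if direct notice costs > $250,000, > 500,000 people, or no contact info
    if direct_cost > 250_000 or affected > 500_000 or not has_contact_info:
        plan["substitute"].append("clear and conspicuous online notice")
        if not email_compromised:  # email substitute not allowed if email accounts may be compromised
            plan["substitute"].append("email")
    return plan

# Constructed sample incident: a credential dump that also exposed SSNs, discovered 1 Aug 2023
SAMPLE = plan_notification({"first_name", "last_name", "ssn", "login_credentials"},
                           date(2023, 8, 1), affected=600_000, direct_cost=40_000,
                           email_compromised=True)
```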
Examples of Security Breaches that Require Notification in Connecticut
Any instance of unauthorized access to or acquisition of computerized personal information can trigger Connecticut’s security breach notification requirement. Common examples include:
In a zero-day attack, hackers exploit a vulnerability in software – typically one that is unknown to the developer or is known and hasn’t been patched yet – to gain access to data, programs, and networks related to that software. This type of attack is challenging to detect and therefore tends to go on for an extended period of time.
Most cyberattacks involve some form of exfiltration: attackers gain unauthorized access to data and copy it to devices or servers they control, to do with as they please.
In a password attack, attackers use social engineering, a leaked password database, or basic guessing to obtain a legitimate user’s password and then use it to log in to any accounts that share that password. By posing as a legitimate user, attackers can gain access to secured systems to view or acquire data.
How Organizations Can Prepare for Compliance with the CTDPA
Between Connecticut’s requirement for companies to implement and maintain reasonable security practices and the recent shortening of the security breach notification window from 90 days to 60 days, no organization can afford to be unprepared.
Specifically, companies should take a proactive approach to security and incident response by developing response plans, confirming stakeholder responsibilities, and coordinating workflows along the way. Doing this effectively requires preparing for three important phases of incident response:
Readiness is all about making sure response plans are in place before they’re ever needed – that way the company can jump into action as quickly as possible following an incident. As notification timelines continue to shorten and the costs associated with breaches increase, the faster a company can respond, the better the outcomes will be. Automation is critical.
Important efforts during the readiness phase include reviewing requirements in relevant regulations and customer and partner contracts, documenting response plans for each regulation, assigning responsibility over key initiatives, and leading tabletop exercises to prepare stakeholders.
Response focuses on what happens when an incident does occur, including investigating the breach, curing the issue, and issuing notifications as required. Organizations must ensure a complete response to stay in compliance with regulations like the CTDPA, not to mention that doing so can help bolster customer trust following an incident.
Important efforts during the response phase include investigating the incident (what happened, how and when it occurred, which systems and data were impacted, potential risks), fixing vulnerabilities to prevent the issue from persisting, issuing notifications based on regulatory requirements, and creating a safe haven for team communications related to all response efforts.
Ongoing management centers around making sure incident response preparation isn’t a one-and-done effort. It’s about revisiting response plans regularly to keep them up to date as regulations change or come about and looking for opportunities to improve security measures and response efficiency.
Important efforts during the ongoing management phase include introducing a centralized dashboard for reporting on incident response plans and keeping track of changes to regulations and contracts, keeping stakeholders aligned on their responsibilities and changes to plans, and identifying ways to strengthen response efforts by shoring up areas of weakness.
Where Connecticut Falls on the Spectrum of US Privacy Laws to Date
As comprehensive privacy legislation comes to more states across the US, it’s important to consider how these laws are both similar to and different from one another. With the five in place so far, a spectrum is emerging in terms of strictness. Here’s a look at where Connecticut falls on that spectrum:
Most Strict: California’s CCPA/CPRA
California’s privacy laws – the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – represent the strictest in the US, making them more closely aligned to global laws like the EU’s GDPR than other laws in the US.
Some of the factors that make California’s laws the strictest include:
- Single point of qualification for compliance (vs. two or three points)
- A private right of action
- Dedicated (and self-funded) enforcement agency
- Extremely specific requirements for issuing a notification
Moderate: Colorado’s CPA and Connecticut’s CTDPA
The Colorado Privacy Act (CPA) and the CTDPA have a lot of commonalities, and they fall in the middle of the road as far as US privacy legislation to date.
Similarities that put the CPA and CTDPA in the moderate camp include:
- Two points of qualification for compliance (vs. one or three points)
- No private right of action
- Exceptions for certain instances of selling data
- Explicit timeline for issuing breach notifications
Most Business-Friendly: Virginia’s CDPA and Utah’s UCPA
Finally, the Virginia Consumer Data Protection Act (CDPA) and the Utah Consumer Privacy Act (UCPA) are the most business-friendly of the US laws, and more business-friendly than many privacy laws around the world.
Some of the factors that make Virginia’s and Utah’s laws so business-friendly include:
- Three points of qualification for compliance (Utah only; Virginia has two)
- Right to opt out of certain instances of processing only
- Vague timeline for issuing breach notifications (simply “without unreasonable delay”)
Ensuring Proactive Incident Response Becomes a Priority
As cybersecurity incidents continue to increase in frequency and intensity, we can expect even more laws like the new CTDPA to crop up. Against this backdrop, companies must prioritize proactive incident response, because even with the best cybersecurity in place, incidents are now inevitable.
Getting proactive about incident response requires keeping updated as regulations evolve and new regulations come about (both of which are happening more often), developing ready-to-go response plans, assigning responsibilities among team members, preparing team members with simulations, and revisiting all of those initiatives on an ongoing basis to ensure readiness at all times.
When done effectively, this proactive approach to incident response can help companies stay in compliance and respond completely and quickly when incidents occur – helping to reduce costs and avoid penalties, better maintain customer trust, and recover faster.