Connecticut Incident Response Guidelines

What you need to know to prepare your organization for Connecticut’s new data breach laws

Connecticut incident response guidelines

Connecticut introduced two new data breach laws in June and July 2021:

  • An Act Concerning Data Privacy Breaches: Updates the state law on data privacy breaches by expanding the types of protected information, reducing the timeframe for incident response, and detailing applicability of the law.
  • An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses: Provides protection against punitive damages related to a data breach for organizations that maintain a documented cybersecurity program based on industry standards.

Notably, these laws break the mold compared to what other US states and countries have recently introduced when it comes to data breach regulations. They are among the most business-friendly data breach regulations worldwide, as neither law gives consumers specific rights (such as the rights to access, correct, delete, and opt out) and they provide safe harbor protection for compliant businesses.

Automate Connecticut regulations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Who Must Comply with Connecticut’s Data Breach Laws?

Connecticut’s Act Concerning Data Privacy Breaches covers compliance, requiring any business “who owns, licenses, or maintains computerized data that includes ‘personal information’” on Connecticut residents to comply with the regulations.

Organizations in compliance with the Health Insurance Portability and Accountability Act (HIPAA) or the Health Information Technology for Economic and Clinical Health Act (HITECH) can adhere to those regulations’ breach notification requirements and simply need to include the State Attorney General in any cases involving Connecticut residents.

What types of data are considered “personal information” under Connecticut’s law?

Connecticut’s new law expands the definition of personal information to include (1) a username or email address in combination with a password or security question and (2) a person’s first name or first initial and last name in combination with one of the following:

  • Social security numbers
  • Driver’s license number
  • State identification card number
  • Credit or debit card number
  • Financial account number in combination with any required security code or password
  • Passport number, military identification number, or other government identification numbers commonly used to verify identity
  • Taxpayer identification number or identity protection personal identification number issued by the Internal Revenue Service
  • Information regarding medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional
  • Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual
  • Biometric information used to authenticate or determine identity, such as a fingerprint, voice print, retina, or iris image

How Do Connecticut’s Data Breach Laws Get Enforced?

Connecticut’s Act Incentivizing the Adoption of Cybersecurity Standards for Businesses covers enforcement and encourages compliance by protecting organizations from punitive damages if they meet certain cybersecurity standards.

How Does the Safe Harbor Protection Work?

Organizations that create, maintain, and comply with a written cybersecurity program that contains “administrative, technical, and physical safeguards for the protection of personal or restricted information,” are protected against punitive damages in the case of a data breach (except in cases of gross negligence or willful misconduct).

What if Organizations Don’t Qualify for Protection?

Organizations that don’t have a written cybersecurity program based on an accepted framework can face actual and punitive damages, costs, attorneys’ fees, and civil penalties. For larger breaches, most state attorneys general join a multi-state settlement that ranges from tens of millions to hundreds of millions of dollars.

What Security Frameworks Qualify Organizations for Protection?

An organization’s cybersecurity program must be based on one of the following industry-recognized frameworks to qualify for Connecticut’s safe harbor protection:

  • Framework for Improving Critical Infrastructure Cybersecurity from the National Institute of Standards and Technology
  • NIST Special Publications 800-171, or 800-53 and 800-53A
  • Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework
  • Center for Internet Security controls
  • ISO 27000 series
  • Title V of the Gramm-Leach-Bliley Act
  • Federal Information Security Modernization Act

*Organizations subject to the Payment Card Industry Data Security Standard (PCI-DSS) must comply with one of the frameworks listed above as well as the current version of PCI-DSS to qualify for the protection. This includes a 6-month grace period to comply with revisions to the standard.

What Incident Response Measures Does Connecticut Require?

Connecticut requires organizations to investigate any potential data breach. They only need to issue a notification if the investigation indicates the breach could result in harm to the affected Connecticut residents.

  • Who to notify: All affected Connecticut residents and the State Attorney General.
  • How to issue the notification: In writing, by telephone, or via email.
  • Qualifications for a substitute notification: If the cost of issuing the notification would exceed $250,000, if the incident affected more than 500,000 Connecticut residents, or if the organization doesn’t have sufficient contact information for affected individuals.
  • How to issue a substitute notification: Email affected residents (if the organization has sufficient contact information), add a conspicuous posting on the company website (if one exists), and notify major statewide media (including newspapers, radio stations, and television stations).
  • When to issue the notification: Within 60 days of discovering the breach, even if an investigation is not complete (down from 90 days under the previous state law). If organizations identify additional Connecticut residents affected by the incident after the 60 days, they must notify them “as expediently as possible.”

The notification to affected Connecticut residents should include:

  • Name and contact information of the person at the organization reporting the breach
  • Name and address of the organization and indication about the type of business
  • General description of the breach, including the date(s) of the breach, when it was discovered, and any remedial steps taken in response
  • A detailed list of the categories of personal information affected
  • *If the breach involved social security numbers or taxpayer identification numbers: An offer for a minimum of 24 months of identity theft prevention services (and identity theft mitigation services if applicable) at no cost to affected consumers, all necessary information to enroll in the services, and details on how to place a freeze on their credit file

The notification to the State Attorney General should also include:

  • The number of Connecticut residents affected by the breach
  • The date(s) the notification was or will be sent to affected Connecticut residents
  • A template copy of the notification sent to affected Connecticut residents
  • Whether credit monitoring or identity theft protection services have been or will be offered, as well as a description and length of such services
  • Whether the notification was delayed due to a law enforcement investigation (if applicable)

If the incident compromised a username or email address in combination with a password or security question and answer, organizations must prompt users to change their login credentials and cannot send the notification to the email address involved in the breach unless they can reasonably verify that the correct person received the notice.

Importantly, information organizations provide in response to an investigation connected to a data breach will be exempt from public disclosure under Connecticut’s Freedom of Information law. However, the attorney general does have the authority to share this information with third parties as needed throughout the investigation.

What Types of Privacy Incidents Can Trigger a Notification?

The expanded definition of personal information in Connecticut’s Act Concerning Data Privacy Breaches leads to more potential incidents that can trigger the need to issue a notification. Examples of commonly encountered incidents include:


Data Theft

When attackers gain unauthorized access to data and transfer it to their own devices or servers.


Ransomware Attack

When malware installed on a computer steals information and holds it for ransom in exchange for money.

Watering Hole Attack

When attackers profile what websites their target victims are likely to visit and infect those websites to gain access to their computers or network.


Phishing Attack

When users are fooled into clicking on a fake link or responding to a fake email that looks real, exposing sensitive information such as login credentials.

Drive-by Download Attack

When a malicious program is installed on a computer without the user’s knowledge, leaving it vulnerable to further attack such as spying on user activity or stealing data.


Exposed Digital Records

When digital records get shared improperly, for example by sharing an unencrypted version of data or sending data to the wrong person.

The Importance of Proactive Incident Response for Connecticut

Connecticut’s data breach laws make proactive preparation for incident response essential, as this proactive planning can help organizations achieve safe harbor protection in the case of a breach and meet the state’s shortened time frame for incident notifications.

This preparation must also remain an ongoing effort so that organizations can keep track of any changes to requirements (such as how Connecticut expanded the definition of personal information and shortened the incident response timeline) in order to remain compliant going forward.

Supercharge your incident response strategy with the BreachRx platform

Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.