Connecticut Data Privacy Act

What you need to know about Connecticut’s comprehensive privacy law

Connecticut incident response guidelines

In May 2022, Connecticut signed into law An Act Concerning Personal Data Privacy and Online Monitoring (CTDPA). This marks the first comprehensive privacy legislation in the northeastern US and will go into effect on July 1, 2023. Here’s what every company that does business in Connecticut or serves residents in the state needs to know to get in compliance.

Who Must Comply with the CTDPA

Any company that does business in Connecticut or whose products and services target Connecticut residents and meets the following requirements is subject to the CTDPA:

  • Controls or processes personal data of 100,000 or more consumers annually, except for personal data used solely to complete a payment
  • Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers

The law does include exemptions for certain organizations and certain types of data:

  • Exempt organizations: State and local governments, non-profits, higher education institutions, certain national security associations, and organizations subject to HIPAA or the Gramm-Leach-Bliley Act
  • Exempt data: Data subject to specified federal regulations, healthcare related information, employment related data, emergency contact information, and data used to administer benefits

The CTDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual,” with exclusions for deidentified or publicly available information.

How does the CTDPA get enforced?

Connecticut’s attorney general is responsible for enforcing the CTDPA. Through 2024, the attorney general must provide companies with a notice of alleged violations and a 60-day cure period. Starting in 2025, the attorney general will have discretion over whether or not to offer a cure period.

What is the penalty for non-compliance?

Any uncured violations are subject to penalties under the Connecticut Unfair Trade Practices Act (CUTPA), which includes fines of up to $5,000 for willful violations, up to $25,000 for restraining order violations, and actual and punitive damages, costs, and reasonable attorneys’ fees.

What are required protection measures?

CTDPA outlines several obligations for companies to help prevent incidents from occurring, including establishing, implementing, and maintaining reasonable administrative, technical, and physical security practices and conducting a data protection assessment for any processing that presents a heightened risk of harm.

Incident Response Measures Required Under the CTDPA

Connecticut’s incident response requirements are governed by a 2021 law – An Act Concerning Data Privacy Breaches – rather than the CTDPA itself.

What is a security breach? Any instance of unauthorized access or acquisition of computerized personal information.
What is personal information? A person’s first name or first initial and last name along with at least one of the following:

  • Social security number
  • Driver’s license or state identification card number
  • Financial account number in combination with any required security code, access code, or password
  • Credit or debit card number
  • Individual taxpayer identification number
  • Identity protection personal identification number issued by the IRS
  • Passport, military identification, or other identification number issued by the government to verify identity
  • Information about an individual’s medical history, mental or physical condition, or medical treatment or diagnosis
  • Health insurance policy number, subscriber identification number, or any unique identifier from a health insurance company
  • Biometric information, including electronic measurements of unique physical characteristics used to authenticate or identify an individual
  • Username or email address in combination with a password or security question and answer
Who should be notified following a breach? Affected consumers and the state attorney general.
When should a notification be issued? Within 60 days of discovering the breach.
How should a notification be issued? Through written, telephone, or electronic notice. A substitute notice is allowed if using the first three methods would cost more than $250,000, the breach affected over 500,000 people, or there is insufficient contact information. Options for a substitute notice include email (unless the breach compromised a user’s email account) or a clear and conspicuous notice online.
What should be included in breach notifications? There are only specific requirements for what to include in notifications in two instances:

  • If the breach involved login credentials: Instruct users to promptly change their password and security questions and answers and to take appropriate steps to protect other accounts with the same login credentials.
  • If the breach involved social security or taxpayer identification numbers: Offer identity theft prevention services for at least 24 months.
What are the exceptions to issuing a notification? If the company is already in compliance with HIPAA and/or the HITECH Act. These companies must still notify the Connecticut attorney general but only need to notify state residents if they need to provide identity theft protection services.

Examples of Security Breaches that Require Notification in Connecticut

Common examples of security breaches that can trigger a notification in Connecticut include:


Data Theft

When threat actors gain access to sensitive or proprietary data and acquire it on their own systems or servers.


Phishing Attack

When users get fooled into clicking on a malicious link in an email that looks legitimate and exposes sensitive data, like login credentials or personal information.


Exposed Records

When electronic or computerized records get shared incorrectly, for example when data is sent to the wrong recipient or accidentally left exposed in a cloud file share.

How Organizations Can Prepare for Compliance with the CTDPA

Connecticut’s requirement for companies to implement and maintain reasonable security practices and the 60-day security breach notification window mean no organization can afford to be unprepared. Specifically, companies should prepare for three phases of incident response:


  • Review requirements in relevant regulations and contracts
  • Document response plans for each regulation
  • Assign responsibility over key initiatives
  • Lead tabletop exercises to prepare stakeholders


  • Investigate the incident (what, how, and when it happened, impacted systems and data, potential risks)
  • Fix vulnerabilities to prevent recurrences
  • Issue notifications based on requirements
  • Create a safe haven for team communications related to response efforts

Ongoing Management

  • Introduce a centralized dashboard for reporting on response plans and tracking changes to regulations
  • Keep stakeholders aligned on their responsibilities
  • Identify ways to strengthen response efforts by shoring up areas of weakness

Make Proactive Incident Response a Priority

Even with the best cybersecurity in place, incidents are now inevitable. As a result, every company must prioritize proactive incident response to stay in compliance with laws like the CTDPA. This proactivity requires keeping updated as regulations evolve, developing ready-to-go response plans, assigning responsibilities and preparing team members accordingly, and regularly revisiting those initiatives to ensure readiness. When done effectively, this proactive approach can not only help ensure compliance, but also reduce costs, better maintain customer trust, and recover faster.
