Connecticut Data Privacy Act
What you need to know about Connecticut’s comprehensive privacy law
In May 2022, Connecticut signed into law An Act Concerning Personal Data Privacy and Online Monitoring (CTDPA). This marks the first comprehensive privacy legislation in the northeastern US and will go into effect on July 1, 2023. Here’s what every company that does business in Connecticut or serves residents in the state needs to know to get in compliance.
Who Must Comply with the CTDPA
Any company that does business in Connecticut or whose products and services target Connecticut residents and meets the following requirements is subject to the CTDPA:
- Controls or processes personal data of 100,000 or more consumers annually, except for personal data used solely to complete a payment
- Derives over 25% of gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers
The law does include exemptions for certain organizations and certain types of data:
- Exempt organizations: State and local governments, non-profits, higher education institutions, certain national security associations, and organizations subject to HIPAA or the Gramm-Leach-Bliley Act
- Exempt data: Data subject to specified federal regulations, healthcare related information, employment related data, emergency contact information, and data used to administer benefits
The CTDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual,” with exclusions for deidentified or publicly available information.
How does the CTDPA get enforced?
Connecticut’s attorney general is responsible for enforcing the CTDPA. Through 2024, the attorney general must provide companies with a notice of alleged violations and a 60-day cure period. Starting in 2025, the attorney general will have discretion over whether or not to offer a cure period.
What is the penalty for non-compliance?
Any uncured violations are subject to penalties under the Connecticut Unfair Trade Practices Act (CUTPA), which includes fines of up to $5,000 for willful violations, up to $25,000 for restraining order violations, and actual and punitive damages, costs, and reasonable attorneys’ fees.
What are required protection measures?
CTDPA outlines several obligations for companies to help prevent incidents from occurring, including establishing, implementing, and maintaining reasonable administrative, technical, and physical security practices and conducting a data protection assessment for any processing that presents a heightened risk of harm.
Incident Response Measures Required Under the CTDPA
Connecticut’s incident response requirements are governed by a 2021 law – An Act Concerning Data Privacy Breaches – rather than the CTDPA itself.
| Question | Requirement |
|---|---|
| What is a security breach? | Any instance of unauthorized access to, or acquisition of, computerized personal information. |
| What is personal information? | A person’s first name or first initial and last name along with at least one of the following: |
| Who should be notified following a breach? | Affected consumers and the state attorney general. |
| When should a notification be issued? | Within 60 days of discovering the breach. |
| How should a notification be issued? | Through written, telephone, or electronic notice. A substitute notice is allowed if using the first three methods would cost more than $250,000, the breach affected over 500,000 people, or there is insufficient contact information. Options for a substitute notice include email (unless the breach compromised a user’s email account) or a clear and conspicuous notice online. |
| What should be included in breach notifications? | There are only specific requirements for what to include in notifications in two instances: |
| What are the exceptions to issuing a notification? | If the company is already in compliance with HIPAA and/or the HITECH Act. These companies must still notify the Connecticut attorney general, but only need to notify state residents if they need to provide identity theft protection services. |
Examples of Security Breaches that Require Notification in Connecticut
Common examples of security breaches that can trigger a notification in Connecticut include:
Data Theft
When threat actors gain access to sensitive or proprietary data and acquire it on their own systems or servers.
Phishing Attack
When users get fooled into clicking on a malicious link in an email that looks legitimate and exposes sensitive data, like login credentials or personal information.
Exposed Records
When electronic or computerized records are shared incorrectly, for example when data is sent to the wrong recipient or accidentally left exposed in a cloud file share.
How Organizations Can Prepare for Compliance with the CTDPA
Connecticut’s requirement for companies to implement and maintain reasonable security practices, together with the 60-day security breach notification window, means no organization can afford to be unprepared. Specifically, companies should prepare for three phases of incident response:
Readiness
- Review requirements in relevant regulations and contracts
- Document response plans for each regulation
- Assign responsibility over key initiatives
- Lead tabletop exercises to prepare stakeholders
Response
- Investigate the incident (what, how, and when it happened, impacted systems and data, potential risks)
- Fix vulnerabilities to prevent recurrences
- Issue notifications based on requirements
- Create a safe haven for team communications related to response efforts
Ongoing Management
- Introduce a centralized dashboard for reporting on response plans and tracking changes to regulations
- Keep stakeholders aligned on their responsibilities
- Identify ways to strengthen response efforts by shoring up areas of weakness
Make Proactive Incident Response a Priority
Even with the best cybersecurity in place, incidents are now inevitable. As a result, every company must prioritize proactive incident response to stay in compliance with laws like the CTDPA. This proactivity requires keeping updated as regulations evolve, developing ready-to-go response plans, assigning responsibilities and preparing team members accordingly, and regularly revisiting those initiatives to ensure readiness. When done effectively, this proactive approach can not only help ensure compliance, but also reduce costs, better maintain customer trust, and recover faster.
Supercharge your incident response strategy with the BreachRx platform
Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.