Connecticut Amends its Facts Breach Notification Law to Enrich Defense and Incentivize Cybersecurity | Clark Hill PLC

Connecticut has enacted two legislation, equally efficient on Oct. 1, that boost the security of personal data and incentivize cybersecurity beneath its data breach notification regulation. The first, General public Act No. 21-59, which amends Connecticut’s existing facts breach notification legislation, expands the definition of secured “personal details,” cuts down the most time for needed notifications, and offers for a “safe harbor” for compliance with other breach detect prerequisites. The other, Community Act No. 21-119, incentivizes the adoption of cybersecurity standards by delivering safety against punitive damages for coated persons that comply with stated cybersecurity legal guidelines and requirements. While Connecticut was not productive in passing a detailed privateness law identical to those handed in California, Colorado, and Virginia, it did make these modifications. This is a summary of the two Acts, but readers ought to evaluation the unique particulars.

Beforehand, Connecticut’s definition of “personal information” was constrained and integrated a lot more regular data components such as Social Stability quantities, driver’s license and state identification figures, credit history or debit card figures, and a financial account variety in mix with facts that would allow entry to the financial account. Public Act No. 21-59 expands the definition of “personal information” in the current breach notification law to increase facts like:

  • Clinical, health and fitness insurance plan, or subscriber info,
  • Person taxpayer identification figures and personal identification numbers,
  • Passport numbers or other federal government identification figures,
  • Biometric facts, and
  • User names or e mail addresses, in blend with a password or stability query and answer that would permit obtain to an on the web account.

The legislation carries on to supply that needed notice should be specified “without unreasonable delay,” but reduces the utmost time from 90 times to 60 days. It incorporates a prerequisite for discover in 60 times to all perhaps impacted people today if the impacted people today simply cannot be discovered. Interestingly, the legislation does permit see to supplemental Connecticut residents if they are identified right after the 60-day, delivered this kind of see is manufactured as “expediently as possible.”

This Act also presents a “safe harbor” for a included man or woman “that is topic to and in compliance with the privateness and protection specifications under” the Health Insurance plan Portability and Accountability Act of 1996 (“HIPAA”) and the Wellness Information Technological know-how for Economic and Scientific Well being Act (“HITECH”). It also provides that any individual expected to deliver notification to Connecticut inhabitants pursuant to HIPAA/HITECH ought to also deliver notice to the Connecticut Attorney Standard.

Community Regulation 21-119 incentivizes cybersecurity by providing protection in opposition to punitive damages for included folks that comply with shown cybersecurity legal guidelines and standards. The defense is constrained for the reason that it only covers punitive damages. It applies to a lined entity that has “created, preserved and complied with a created cybersecurity method that contains administrative, technical and actual physical safeguards for the safety of private or restricted information and that conforms to [a listed] marketplace-identified cybersecurity framework.” The listing contains specified frameworks published by the Countrywide Institute of Benchmarks and Technological innovation (NIST), the Middle for Web Protection (CIS), the ICO/IEC (27000 specifications), and the Payment Card Business (PCI) Safety Expectations Council and, exactly where relevant, cybersecurity laws less than HIPAA/HITECH, the Federal Possibility Administration Software (FedRAMP), or the Gramm-Leach-Bliley Act.

It is crucial for corporations that individual, license, or keep coated data about Connecticut residents to recognize these amendments and to incorporate them into their cybersecurity and privacy insurance policies and incident response ideas.