Signed by Governor Ned Lamont

Vote Smart's Synopsis:

Vote to pass a bill that expands the data privacy breach notification statute to protect consumers.

Highlights:

• Specifies if the person identifies additional residents of this state whose personal information was breached or reasonably believed to have been breached following 60 days after the discovery of such breach, the person will proceed in good faith to notify such additional residents as expediently as possible (Sec. 1.b-1).

• Establishes a substitute notice will consist of the following (Sec. 1-2.e):

• Electronic mail notice when the person has an electronic mail address for the affected persons;

• Conspicuous posting of the notice on the website of the person if the person maintains one; and

• Notification to major statewide media, including newspapers, radio, and television.

• Specifies in the event of a breach of login credentials, notice to a resident may be provided in electronic or another form that directs the resident whose personal information was breached or is reasonably believed to have been breached to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same user name or electronic mail address and password or security question and answer (Sec. 1-2.f-1).

• Prohibits any person that furnishes an electronic mail account from complying with this law by providing notification to the electronic mail account that was breached or reasonably believed to have been breached if the person cannot reasonably verify the affected resident's receipt of such notification (Sec. 1-2.f-2).

• Establishes any person that maintains such person's own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies, as applicable, residents of this state, owners, and licensees in accordance with such person's policies in the event of a breach of security and in the case of notice to a resident, such person also notifies the Attorney General not later than the time when notice is provided to the resident (Sec. 1-2.g).

• Establishes any person that is subject to and in compliance with the privacy and security standards under HIPAA and the HITECH will be deemed to be in compliance with this section, provided that any person required to provide notification to Connecticut residents according to HITECH will also provide notice to the Attorney General not later than the time when notice is provided to such residents if notification to the Attorney General would otherwise be required (Sec. 1-2.h).

• Exempts all documents, materials, and information provided in response to an investigative demand issued in connection with the investigation of a breach of security from public disclosure, provided the Attorney General can make such documents, materials, or information available to third parties in furtherance of such investigation (Sec. 1-2.i).

Full Bill Text