On June 16, 2021, the Connecticut General Assembly adopted an expanded version of Connecticut’s data breach notification statute (2021 CT H.B. 5310 (NS)). Through this expansion, Connecticut’s data breach notification statute will be updated, effective Oct. 1, 2021, to (1) broaden the definition of “personal information,” (2) shorten the amount of time within which businesses must notify Connecticut residents and the Office of the Attorney General of a data breach, (3) allow for email notice when login credentials are breached, (4) remove the requirement for law enforcement consultation when conducting a risk assessment, and (5) include a HIPAA/HITECH exemption.
What is most notable about Connecticut’s revised data breach notification statute is the omission of a particular provision from the final version of the statute. When the statute was originally introduced to the Connecticut legislature on Jan. 22, 2021, it included an unprecedented provision that would have required entities that suffered data breaches to provide “preliminary substitute notice” of the data breach if the entity was unable to identify and notify affected Connecticut residents within 60 days after the discovery of the incident. The preliminary substitute notice would have consisted of (1) email notice to all affected Connecticut residents whose email addresses were known to the entity; (2) conspicuous posting of the notice on the entity’s website; and (3) notification to major statewide media, including newspapers, radio and television. Even after providing “preliminary substitute notice” of an incident, the entity that suffered the breach would have had to then provide direct notice of the incident to affected Connecticut residents. The final version of the statute, however, does not include this preliminary substitute notice obligation.
Broadened Definition of ‘Personal Information’
Although it does not create a preliminary substitute notice obligation, Connecticut’s updated data breach notification statute does expand the definition of “personal information,” the unauthorized access/acquisition of which triggers a notification obligation.
Previously, the Connecticut data breach notification statute defined “personal information” to include the first name or first initial and last name in combination with Social Security number; driver’s license number or state identification number; credit card number; or financial account number in combination with a security code, access code or password that would permit access to the financial account.
Connecticut now defines “personal information,” however, to include both the aforementioned data elements as well as the following information:
- Taxpayer identification number.
- Identity protection personal identification number issued by the IRS.
- Passport number, military identification number or other identification number issued by the government that is commonly used to verify identity.
- Medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
- Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual.
- Biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, or retina or iris image.
- Username or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
These additional data elements are consistent with those added to other states’ breach notification statutes in recent years.
Shortened Notification Deadline
Additionally, whereas Connecticut’s data breach notification statute previously required entities to notify affected Connecticut residents no later than 90 days after discovery of the breach, the amended statute reduces that time period to 60 days. If the entity is unable to identify all affected Connecticut residents within 60 days, it is required to notify the affected Connecticut residents that it can identify within the initial 60-day period and then notify the other Connecticut residents as expediently as possible.
Email Notice for Breach of Login Credentials
Connecticut’s expanded breach notification statute also dictates that notice may be provided to Connecticut residents via email when the breach involves unauthorized access to online login credentials. The notice must direct the recipient to promptly change the password or security question and answer for the compromised account and/or take other appropriate steps to protect the affected online account and all other online accounts for which the individual uses the same username or email address and the same password or security question and answer. This notice must not be sent to the email account that was breached, or is reasonably believed to have been breached, unless the sender can reasonably verify the affected resident’s receipt of the notification.
Elimination of Law Enforcement Consultation Requirement for Risk Analysis
Connecticut’s updated data breach notification statute also removes the requirement to consult with relevant federal, state and local agencies responsible for law enforcement when conducting a risk assessment to determine whether notification is required. Instead of requiring consultation with these agencies, the amended statute allows an entity to determine that notice is not required if, after an appropriate investigation is completed, the entity reasonably determines that the breach will not likely result in harm to the individuals whose personal information was acquired or accessed. This change eases the burden on organizations conducting risk assessments: under the prior law, they had to contact law enforcement even in cases where no law enforcement involvement was warranted.
HIPAA/HITECH Exemption
Lastly, a person who is subject to and complies with the privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) is deemed to be in compliance with the Connecticut data breach notification statute as long as they (1) provide notice to the attorney general, if required by the Connecticut data breach notification statute, no later than when notice is provided to Connecticut residents under HITECH and (2) offer notified Connecticut residents appropriate identity theft prevention services and identity theft mitigation services for up to 24 months, as required by the Connecticut data breach notification statute.
These amendments to Connecticut’s data breach notification statute broaden the types of personal information that trigger a notice requirement and require that Connecticut residents and the attorney general be notified sooner. But the amendments are also measured: the legislature (1) eliminated unnecessary provisions that increased the burden in low-risk events, (2) dropped the more aggressive preliminary substitute notice provisions contained in the draft bill, (3) added a limited exemption for HIPAA-covered entities and (4) resisted the trend to shorten the notice period to 30 days or less. Still, this updated law is yet another reason that entities that own, license or maintain personal information should take care in the ways that they collect, handle and maintain it.