Connecticut has been at the forefront of protecting the personal information of its residents. In July 2010, in the first action by a state attorney general for violations of HIPAA since HITECH authorized state attorneys general to enforce HIPAA, HealthNet and the state of Connecticut reached a settlement stemming from a May 2009 incident involving a lost computer disk containing the protected health and other private information of 1.5 million consumers nationwide. The incident affected nearly half a million Connecticut consumers. The settlement included HealthNet’s payment of $250,000 to the state, representing statutory damages, and HealthNet’s implementation of a corrective action plan.
Connecticut’s commitment to its residents’ personal privacy continued into 2011. In September of 2011, Connecticut Attorney General George Jepsen announced the creation of a privacy task force to focus on internet and data privacy concerns. Since its creation, the Attorney General’s office has publicly requested information from various entities, including the state Department of Labor, Central Connecticut State University, Wells Fargo, and Zappos, after receiving reports of security breaches affecting Connecticut residents. The requests for information have occurred without a statutory requirement for the notification of a security breach to the Attorney General’s office. Recently, however, Connecticut joined the ranks of states requiring notification to the Attorney General following a breach incident.
On June 12, 2012, at an end-of-term General Assembly special session, Connecticut updated its existing data breach notification statute, Conn. Gen. Stat. 36a-701b. The update appears on page 162 of the Connecticut General Assembly’s June 12, 2012 Special Session Bill No. 6001, a 468-page House and Senate budget bill. The updates to the statute are effective as of October 1, 2012.
The legislature, instead of amending the existing data breach notification statute, repealed the statute in full, replacing it with an amended version. The amended statute differs from the one it replaces as follows:
- “breach of security” is defined as the “unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable” (amended language is underlined);
- if notice of a breach of security is required, notice must also be provided to the Attorney General no later than the time notice is provided to a resident; and
- the statute expressly states that the statute’s notification requirements are applicable only to the personal information of a “resident of this state.”
Personal information continues to be defined as an individual’s first name or first initial and last name in combination with any one or more of the following data: (1) Social Security number; (2) driver’s license number or state identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account. Any violation of the statute continues to be considered an unfair trade practice under Connecticut’s Unfair Trade Practices Act. The Attorney General retains enforcement authority, and there is no private right of action.