Connecticut state law requires any person who conducts business in the state and experiences a breach of security involving computerized data to provide notice to the Office of the Attorney General in addition to state residents who may be affected.
Anyone who conducts business in Connecticut and who, in the ordinary course of business, owns, licenses or maintains computerized data that includes personal information is required to disclose a security breach to state residents whose personal information is believed to have been compromised. Notice to consumers must be made without unreasonable delay but not later than ninety days from discovery of the breach.
The details of Connecticut’s reporting requirements are outlined in Connecticut General Statutes § 36a-701b.
Business owners must also notify the Office of the Attorney General, no later than when the affected residents are notified, according to the law. Failure to provide such notice may be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA).
To assist business owners in complying with this requirement, the Office of the Attorney General has a dedicated email address for reporting: ag.breach@ct.gov.
To simplify the process and minimize the need for the Office of the Attorney General to request additional information, business owners are asked to include the following in any breach notification:
- A general description of the breach, including the date(s) of the breach, when and how the breach was discovered, and any remedial steps taken in response to the breach.
- The number of Connecticut residents affected by the breach.
- A detailed list of the categories of personal information that are the subject of the breach.
- The date(s) that notification was/will be sent to the affected Connecticut residents.
- A template copy of the notification sent to the affected Connecticut residents.
The name and contact information of the person reporting the breach, and the name and address of the business that experienced the breach, along with the type of business, should also be provided.
The office should also be informed as to whether credit monitoring or identity theft protection services have been or will be offered to affected Connecticut residents, as well as a description and length of such services. As of October 2018, the required minimum length of credit monitoring is 24 months.
The legislation, Public Act 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses, goes into effect on October 1, 2021.
According to a 2018 CBIA survey, nearly one-quarter of Connecticut businesses experienced a data breach or cyberattack in the previous two years. And 90% of those were small businesses with fewer than 100 employees.