Connecticut Expands Data Breach Notification Requirements And Establishes A Cybersecurity “Safe Harbor”




On June 16 and July 6, 2021, Connecticut Governor Ned Lamont
signed two new cybersecurity laws that continue the national trend
of expanding cyber incident disclosure obligations, shortening
notification timelines, and incentivizing the implementation of
recognized cybersecurity standards. Both laws take effect on
October 1, 2021.

“An Act Concerning Data Privacy Breaches” Amends
Connecticut’s Existing Data Breach Law

The amended data breach law includes three key changes:

  • The time businesses have to notify affected Connecticut
    residents and the Office of the Attorney General of a data breach
    has been shortened from 90 days to no later than 60 days after
    discovery of the breach;

  • If notice cannot be effected within the new 60-day window, a
    novel and significant amendment requires companies to provide
    preliminary substitute notice to individuals, and follow up with
    direct notice as soon as possible; and

  • The law significantly expands the definition of “personal
    information” that may trigger notification obligations to
    include an IRS identity protection personal identification number,
    certain medical information, biometric information, a user name or
    email address in combination with a password or security question
    and answer (regardless of whether or not the individual’s name
    is accessed in combination with it), and a number of other data
    elements commonly included in other states’ data breach notice
    laws.

“An Act Incentivizing the Adoption of Cybersecurity
Standards for Businesses” Establishes a Cybersecurity
“Safe Harbor” Statute

The new law will establish…
