Connecticut Expands Data Breach Notification Requirements And Establishes A Cybersecurity “Safe Harbor”
On June 16 and July 6, 2021, Connecticut Governor Ned Lamont
signed two new cybersecurity laws that continue the national trend
of expanding cyber incident disclosure obligations, shortening
notification timelines, and incentivizing the implementation of
recognized cybersecurity standards. Both laws take effect on
October 1, 2021.
“An Act Concerning Data Privacy Breaches” Amends
Connecticut’s Existing Data Breach Law
The amended data breach law includes three key changes:
- The time businesses have to notify affected Connecticut
residents and the Office of the Attorney General of a data breach
has been shortened from 90 days to no later than 60 days after
discovery of the breach;
- If notice cannot be effected within the new 60-day window, a
novel and significant amendment requires companies to provide
preliminary substitute notice to individuals, and follow up with
direct notice as soon as possible; and
- The law significantly expands the definition of “personal
information” that may trigger notification obligations to
include an IRS identity protection personal identification number,
certain medical information, biometric information, a user name or
email address in combination with a password or security question
and answer (regardless of whether or not the individual’s name
is accessed in combination with it), and a number of other data
elements commonly included in other states’ data breach notice
laws.
“An Act Incentivizing the Adoption of Cybersecurity
Standards for Businesses” Establishes a Cybersecurity
“Safe Harbor” Statute
The new law will establish…