Connecticut Expands Data Breach Notification Requirements and Establishes a Cybersecurity "Safe Harbor"
Connecticut has become the third state to enact a cybersecurity safe harbor statute.
On June 16 and July 6, 2021, Connecticut Governor Ned Lamont signed two new cybersecurity laws that continue the national trend of expanding cyber incident disclosure obligations, shortening notification timelines, and incentivizing the implementation of recognized cybersecurity standards. Both laws take effect on October 1, 2021.
"An Act Concerning Data Privacy Breaches" Amends Connecticut's Existing Data Breach Law
The amended data breach law includes three key changes:
- The time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach has been shortened from 90 days to 60 days after discovery of the breach;
- If direct notice cannot be given within the new 60-day window, a novel and significant amendment requires the business to provide preliminary substitute notice to affected individuals and then follow up with direct notice as soon as possible; and
- The law significantly expands the definition of "personal information" that may trigger notification obligations to include an IRS identity protection personal identification number, certain medical information, biometric information, a user name or email address in combination with a password or security question and answer (regardless of whether the individual's name is accessed along with it), and a number of other data elements commonly included in other states' data breach notice laws.
"An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses" Establishes a Cybersecurity "Safe Harbor" Statute
The new law establishes an affirmative defense to tort claims alleging that a business's failure to implement reasonable cybersecurity controls caused a data breach. A business can take advantage of this "safe harbor" if it has created, maintained, and complied with a written cybersecurity program containing administrative, technical, and physical safeguards that conforms to one or more industry-recognized frameworks (such as the National Institute of Standards and Technology's Cybersecurity Framework or the Center for Internet Security's Critical Security Controls) or to applicable federal laws (such as the cybersecurity requirements of the Health Insurance Portability and Accountability Act). Two caveats matter in practice: the defense is unavailable where the failure to implement reasonable controls resulted from gross negligence or willful or wanton conduct, and when a chosen framework is revised, the program must be brought into conformity with the revised version within six months, so adopting a framework on paper without keeping pace with it does not preserve the defense.
Connecticut is the third state, after Ohio and Utah, to enact a cybersecurity safe harbor statute.