In addition to recently passing a cybersecurity safe harbor law, Connecticut also updated its data breach notification law. Connecticut joins Texas in passing changes to breach notification requirements this year. There are three key changes included in this amendment.
- Expansion of the definition of “personal information”. Falling in line with many other states, the law now broadens “personal information” to also include (i) taxpayer identification number; (ii) IRS identity protection personal identification number, (iii) passport number, military ID or other government ID; (iv) certain medical information; (v) health insurance policy information; (vii) biometric information; and (viii) a user name or email address in combination with a password or security question and answer (regardless of whether or not the individual’s name is accessed in combination with it), in addition to the other existing elements.
- Shortened Notification Requirements. The time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach has been shortened from 90 days to no later than 60 days after discovery of the breach. Further, if notice cannot be made within the new 60-day window, companies are to provide preliminary substitute notice to individuals and follow up with direct notice as soon as possible.
- HIPAA/HITECH Exemption, Except for AG Notice. If notice is provided to Connecticut residents in compliance with HIPAA and HITECH, then the notice is deemed compliant with Connecticut requirements. However, notice must still be provided to the Connecticut Attorney General (no later than when notice is provided to residents).
Putting it Into Practice: Beginning October 1, companies who suffer a breach impacting Connecticut residents will want to keep in mind these changes. Namely, the expanded definition of personal information and shortened notification timelines.