Breach notification to the Attorney General must be completed no later than consumer notifications. If a breach of security includes individuals’ Social Security numbers, the Organization must provide all affected individuals with at least 24 months of identity theft prevention or mitigation services at no cost to the individuals. The Organization will be responsible to complete any necessary regulatory reporting and consumer notification. Effective 10/1/2021, businesses may have affirmative defenses to certain causes of action arising out of a data breach by having a written cybersecurity program that conforms with an industry-recognized framework.

Connecticut residents affected by a breach of security must be notified without delay, but no later than 60 days after the discovery of the breach. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside. Effective October 21, 2021, if additional affected residents are discovered after the 60-day notice deadline, those residents must be notified as soon as expediently possible.

Organizations may be fined or penalized for willful violations of compliance failures resulting in penalties up to $500,000 per violation.

Sector-specific laws (insurance, education, health) require entities to have policies, procedures, and security programs in place for the protection of personal information, with requirements such as employee training, vendor contracting, vendor management, and an individual’s right to access their personal information. Connecticut passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches of security. Effective October 1, 2020 licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.

Organizations can defend against civil liability from certain causes of actions arising out of a data breach by having a written cybersecurity program that conforms with an industry recognized framework. Organizations in possession of personal information must have measures in place to safeguard personal information, including measures for secure disposal. Heightened protection and handling requirements apply to the collection of Social Security numbers and military identification information, including an Organization’s obligation for a privacy protection policy.