CONNECTICUT
FINES & PENALTIES
Violations
Civil penalties up to $5,000
BREACH NOTIFICATION
Mandated Timeframe
Within 60 days
BREACH REPORTING
Breach notification to the Attorney General must be completed no later than consumer notifications. If a breach of security includes individuals’ Social Security numbers, the Organization must provide all affected individuals with at least 24 months of identity theft prevention or mitigation services at no cost to the individuals. The Organization is responsible for completing any necessary regulatory reporting and consumer notification. Effective 10/1/2021, businesses may have affirmative defenses to certain causes of action arising out of a data breach if they maintain a written cybersecurity program that conforms with an industry-recognized framework.
CONSUMER NOTIFICATION
Connecticut residents affected by a breach of security must be notified without delay, and no later than 60 days after the discovery of the breach. If a breach affects residents of other jurisdictions, those individuals must be notified according to the breach notification laws of the jurisdiction where they reside. Effective October 21, 2021, if additional affected residents are discovered after the 60-day notice deadline, those residents must be notified as expediently as possible.
FINES & PENALTIES
Organizations may be fined or penalized for willful violations, with penalties of up to $500,000 per violation.
INDUSTRY SPECIFIC LAWS
Sector-specific laws (insurance, education, health) require entities to have policies, procedures, and security programs in place for the protection of personal information, with requirements such as employee training, vendor contracting, vendor management, and an individual’s right to access their personal information. Connecticut passed the Insurance Data Security Law, which requires insurance licensees to protect personal information and to investigate and respond to breaches of security. Effective October 1, 2020, licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.
PRIVACY PROGRAM
Organizations can defend against civil liability from certain causes of action arising out of a data breach by having a written cybersecurity program that conforms with an industry-recognized framework. Organizations in possession of personal information must have measures in place to safeguard it, including measures for secure disposal. Heightened protection and handling requirements apply to the collection of Social Security numbers and military identification information, including an Organization’s obligation to maintain a privacy protection policy.