On June 16 and July 6, 2021, Connecticut Gov. Ned Lamont signed into law two new cybersecurity bills that keep Connecticut in line with the national trend of expanding cyber incident disclosure obligations, shortening notification timelines, and incentivizing the implementation of recognized cybersecurity standards. Both laws take effect on October 1, 2021.
The first law, “An Act Concerning Data Privacy Breaches,” amends Connecticut's existing data breach law in a number of important ways, among them:
- The law significantly expands the definition of "personal information" that may trigger notification obligations to include: (i) a taxpayer identification number; (ii) an identity protection personal identification number issued by the IRS; (iii) a passport number; (iv) certain medical information, biometric information, a user name or email address in combination with a password or security question and answer (regardless of whether or not the individual's name is accessed in combination with it), and a number of other data elements commonly included in other states' data breach notice laws.
- The law significantly shortens the time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach, from 90 days to no later than 60 days after discovery of the breach. If notice cannot be effected within the new 60-day window, a novel and significant amendment requires companies to provide preliminary substitute notice to individuals and to follow up with direct notice as soon as possible.
- In the event of a login credential breach, the law requires that notice to affected residents be provided in electronic or other form that directs the resident whose personal information was breached, or is reasonably believed to have been breached, to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same user name or email address and password or security question and answer. As with similar statutes, if the user’s email address is breached, notice may not be given by email.
- Any person subject to and in compliance with the HIPAA and/or HITECH Act privacy and security obligations is deemed in compliance with the new law, with two critical exceptions. First, as under New York’s SHIELD Act, a person subject to HIPAA or HITECH that is required to notify Connecticut residents of a data breach under HITECH must still notify Connecticut’s Attorney General at the same time residents are notified. Second, if the person would have been required to provide identity theft prevention and/or mitigation services under Connecticut law, which is for a period of 24 months, that requirement remains.
- Lastly, the law provides that all documents, materials and information provided in response to an investigative demand shall be exempt from public disclosure, provided the Attorney General may make such documents, materials or information available to third parties in furtherance of such investigation.
The second law, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” establishes a Cybersecurity ‘Safe Harbor’ statute.
The new law will establish an affirmative defense against tort claims alleging that a business's failure to implement reasonable cybersecurity controls caused a data breach. Businesses that have created, maintained, and complied with a written cybersecurity program can take advantage of this "safe harbor" if their written cybersecurity program complies with one or more of the industry-recognized frameworks (such as NIST SP 800-171, NIST SP 800-53, and the ISO/IEC 27000-series) or applicable federal laws (such as the cybersecurity requirements of the Health Insurance Portability and Accountability Act).
Connecticut is the third state, after Ohio and Utah, to enact a cybersecurity safe harbor statute.
The new laws take effect on October 1, 2021. Companies impacted by these new laws should consider the potential impact on their current policies and procedures. If you have any questions, please contact Michael P. O'Mullan at momullan@riker.com, Labinot Alexander Berlajolli at lberlajolli@riker.com, Robert N. Holup at rholup@riker.com, or any other attorney in Riker Danzig’s Cybersecurity & Data Privacy practice.