Information Security and Privacy Update, September 2012
September 25, 2012
Connecticut Law Update
As of October 1, 2012, Data Security Breaches MUST be reported to the State Attorney General's Office
Since 2006, Connecticut law has required businesses that store personal information in an electronic format to disclose any “security breach” of that information to state residents whose personal information has been, or is reasonably believed to have been, compromised. Under CGS Section 36a-701b, the term “security breach” means unauthorized access to or unauthorized acquisition of electronic or other computer data files, media or data containing defined categories of “personal information” about the customers of the business. Personal information includes a person’s name plus any of the following: (1) Social Security number; (2) driver’s license or state identification card number; or (3) account, credit or debit card number with PIN/password.
The law also applies to any person that maintains computerized data with personal information he or she does not own.
Failure to provide the notices required by law constitutes a violation of the Connecticut Unfair Trade Practices Act (CUTPA). Under CUTPA, a successful plaintiff can potentially recover compensatory damages, punitive damages, and attorneys’ fees.
Effective October 1, 2012, the security breach statute has been amended to require that any business or person with a reporting obligation under the statute provide notice of the security breach not only to the affected state residents, as before, but also to the Connecticut Attorney General. They must notify the Attorney General at or before the time they notify the affected residents. The failure to do so will constitute a separate violation of CUTPA.
On September 18, 2012, Attorney General George Jepsen announced that his office will establish a dedicated email address for companies to use when reporting a breach. The new email address, firstname.lastname@example.org, will be monitored by the Attorney General’s Privacy Task Force. A link to the email address and a Web page detailing the new law’s requirements will go live on the Attorney General’s website, www.ct.gov/ag, when the law takes effect October 1.
If you need help complying with the requirements of the security breach statute, please contact:
If you would like any additional information about legal obligations or practice tips relating to sensitive, personal or confidential information, please contact any of the attorneys in our Information Security and Privacy Practice Group.
If you would like a printable version of this client alert, please click on the pdf below.