The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: Any person who owns, licenses, or maintains computerized data.
Consumer Notification: Notification must be provided to any Connecticut resident whose personal information was breached or is reasonably believed to have been breached.
Regulatory Notification: Notification must be provided to the Connecticut Attorney General not later than the time when notice is provided to a Connecticut resident.
Notification Timeline: Notification must be provided “without unreasonable delay but not later than 60 days after the discovery of such breach, unless a shorter time is required under federal law.”
Data Format: Electronic.
Citations: Conn. Gen. Stat. § 36a-701b
- Breach: Unauthorized access to or unauthorized acquisition of electronic files, media, databases, or computerized data, containing personal information.
- Personal Information (PI): First name or first initial and last name in combination with any one, or more, of the following data:
- Social Security number;
- taxpayer identification number;
- identity protection personal identification number issued by the Internal Revenue Service;
- driver's license number, state identification card number, passport number, military identification number or other identification number issued by the government that is commonly used to verify identity;
- credit or debit card number;
- financial account number in combination with any required security code, access code or password that would permit access to such financial account;
- medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
- health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual; or
- biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina, or iris image;
The definition also includes a username or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.
- Medical Information:
- Medical information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional
- Biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina, or iris image
- Health Insurance Information: Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual
- Encryption: Notification is not required where the potentially impacted PI was secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
- Good Faith: N/A
- Risk of Harm: Notification is not required if, after an appropriate investigation, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired or accessed.
- Law Enforcement Delay: Notification may be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination.
- Timing: Notification must be provided “without unreasonable delay but not later than 60 days after the discovery of such breach, unless a shorter time is required under federal law.”
- Format: N/A
- Content: The notification shall offer to each resident whose Social Security number or taxpayer identification number was breached or is reasonably believed to have been breached appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than 24 months. The notice must provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file.
- Method: Notification may be done via 1) written notice; (2) telephone notice; or (3) electronic notice, provided such notice is consistent with ESIGN.
In the event of a breach of login credentials, notice may be provided in electronic or other form that directs the resident whose personal information was breached or is reasonably believed to have been breached to promptly change any password or security question and answer, as applicable, or to take other appropriate steps to protect the affected online account and all other online accounts for which the resident uses the same username or electronic mail address and password or security question and answer.
Any person that furnishes an electronic mail account shall not comply with this section by providing notification to the electronic mail account that was breached or reasonably believed to have been breached if the person cannot reasonably verify the affected resident's receipt of such notification. In such an event, the person shall provide notice by another method described in this section or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an Internet protocol address or online location from which the person knows the resident customarily accesses the account.
An entity may provide substitute notice, provided such person demonstrates that the cost of providing notice would exceed $250,000 that the affected class of subject persons to be notified exceeds 5,000 persons or that the person does not have sufficient contact information. Substitute notice shall consist of the following:
- Electronic mail notice when the person has an electronic mail address for the affected persons;
- conspicuous posting of the notice on the web site of the person if the person maintains one; and
- notification to major state-wide media, including newspapers, radio, and television.
The notification shall offer to each resident whose Social Security number or taxpayer identification number was breached or is reasonably believed to have been breached appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than 24 months.
Notification must be provided to the Connecticut Attorney General not later than the time when notice is provided to a Connecticut resident.
Credit Reporting Agencies Notice:
Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information of a resident of this state was breached or is reasonably believed to have been breached.
Any person that is subject to and in compliance with the privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (“HITECH”) shall be deemed to be in compliance, provided that (1) any person required to provide notification to Connecticut residents pursuant to HITECH shall also provide notice to the Attorney General not later than the time when notice is provided to such residents if notification to the Attorney General would otherwise be required, and (2) the person otherwise complies with applicable requirements.
Comprehensive Data Privacy Law
Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
Conn. Gen. Stat. Ann. §§ 42-515 to 42-525
Persons that conduct business in Connecticut or produce products or services targeted to Connecticut residents and, during the preceding calendar year, controlled or processed Personal Data of either at least:
- 100,000 consumers, excluding Personal Data processed or controlled solely for completing a payment transaction; or
- 25,000 consumers and derived more than 25% of their gross revenue from Personal Data sales.
Among other exclusions, the CTDPA excludes governmental entities, nonprofits , and educational institutions; employment-related data; Protected Health Information under HIPAA; and entities or data regulated by sector-specific laws such as in the health (HIPAA), finance (GLBA), or credit (FCRA) sectors, or that involve children (COPPA). It also does not apply when individuals act in a commercial (B2B) context.
Controllers. The CTDPA's Controller duties include obligations:
- Of transparency (i.e., a privacy notice).
- Of data minimization.
- Of purpose specification and limitation.
- To limit Personal Data use to purposes reasonably necessary to or compatible with the disclosed processing purpose unless the consumer consents to the secondary use.
- To use reasonable data security to protect the Personal Data's confidentiality, integrity, and accessibility.
- To obtain the consumer's consent before processing their sensitive data; and for consumers aged 13, 14, or 15, selling their Personal Data or using it for targeted advertising.
- To process children's sensitive data consistent with COPPA.
- To avoid unlawful discrimination when processing Personal Data.
- To provide equivalent and effective mechanisms for consumers to exercise their rights to revoke and grant consent and describe those mechanisms in a privacy notice. In establishing those mechanisms, the controller must consider the consumer’s normal interactions, the need for secure and reliable communication of such requests, and the ability of the controller to verify the consumer’s identity.
- To not discriminate (retaliate) when a consumer exercises rights, including by denying goods or services, charging different prices or rates, or providing a different level of quality, except as part of a voluntary, bona fide loyalty-type program.
- To act on and respond to a consumer's request to exercise their Personal Data rights.
- To ensure employees or contractors are under a contractual or statutory duty of confidentiality before granting access to consumer health data.
- To obtain the consumer's consent before selling or offering to sell their health data.
- To not use geofencing to create a virtual boundary within 1,750 feet of any mental health or reproductive or sexual health facility to: identify or track consumers seeking healthcare services; collect a consumer's data or sell it without consent; or send consumers health data or healthcare service-related notifications, messages, or advertisements.
- To enter into contracts with Processors that:
- Provide processing instructions.
- Describe the nature and purpose of processing, the types of Personal Data processed and the duration of processing.
- Describe the rights and obligations of both parties.
- Require the Processor to:
- ensure the duty of confidentiality;
- return or destroy all Personal Data when the services end, at the Controller's direction, unless the law requires retention;
- make available all information necessary to demonstrate compliance with its data protection obligations, on the Controller's reasonable request;
- provide the Controller with an opportunity to object before engaging a subcontractor under a written contract that requires it to meet the Processor's data protection obligations; and
- allow and cooperate with reasonable assessments of the Processor's policies and technical and organizational measures supporting its data protection obligations.
- To conduct a Data Protection Assessment (DPA) before conducting processing activities that present a heightened risk of consumer harm , such as for:
- Targeted advertising;
- Selling Personal Data;
- Profiling that presents a reasonably foreseeable risk of: unfair or deceptive treatment of or unlawful disparate impact on consumers; financial, physical, or reputational injury to consumers; a physical or other intrusion on consumers' solitude, seclusion, private affairs, or private concerns, if it would offend a reasonable person; or another substantial consumer injury; and
- Processing sensitive data.
Processors. The CTDPA's Processor duties include obligations:
- To adhere to the Controller's instructions.
- To help the Controller meet its obligations, considering the nature of the processing and available information, including the Controller's obligations to:
- respond to consumer rights requests;
- comply with data security and breach notification requirements; and
- conduct data protection assessments.
- To ensure each person processing Personal Data is under a duty of confidentiality.
- To only engage subcontractors after:
- giving the Controller a chance to object; and
- executing a written contract requiring the subcontractor to meet the same Personal Data obligations as the Processor.
- To implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, considering the processing context and the Processor's role.
- To execute written processing agreements with specific terms.
Businesses must respond without undue delay and within 45 days to verified consumer requests regarding the processing of PI and SPI, including consumers’:
- Right to confirm whether or the Controller is processing their Personal Data;
- Right to access;
- Right to correct inaccuracies;
- Right to delete;
- Right to obtain Personal Data in a format that is generally portable, readily usable, and transmittable; and
- Right to opt out of processing of Personal Data for the purposes of (1) targeted advertising; (2) the sale of Personal Data; or (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the Data Subject.
Additionally, a Controller shall establish a process for the consumer to appeal to the Controller’s refusal to take action on a request. The appeal process must be made conspicuously available and similar to the process for submitting requests to initiate action. The Controller is required to take action within sixty (60) days of receipt of an appeal, inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions, as well as provide a mechanism for consumers to contact the Attorney General if the appeal is denied.
- Biometric data: Data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual. "Biometric data" does not include (A) a digital or physical photograph, (B) an audio or video recording, or (C) any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
- Consumer: A resident of Connecticut acting in an individual or household context. "Consumer" does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the Controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.
- Consumer health data: Any Personal Data that a Controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.
- Consumer health data Controller: Any Controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.
- Controller: A person that, alone or jointly with others, determines the purposes and means for processing Personal Data.
- Gender-affirming health data: Any Personal Data concerning an effort made by a consumer to seek, or a consumer's receipt of, gender-affirming health care services.
- Personal Data: Information linked to or reasonably linkable to an identified or identifiable individual. Personal Data excludes: de-identified data and publicly available data (defined as information that is lawfully made available from federal, state, or municipal government records, or widely distributed media; and information that a Controller has a reasonable basis to believe the consumer has lawfully made available to the general public).
- Profiling: Any form of automated processing performed on Personal Data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Reproductive or sexual health care: Any health care-related services or products rendered or provided concerning a consumer's reproductive system or sexual well-being, including, but not limited to, any such service or product rendered or provided concerning (A) an individual health condition, status, disease, diagnosis, diagnostic test or treatment, (B) a social, psychological, behavioral or medical intervention, (C) a surgery or procedure, including, but not limited to, an abortion, (D) a use or purchase of a medication, including, but not limited to, a medication used or purchased for the purposes of an abortion, (E) a bodily function, vital sign or symptom, (F) a measurement of a bodily function, vital sign or symptom, or (G) an abortion, including, but not limited to, medical or nonmedical services, products, diagnostics, counseling or follow-up services for an abortion.
- Reproductive or sexual health data: Any Personal Data concerning an effort made by a consumer to seek, or a consumer's receipt of, reproductive or sexual health care.
- Sale of Personal Data: The exchange of Personal Data for monetary or other valuable consideration by the Controller to a third party. “Sale” does not include (A) the disclosure of Personal Data to a Processor that processes the Personal Data on behalf of the Controller, (B) the disclosure of Personal Data to a third party for purposes of providing a product or service requested by the consumer, (C) the disclosure or transfer of Personal Data to an affiliate of the Controller, (D) the disclosure of Personal Data where the consumer directs the Controller to disclose the Personal Data or intentionally uses the Controller to interact with a third party, (E) the disclosure of Personal Data that the consumer (i) intentionally made available to the general public via a channel of mass media, and (ii) did not restrict to a specific audience, or (F) the disclosure or transfer of Personal Data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the Controller's assets.
- Sensitive Personal Data: Personal Data revealing: racial or ethnic origin, religious beliefs, mental/physical health condition or diagnosis, sex life/sexual orientation, or citizenship/citizenship status, as well as consumer health data (meaning Personal Data used to identify a consumer's physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data), genetic or biometric data processed to uniquely identify an individual; Personal Data collected from a known child, data concerning an individual’s status as a crime victim, or precise geolocation data.
Violations of the CTDPA constitute an unfair trade practice and may be enforced solely by the Connecticut Attorney General. Initial violations may result in an injunction, an order directing restitution, or both, along with reasonable attorneys' fees. Willful violations may result in a civil penalty of up to $5,000 per violation.
- An Act Concerning Online Privacy, Data And Safety Protections
- An Act Concerning Data Privacy Breaches
July 1, 2023
Insurance Data Security Statute
Covered Entities: Any entity licensed, authorized to operate or registered, or required to be licensed, authorized to operate or registered, pursuant to the insurance laws of Connecticut, but not including a purchasing group or risk retention group chartered and licensed in another state, a person acting as an assuming insurer and domiciled in another state or jurisdiction or a commissioner of the Connecticut Superior Court acting as a title agent.
Security Standard: Each licensee shall develop, implement and maintain a comprehensive written information security program that is based on the licensee's risk assessment and contains the administrative, technical and physical safeguards for the protection of nonpublic information and such licensee's information systems. Each information security program shall be commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including, but not limited to, such licensee's use of third-party service providers, and the sensitivity of the nonpublic information used by such licensee or in such licensee's possession, custody or control.
Consumer Notification: A licensee shall comply with all applicable provisions of section 36a-701b, and provide to the Insurance Commissioner a copy of the notice that such licensee sends to consumers pursuant to said section, if any, if such licensee is required to notify the commissioner.
Regulatory Notification: A licensee shall notify the Commissioner of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.
Notification Timeline: As promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.
Citations: Conn. Gen. Stat. Ann. § 38a-38
- Consumer: An individual, including, but not limited to, an applicant, beneficiary, certificate holder, claimant, insured or policyholder, who is a resident of this state and whose nonpublic information is in a licensee's possession, custody or control.
- Cybersecurity Event: An event resulting in any unauthorized access to, or disruption or misuse of, an information system or the nonpublic information stored thereon, except if: the event involves the unauthorized acquisition of encrypted nonpublic information if the encryption process for such information or encryption key to such information is not acquired, released or used without authorization; or the event involves access of nonpublic information by an unauthorized person and the licensee determines that such information has not been used or released and has been returned or destroyed.
- Licensee: Any entity licensed, authorized to operate or registered, or required to be licensed, authorized to operate or registered, pursuant to the insurance laws of this state, including, but not limited to, a fraternal benefit society, an interlocal risk management agency formed pursuant to chapter 113a or an employers' mutual association authorized under part C of chapter 568, but not including a purchasing group or risk retention group chartered and licensed in another state, a person acting as an assuming insurer and domiciled in another state or jurisdiction or a commissioner of the Superior Court acting as a title agent, as defined in section 38a-402.
- Nonpublic Information: Electronic data and information, other than publicly available information and a consumer's age or gender, that:
- Concerns the business of a licensee and that, if accessed, disclosed, tampered with or used without authorization from the licensee, would have a material adverse impact on the business, operations or security of such licensee;
- Concerns a consumer and that, because such data or information contains a name, number, personal mark or other identifier, can be used to identify such consumer in combination with:
- Social Security number;
- Driver’s license number or nondriver identification card number;
- an account, credit or debit card number;
- Security code, access code, or password that would permit access to a consumer’s financial account; or
- Biometric records; or
- Is in a form or medium created by, or derived from, a health care provider or consumer and concerns:
- The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer’s family;
- The provision of health care to any consumer; or
- The payment for the provision of health care to any consumer.
Each licensee shall notify the Insurance Commissioner that a cybersecurity event has occurred, as promptly as possible but in no event later than 3 business days after the date on which such licensee first determines that a cybersecurity event has occurred, if:
- Connecticut is the state of domicile of the licensee, in the case of an insurer, or the home state of the licensee, in the case of a producer, as those terms are defined in CT Code § 38a-702a, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing Connecticut or any material part of licensee’s operations.
- The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing Connecticut and the cybersecurity event is either:
- A cybersecurity event impacting the licensee that the licensee is required to notify any government body, self-regulatory agency, or any other supervisory body about pursuant to any state or federal law; or
- A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Connecticut or a material part of licensee’s operations.
When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event.
- A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.
- How the cybersecurity event was discovered.
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
- The identity of the source of the cybersecurity event.
- Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
- A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
- The period during which the information system was compromised by the cybersecurity event.
- The number of total consumers residing in this state that, within such licensee's knowledge at the time that such licensee discloses such number to the commissioner, are affected by the cybersecurity event.
- The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
- A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
- The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
Third-Party Notice Requirements:
If a licensee discovers that a cybersecurity incident in an information system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Commissioner of Insurance.
The Commissioner may take any action that is necessary or appropriate to enforce the provisions of the code and, in addition to or in lieu of suspending, revoking or refusing to reissue or renew any license, certificate of registration or authorization to operate the commissioner has issued, or may issue, to the licensee, impose on such licensee a civil penalty of not more than fifty thousand dollars for each violation of the provisions of this section. The commissioner may bring a civil action to recover the amount of any civil penalty that the commissioner imposes on a licensee.
Information Security Standard
Covered Entities: Any entity that owns, licenses, or maintains computerized data that includes PI of Connecticut residents.
First Party Security Standard: Any entity who collects Social Security numbers in the course of business shall create a privacy protection policy which shall be published or publicly displayed. For purposes of this subsection, "publicly displayed" includes, but is not limited to, posting on an Internet web page. Such policy shall (1) protect the confidentiality of Social Security numbers, (2) prohibit unlawful disclosure of Social Security numbers, and (3) limit access to Social Security numbers.
Third Party Security Standard: N/A
Disposal/Destruction Standard: Any entity in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.
Data Format: Electronic and physical.
Citations: Conn. Gen. Stat. § 42-471
- Personal Information (PI): An individual’s first name / first initial and last name in combination with one (1) or more of the following data elements:
- Social Security number;
- Driver’s license number or state identification card number;
- Financial account or payment card number plus any required security code, access code, or password that would permit access to an individual’s financial account;
- Taxpayer identification number;
- Identity protection personal identification number issued by the IRS;
- Passport number, military identification number or other identification number issued by the government that is commonly used to verify identity;
- Medical information regarding individual medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
- Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual; or
- Biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina or iris image.
A username or email address in combination with a password or security question and answer that would permit access to an online account.
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Methods of Compliance:
The statute does not define methods of compliance.
- Health Care: N/A
- Financial: N/A
- Other: These requirements do not apply to any agency or political subdivision of the state.
These requirements are enforceable only by such other state agency pursuant to such other state agency's existing statutory and regulatory authority.
Violating entities shall be subject to a civil penalty of $500 for each violation, provided such civil penalty shall not exceed $500,000 dollars for any single event. It shall not be a violation of this section if such violation was unintentional.