

Breaches of Personal Information Must Now Be Reported to the Attorney General




by:
Joan W. Feldman
Charles L. Howard
Catherine F. Intravia
David M. Mack
William J. Roberts
Shipman & Goodwin LLP - Hartford Office

 
August 10, 2012

Previously published on August 2, 2012

Connecticut law[1] requires any person conducting business in the state that owns, licenses or maintains computerized data that includes “personal information”[2] to notify individuals affected by a breach of security of personal information. A “breach of security” is defined as any unauthorized access or acquisition of electronic files, media, databases or computerized data containing personal information that has not been secured by encryption or other security measures. In particular, Connecticut requires such individuals or businesses to notify Connecticut residents whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through a breach of security without unreasonable delay, unless the individual or business reasonably determines that the breach will not likely result in harm to the individuals whose personal information was acquired or accessed. Failure to provide notice is enforceable by the Attorney General and may constitute a violation of the Connecticut Unfair Trade Practices Act.

Beginning October 1, 2012, Public Act 12-1[3] requires that a breach of security, as discussed above, must also be reported to the Connecticut Attorney General. The Attorney General has the authority to investigate and request documentation about such breaches. The Attorney General may also take enforcement action against any party that fails to abide by the notification requirements or respond properly to a breach of security.

Businesses in the state that maintain personal information on their systems should create and implement policies and procedures specifically outlining a swift and comprehensive response to security breaches. In addition, these businesses should ensure that all of their employees whose duties relate to the storage or maintenance of such sensitive information receive regular training on breach recognition and response. If, at any time, a security breach involving personal information is detected, the incident should be thoroughly investigated, documented and reported to the proper parties as required by law. Businesses should also be aware that if they maintain personal information about residents of other states, the personal information laws of those states may also apply.


[1] Connecticut General Statute 36a-701b

[2] For purposes of Connecticut General Statute 36a-701b, "personal information" means an individual's first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number; (2) driver's license number or state identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

[3] Public Act 12-1 is from the Connecticut General Assembly’s June 12, 2012 Special Session. A copy of the relevant section of the Public Act is available at http://shipmangoodwin.com/files/16230-PA%2012-1-%20Section%20130%20-Personal%20Information-.pdf.



 

The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.
 
