Day Pitney remains committed to providing quality legal counsel, while protecting our clients and employees, and transforming our communities into more just, equal and equitable spaces. For more information, please visit our COVID-19 Resource Center | Racial Justice and Equity Task Force.
On June 16, Connecticut Gov. Ned Lamont signed House Bill No. 5310, titled "An Act Concerning Data Privacy Breaches" (the act). The act, which goes into effect October 1, amends Conn. Gen. Stat. § 36a-701b, Connecticut's existing breach notification law, and significantly expands the definition of "personal information," in addition to other enhancements described below. Helpfully, the new act deems persons who provide notice to affected Connecticut residents under the Health Information Technology for Economic and Clinical Health (HITECH) Act to be in compliance with the act.
Previously, Connecticut law defined "personal information" as an individual's first name, or first initial and last name, in combination with any one or more of the following data categories:
The act expands Connecticut's definition of "personal information" to align more closely with laws in other states by including the following data categories:
The act shortens the maximum allowable amount of time for breach notification from not later than 90 days to not later than 60 days after the discovery of a breach.
The act clarifies that if additional Connecticut residents impacted by a breach are identified after the 60-day period, they must be notified as "expediently as possible."
One of the most significant changes under the act is the elimination of what some interpreted as an option to defer notification, pending completion of an investigation to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the affected data system.
The act includes additional requirements in the event of a login credential breach. In such event, notice must be provided to the affected Connecticut resident that enables them to:
Under the act, any person who provides notice to affected Connecticut residents in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act does not need to send separate notices to comply with the requirements of the act, so long as such person is in compliance with the HITECH Act's privacy and security standards. If a HITECH Act notice is required, however, then notice must also be provided to the Connecticut Attorney General no later than the time the HITECH Act notice is provided to the affected Connecticut residents.
Under the act, documents, materials and information provided to the Connecticut Attorney General in response to an investigative demand issued in an investigation of a security breach are exempt from public disclosure under subsection (a) of Section 1-210 of Connecticut's Freedom of Information Act, Conn. Gen. Stat. § 1-210 (2013), provided that the Connecticut Attorney General may make such documents, materials and information available to third parties in furtherance of its investigation.
Persons who own, license or maintain the personal information of Connecticut residents should review their existing data breach response protocols, or seek counsel, to ensure compliance with Connecticut's amended breach notification law when it goes into effect October 1.
Day Pitney hosted its annual invitation-only Palm Beach Family Office Forum at the PGA National Resort and Spa.
Day Pitney Alert
The arrival of Cybersecurity and Data Protection Partner William J. Roberts was featured in Hartford Business Journal.
Day Pitney Partners William J. Roberts and Christopher F. Droney were both selected as recipients of the Distinguished Leaders Award in the 2022 Connecticut Legal Awards, sponsored by the Connecticut Law Tribune.
The arrival of William J. Roberts was featured in The Valley Press.
Cybersecurity and Data Protection practice chair and Counsel Steven A. Cash was quoted in Above The Law's whitepaper, "The Mega Metaverse Round-Up For Lawyers."
The arrival of William J. Roberts was featured in Cybersecurity Law Report. Roberts is based in Hartford, CT, where he focuses on helping clients develop and implement data security systems and processes.
Eric Fader authored a chapter in the 2017 edition of Westlaw's "Data Security and Privacy Law" treatise, published by Thomson Reuters.
This website may use cookies, pixel tags and other passive tracking technologies, including Google Analytics, to improve functionality and performance. For more information, see our Privacy Policy. By using our website, you are consenting to our use of these tracking technologies. You can alter the configuration of your browser to refuse to accept cookies, but if you do so, it is possible that some areas of web sites that use cookies will not function properly when you view them. To learn more about how to delete and manage cookies, refer to the support instructions for each browser (e.g., see AllAboutCookies.org). You may locate Google Analytics' currently available opt-outs for the web here.
This website may use cookies, pixel tags and other passive tracking technologies, including Google Analytics, to improve functionality and performance. For more information, see our Privacy Policy. By using our website, you are consenting to our use of these tracking technologies. You can alter the configuration of your browser to refuse to accept cookies, but if you do so, it is possible that some areas of web sites that use cookies will not function properly when you view them. To learn more about how to delete and manage cookies, refer to the support instructions for each browser (e.g., see AllAboutCookies.org). You may locate Google Analytics' currently available opt-outs for the web here.