CONNECTICUT’S NEW LEGAL REQUIREMENTS FOR BUSINESSES VICTIMIZED BY SECURITY BREACHES

Effective October 1, 2015, Connecticut’s security breach notification statute was amended to increase the legal obligations of any business that sustains a security breach. The statute defines a breach of security as any “unauthorized access to or unauthorized acquisition of” electronic files or other data containing personal information if the information is not encrypted or otherwise secured so that it is unreadable or unusable. Personal information includes a person’s first name or first initial and last name combined with his or her social security number, driver’s license number or information permitting access to the person’s financial accounts.

The amended law requires businesses, within ninety (90) days after discovery of a security breach, to provide notice of the breach to each Connecticut resident whose personal information was breached or is reasonably believed to have been breached. Businesses must provide each resident, at no cost, with appropriate identity theft prevention services and, if the resident’s personal information was stolen, identity theft mitigation services for a period of at least twelve (12) months. They must also provide each resident with the information necessary to enroll in the identity theft prevention and (if applicable) mitigation services as well as information on how the resident can place a credit freeze on his or her credit file. The new and existing requirements of General Statutes Section 36a-701b can be enforced by Connecticut’s Attorney General. Penalties for violation may include restitution, civil penalties and punitive damages.

Currently, there is no federal security breach notification statute. However, a recent federal court ruling upheld the authority of the Federal Trade Commission (FTC) to regulate businesses’ data security practices. In FTC v. Wyndham Worldwide Corp., the Third Circuit Court of Appeals determined that the FTC has the authority under Section 5 of the Federal Trade Commission Act (“FTC Act”) to bring unfair and deceptive trade practices claims against companies whose data security practices unreasonably and unnecessarily expose consumers’ personal data to security breach risks. The FTC can seek injunctive orders and civil penalties against businesses for violating the FTC Act. As a result, a business that sustains a security breach may be subject to an enforcement action by the FTC.

If a Connecticut business discovers that any of the personal information it maintains has been or may have been affected by a security breach, it should immediately contact an attorney experienced in data security issues for advice on complying with Connecticut’s security breach notification statute, the laws of any other states whose residents’ personal information may have been compromised, and any applicable federal statutes. The best way for a business to avoid the significant legal obligations and consequences of a security breach is to enact reasonable data security policies and safeguards to minimize its risks. A business should also consider obtaining cyber insurance or other appropriate insurance to cover its potential liabilities. For more information, please contact Mark W. Klein (mklein@brodywilk.com).

© 2022 • Brody Wilkinson PC