
November 9, 2005
2005-R-0796
CHOICEPOINT AND SECURITY BREACH LEGISLATION
By: Daniel Duffy, Principal Analyst
You asked (1) for a summary of 2005 Connecticut legislation addressing security breaches of information held in electronic databases, (2) whether other states, in addition to Connecticut, adopted security legislation responding to the Choicepoint security breach, (3) for the status of the attorney general’s investigation, and (4) for a summary of Connecticut’s law on disclosure of Social Security numbers.
SUMMARY
Choicepoint, a business that collects and disseminates information about individuals, announced in early 2005 that it erroneously released personal identifying information. Notification about the breach was compelled by a California law.
Connecticut adopted a similar law in 2005. It requires businesses to inform consumers if there has been a security breach affecting them. The notification must generally be made without unreasonable delay. If requested by a law enforcement agency conducting an investigation, the business must delay sending the notice. The law establishes notification procedures. It makes a violation of the security breach requirements an unfair or deceptive trade practice.
The attorney general’s investigation is ongoing.
Over half of the states considered adopting security breach legislation in 2005 and Connecticut was one of 20 that did. The acts are similar to California’s.
Connecticut prohibits individuals and businesses from disclosing Social Security numbers.
CHOICEPOINT SECURITY BREACH
In mid-February 2005, the consumer data company Choicepoint suffered a security breach. The company said that it affected more than 145,000 people in all 50 states. Its announcement was made as Choicepoint complied with a California law requiring businesses to notify consumers about security breaches affecting them. It recently stated that it warned an additional 17,000 people because the breach may have also affected them. Choicepoint is one of the nation's largest collectors of consumer information. The breach was caused by individuals posing as legitimate businessmen. It was not caused by hackers gaining access into Choicepoint’s computers.
AN ACT REQUIRING CONSUMER CREDIT BUREAUS TO OFFER SECURITY FREEZES (PA 05-148, PA 05-288)
The act requires businesses to inform the affected consumers if there has been a security breach involving their computerized personal information.
It requires anyone doing business in Connecticut and who, in the ordinary course of business, owns, maintains, or licenses computerized data that includes personal information, to disclose a “breach of security”. The disclosure must generally be made without unreasonable delay and made to state residents whose personal information has been, or is reasonably believed to have been, accessed by an unauthorized person.
If the business does not own the personal data, it must notify the person who owns or licenses it. The act defines “breach of security” as the unauthorized access to, or acquisition of, electronic files, media, databases, or computerized data that contain personal information when access to the information has not been secured by encryption or by any other method or technology that makes it unreadable or unusable.
For the act’s purposes, “personal information” means an individual’s first name or initial and last name in addition to one or more of the following: (1) Social Security number; (2) driver’s license number or state identification card number; or (3) an account number, credit or debit card number, in combination with its security code, access code, or password that permits access to the individual’s financial account. The act excludes publicly available information that is lawfully made available to the public from federal, state, or local government records or widely distributed media.
Making a Disclosure
Businesses must disclose security breaches after the completion of an investigation to (1) determine the scope of the incident, (2) identify the affected individuals, or (3) restore the reasonable integrity of the data system. PA 05-288 requires notification without unreasonable delay subject to the act’s provision requiring businesses to delay notification if requested by a law enforcement agency conducting a criminal investigation. The act does not require disclosure if, after appropriate investigation and consultation with federal, state, and local law enforcement agencies, the business reasonably determines that the breach will not likely result in harm to the affected individuals.
Criminal Investigation
The act requires businesses to delay public notification for a reasonable time if a law enforcement agency asks, after determining that notification will impede a criminal investigation. In this case, notification must be made after the law enforcement agency determines and notifies the business that notification will not compromise the investigation.
Notifying the Public
The act requires the notice to be given: (1) in writing; (2) by telephone; (3) electronically, if it is consistent with the federal “e-sign” law; or (4) using a substitute method, if the business can demonstrate that the cost of using the first three methods is more than $250,000, that the class of affected people is larger than 500,000, or the business does not have sufficient contact information. The act requires the substitute notice to be: (1) by e-mail when the business has the e-mail address of the affected person; (2) through conspicuous posting on its website, if it has one; and (3) sent to major statewide media, including newspapers, radio, and television.
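The definitions and thresholds above lend themselves to a small triage checklist that an incident responder can run against a compromised record set. The following is an added example written for this page, not code from the OLR report or from any state agency: it encodes the act’s definition of “personal information” (name plus one of the listed identifiers, with an account number counting only together with its code), the encryption exclusion in the definition of “breach of security”, the law-enforcement delay rule, and the three conditions under which substitute notice is available. The record layout, the sample records, and the function names are constructed assumptions; the dollar and headcount thresholds are the ones stated in the report.

```python
"""Breach-notification triage helper encoding the PA 05-148 definitions
summarized in the report. Added illustration; not the report's own text."""
from dataclasses import dataclass
from typing import List, Optional

# Thresholds for substitute notice, as stated in the report.
SUBSTITUTE_NOTICE_COST = 250_000        # direct-notice cost above this amount
SUBSTITUTE_NOTICE_CLASS_SIZE = 500_000  # affected class larger than this


@dataclass
class Record:
    """One row of a compromised data set (constructed layout, not from the act)."""
    first_name: Optional[str] = None      # first name or initial
    last_name: Optional[str] = None
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    state_id: Optional[str] = None
    account_number: Optional[str] = None  # account, credit or debit card number
    account_code: Optional[str] = None    # security code, access code or password


def is_personal_information(rec: Record) -> bool:
    """Name (first name or initial plus last name) combined with at least one
    of: SSN, driver's license or state ID number, or an account number
    together with the code that permits access to the account."""
    if not (rec.first_name and rec.last_name):
        return False
    if rec.ssn or rec.drivers_license or rec.state_id:
        return True
    # An account number alone is not enough; the act requires the matching code.
    return bool(rec.account_number and rec.account_code)


def is_breach_of_security(records: List[Record], data_unreadable: bool) -> bool:
    """Unauthorized access to personal information is a 'breach of security'
    unless the data was encrypted or otherwise made unreadable or unusable."""
    if data_unreadable:
        return False
    return any(is_personal_information(r) for r in records)


def notice_due_now(investigation_complete: bool, law_enforcement_hold: bool) -> bool:
    """Notice follows completion of the incident investigation and is delayed
    while a law enforcement agency has asked the business to hold it."""
    return investigation_complete and not law_enforcement_hold


def substitute_notice_allowed(direct_notice_cost: int, affected_count: int,
                              has_contact_info: bool) -> bool:
    """Substitute notice (e-mail, website posting, statewide media) is allowed
    when direct notice would cost more than $250,000, more than 500,000
    people are affected, or the business lacks sufficient contact information."""
    return (direct_notice_cost > SUBSTITUTE_NOTICE_COST
            or affected_count > SUBSTITUTE_NOTICE_CLASS_SIZE
            or not has_contact_info)


# Constructed sample records; the identifier values are placeholders.
SAMPLE_RECORDS = [
    Record("Jane", "Doe", ssn="000-00-0000"),                         # name + SSN
    Record("J", "Roe", account_number="4111-0000"),                   # number without code
    Record("J", "Roe", account_number="4111-0000", account_code="123"),  # number + code
    Record(None, "Poe", drivers_license="D0000000"),                  # no first name/initial
]


def triage(records: List[Record], data_unreadable: bool,
           direct_notice_cost: int, has_contact_info: bool) -> dict:
    """Summarize what the act's definitions say about a record set."""
    affected = [r for r in records if is_personal_information(r)]
    return {
        "personal_information_records": len(affected),
        "breach_of_security": is_breach_of_security(records, data_unreadable),
        "substitute_notice_allowed": substitute_notice_allowed(
            direct_notice_cost, len(affected), has_contact_info),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, data_unreadable=False,
                 direct_notice_cost=1_000, has_contact_info=True))
```

Whether a breach “will not likely result in harm” is a judgement the act leaves to the business after consulting law enforcement, so the helper deliberately does not model that exemption; it only records which records meet the statutory definitions so that decision is made on an accurate count.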
Businesses with Security Breach Procedures
The act deems that a business is complying with its notification requirements, regardless of the act’s provisions on public notification, if it: (1) maintains its own security breach procedures as part of an information security policy to treat personal information, (2) otherwise complies with the act’s timeliness requirements, and (3) notifies affected people of a security breach in accordance with its own procedures. Further, the act deems a business to comply with its notification requirements if it maintains a security breach procedure in compliance with the rules, regulations, procedures, or guidelines established by the primary or secondary federal “functional regulator” as defined by federal law if it notifies affected people of a security breach in accordance with them. PA 05-288 corrects the reference in the act to federal law about functional regulators.
The federal Gramm-Leach-Bliley Act (P.L. 106-102, 15 USC § 6809(2)) defines “federal functional regulator” as (1) the Board of Governors of the Federal Reserve System, (2) the Office of the Comptroller of the Currency, (3) the Board of Directors of the Federal Deposit Insurance Corporation, (4) the Director of the Office of Thrift Supervision, (5) the National Credit Union Administration Board, and (6) the Securities and Exchange Commission.
Connecticut Unfair Trade Practices Act (CUTPA)
The act makes a violation of its security breach provisions a violation of CUTPA (CGS § 42-110a et seq.). CUTPA allows the DCP commissioner to investigate complaints, issue cease and desist orders, order restitution in cases involving less than $5,000, enter into consent agreements, ask the attorney general to seek injunctive relief, and accept voluntary statements of compliance. The act also allows individuals to sue. Courts may issue restraining orders; award actual and punitive damages, costs, and reasonable attorneys’ fees; and impose civil penalties of up to $5,000 for willful violations and $25,000 for violation of a restraining order.
STATUS OF THE ATTORNEY GENERAL’S INVESTIGATION
The office of the attorney general is conducting an ongoing investigation of the Choicepoint security breach. The company, once it learned that the attorney general opened an investigation, announced that it would give Connecticut consumers notice if the security breach affected them. The attorney general’s office knows that Choicepoint sent notices and has no reason to believe that the company has not fulfilled its promise.
LEGISLATIVE ACTIVITY IN OTHER STATES
Thirty-nine states considered adopting security breach legislation in 2005 in response to the Choicepoint security breach. Connecticut was one of at least 20 states that did. All the adopted measures, including Connecticut’s, generally take the same approach as the law in California. There are some differences. For example, Arkansas applies the requirement to businesses and also to state agencies and additionally requires notification if the security of medical records is breached (2005 Ark. Acts 1526). Indiana applies the requirement to state or local agencies but not to businesses (2005 Acts 503). Georgia only applies the requirement to “information brokers,” which it defines as a person or entity that engages in the business of collecting, assembling, evaluating, compiling, reporting or communicating information about individuals for the primary purpose of giving it to third parties (2005 Ga. Laws 83).
CONNECTICUT LAW ON DISCLOSURE OF SOCIAL SECURITY NUMBERS
With some exceptions, the law prohibits individuals and businesses from publicly disclosing Social Security numbers. The prohibition, passed in 2003, does not prevent the numbers from being (1) collected, used, or released as required by state or federal law or (2) used for internal verification or administrative purposes (CGS § 42-470).
Specifically, the law prohibits any person, firm, corporation, or other entity, other than the state or its political subdivisions, from:
1. intentionally communicating or otherwise making available to the general public an individual’s Social Security number;
2. printing anyone’s Social Security number on any card that the person must use to access the person or entity’s products or services;
3. requiring anyone to transmit his Social Security number over the Internet, unless the connection is secure or the number is encrypted; or
4. requiring anyone to use his Social Security number to access an Internet web site, unless a password or unique personal identification number or other authentication is also required to access it.
The prohibition does not apply to certain individual and group health insurance policies delivered, issued for delivery, renewed, or continued on and after July 1, 2005. These policies include (1) basic hospital, (2) basic medical-surgical, (3) major medical expenses, (4) accident only, (5) limited benefit, and (6) hospital and medical expenses paid by HMOs.
The penalty for willful violations is a fine of up to $100 for the first offense, up to $500 for a second offense, and up to $1,000 or six months in prison for each subsequent offense.
DD: dw