General Assembly |
||
January Session, 2007 |
*_____SB01089JUD___043007____* |
AN ACT ENCOURAGING THE SAFEKEEPING OF CONSUMER INFORMATION.
Be it enacted by the Senate and House of Representatives in General Assembly convened:
Section 1. Section 36a-701b of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2007):
(a) For purposes of this section, "breach of security" means unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable; "personal information" means an individual's first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number; (2) driver's license number or state identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
(b) Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall disclose any breach of security following the discovery of the breach to any resident of this state whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security. Such disclosure shall be made without unreasonable delay, subject to the provisions of subsection (d) of this section and the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system. Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.
(c) Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information was, or is reasonably believed to have been accessed by an unauthorized person.
(d) Any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination.
(e) Any notice required by the provisions of this section may be provided by one of the following methods: (1) Written notice; (2) telephone notice; (3) electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001; (4) substitute notice, provided such person demonstrates that the cost of providing notice in accordance with subdivision (1), (2) or (3) of this subsection would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand persons or the person does not have sufficient contact information. Substitute notice shall consist of the following: (A) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the web site of the person, business or agency if the person maintains one; and (C) notification to major state-wide media, including newspapers, radio and television.
(f) Any person that maintains such person's own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies subject persons in accordance with such person's policies in the event of a breach of security. Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies subject persons in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security of the system.
(g) Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General.
(h) Notwithstanding any provision of the general statutes, and in addition to any other liability of a person to a bank or an out-of-state bank, any person required to provide notice under subsection (b) or (c) of this section shall be liable to a bank or an out-of-state bank that has customers whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through a breach of security, for the costs of any reasonable action undertaken by the bank or out-of-state bank on behalf of its customers as a direct result of the breach of security in order to protect the sensitive information or financial interests of such customers or to continue to provide financial services to such customers, including any costs incurred in connection with: (1) The cancellation or reissuance of any credit card, debit card or other account access device issued by any such bank or out-of-state bank; (2) the closure of any deposit, transaction or other account and any other actions to stop payments or block transactions with respect to any such account; (3) the opening or reopening of any deposit, transaction or other account for any customer of the bank or out-of-state bank; (4) any refund or credit made to any customer of the bank or out-of-state bank as a result of unauthorized transactions; and (5) any assistance provided to customers to help mitigate loss or inconvenience or to prevent further loss or inconvenience.
This act shall take effect as follows and shall amend the following sections: | ||
Section 1 |
October 1, 2007 |
36a-701b |
BA |
Joint Favorable Subst. |
|
GL |
Joint Favorable |
|
JUD |
Joint Favorable |