CHAPTER 669

REGULATED ACTIVITIES

Table of Contents

Sec. 36a-701b. *(See end of section for amended version of subparagraph (B) of subdivision (2) of subsection (b) and effective date.) Breach of security re computerized data containing personal information. Notice of breach. Provision of identity theft prevention services and identity theft mitigation services. Delay for criminal investigation. Means of notice. Unfair trade practice.


PART V

CONSUMER CREDIT REPORTS

Sec. 36a-701b. *(See end of section for amended version of subparagraph (B) of subdivision (2) of subsection (b) and effective date.) Breach of security re computerized data containing personal information. Notice of breach. Provision of identity theft prevention services and identity theft mitigation services. Delay for criminal investigation. Means of notice. Unfair trade practice. (a) For purposes of this section, (1) “breach of security” means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable; and (2) “personal information” means an individual's first name or first initial and last name in combination with any one, or more, of the following data: (A) Social Security number; (B) driver's license number or state identification card number; (C) credit or debit card number; or (D) financial account number in combination with any required security code, access code or password that would permit access to such financial account. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.

(b) (1) Any person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall provide notice of any breach of security following the discovery of the breach to any resident of this state whose personal information was breached or is reasonably believed to have been breached. Such notice shall be made without unreasonable delay but not later than ninety days after the discovery of such breach, unless a shorter time is required under federal law, subject to the provisions of subsection (d) of this section and the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system. Such notification shall not be required if, after an appropriate investigation and consultation with relevant federal, state and local agencies responsible for law enforcement, the person reasonably determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed.

(2) If notice of a breach of security is required by subdivision (1) of this subsection:

(A) The person who conducts business in this state, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information, shall, not later than the time when notice is provided to the resident, also provide notice of the breach of security to the Attorney General; and

*(B) The person who conducts business in this state, and who, in the ordinary course of such person's business, owns or licenses computerized data that includes personal information, shall offer to each resident whose personal information under subparagraph (A) of subdivision (4) of subsection (a) of section 38a-999b or subparagraph (A) of subdivision (2) of subsection (a) of this section was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twenty-four months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file.

(c) Any person that maintains computerized data that includes personal information that the person does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following its discovery, if the personal information of a resident of this state was breached or is reasonably believed to have been breached.

(d) Any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination.

(e) Any notice to a resident, owner or licensee required by the provisions of this section may be provided by one of the following methods: (1) Written notice; (2) telephone notice; (3) electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 USC 7001; (4) substitute notice, provided such person demonstrates that the cost of providing notice in accordance with subdivision (1), (2) or (3) of this subsection would exceed two hundred fifty thousand dollars, that the affected class of subject persons to be notified exceeds five hundred thousand persons or that the person does not have sufficient contact information. Substitute notice shall consist of the following: (A) Electronic mail notice when the person has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the web site of the person if the person maintains one; and (C) notification to major state-wide media, including newspapers, radio and television.

(f) Any person that maintains such person's own security breach procedures as part of an information security policy for the treatment of personal information and otherwise complies with the timing requirements of this section, shall be deemed to be in compliance with the security breach notification requirements of this section, provided such person notifies, as applicable, residents of this state, owners and licensees in accordance with such person's policies in the event of a breach of security and in the case of notice to a resident, such person also notifies the Attorney General not later than the time when notice is provided to the resident. Any person that maintains such a security breach procedure pursuant to the rules, regulations, procedures or guidelines established by the primary or functional regulator, as defined in 15 USC 6809(2), shall be deemed to be in compliance with the security breach notification requirements of this section, provided (1) such person notifies, as applicable, such residents of this state, owners, and licensees required to be notified under and in accordance with the policies or the rules, regulations, procedures or guidelines established by the primary or functional regulator in the event of a breach of security, and (2) if notice is given to a resident of this state in accordance with subdivision (1) of this subsection regarding a breach of security, such person also notifies the Attorney General not later than the time when notice is provided to the resident.

(g) Failure to comply with the requirements of this section shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced by the Attorney General.

(P.A. 05-148, S. 3; 05-288, S. 231, 232; June 12 Sp. Sess. P.A. 12-1, S. 130; P.A. 15-142, S. 6; P.A. 18-90, S. 2.)

*Note: On and after October 1, 2021, subparagraph (B) of subdivision (2) of subsection (b) of this section, as amended by section 231 of public act 19-117 and section 9 of public act 19-196, is to read as follows:

“(B) The person who conducts business in this state, and who, in the ordinary course of such person's business, owns or licenses computerized data that includes personal information, shall offer to each resident whose nonpublic information under subparagraph (B)(i) of subdivision (9) of subsection (b) of section 38a-38 or personal information as defined in subparagraph (A) of subdivision (2) of subsection (a) of this section was breached or is reasonably believed to have been breached, appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twenty-four months. Such person shall provide all information necessary for such resident to enroll in such service or services and shall include information on how such resident can place a credit freeze on such resident's credit file.”

(P.A. 05-148, S. 3; 05-288, S. 231, 232; June 12 Sp. Sess. P.A. 12-1, S. 130; P.A. 15-142, S. 6; P.A. 18-90, S. 2; P.A. 19-117, S. 231; 19-196, S. 9.)

History: P.A. 05-148 effective January 1, 2006; P.A. 05-288 made technical changes in Subsecs. (b) and (f), effective January 1, 2006; June 12 Sp. Sess. P.A. 12-1 amended Subsec. (a) by adding “unauthorized” re acquisition, amended Subsec. (b) by designating existing provisions as Subdiv. (1) and amending same to replace “disclose” with “provide notice of” and “disclosure” with “notice” and by adding Subdiv. (2) re notice of breach of security to Attorney General, amended Subsec. (c) by adding “of a resident of this state” re personal information, amended Subsec. (e) by adding “to a resident, owner or licensee” re notice, replacing “person, business or agency” with “person” and making a technical change, and amended Subsec. (f) by replacing references to subject persons with references to residents of this state, owners and licensees, as applicable, adding provisions re notice to Attorney General and deleting reference to system; P.A. 15-142 made technical changes in Subsec. (a), amended Subsec. (b) to replace “was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security” with “was breached or is reasonably believed to have been breached” and add provision re notice of breach of security not later than 90 days after discovery unless shorter time is required under federal law in Subdiv. (1), to designate existing provision re notice of breach to Attorney General as Subpara. (A) in Subdiv. (2) and amend same to add Subpara. (B) re provision of identity theft prevention services and identity theft mitigation services, and amended Subsec. (c) to replace “was, or is reasonably believed to have been accessed by an unauthorized person” with “was breached or is reasonably believed to have been breached”; P.A. 18-90 amended Subsec. (a)(1) by deleting “account number,” in Subpara. (C), adding Subpara. (D) re financial account number, and making a technical change, and amended Subsec. (b)(2)(B) by replacing “twelve months” with “twenty-four months” re period for which service is to be provided at no cost to resident; P.A. 19-117 amended Subsec. (b)(2)(B) by replacing provision re personal information under Sec. 38a-999b(a)(4)(A) with provision re nonpublic information under Sec. 38a-38(b)(9)(B)(i) and made a conforming change, effective October 1, 2020; P.A. 19-196 changed effective date of P.A. 19-117 from October 1, 2020, to October 1, 2021, effective July 8, 2019.