Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • New laws effective as October 1, 2015
  • Comprehensive provisions for notifications
  • Mandatory provision of identity theft prevention services 
  • 90 day deadline for notifications
  • Limited methods of notification delivery
  • 5 day deadline for entities regulated by Insurance Commissioner
  • State attorney general may require notification with specific information
  • Violations constitute unfair trade practice

Who Me?


Connecticut breach and notification laws may apply if you:

  • Conduct business in CT and own, license, or maintain computerized data that includes PII;
  • Maintain computerized data that includes PII that you do not own.

 There are exemptions.

Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply.

What is PII?


PII relevant to a breach in Connecticut includes an individual’s name with one or more of the following:

  • Social security number;
  • Driver license number or identification card number;
  • Financial account numbers or credit/debit card numbers with security or access codes or passwords.



General Statutes of Connecticut include, but are not limited to:

  • 36a-701b – Breach of security re computerized data containing personal information;
  • Bulletin IC-25 of the State of Connecticut Insurance Department;
  • (Senate Bill 949) Public Act No. 15-142:  An Act Improving Data Security and agency Effectiveness, Sections 5 & 6 (effective as of October 1, 2015).


A few of these laws include, but are not limited to:

  • (Senate Bill 949) Public Act No. 15-142:  An Act Improving Data Security and agency Effectiveness, Sections 1, 2, 5, & 7 (effective dates include July 1, 2015 and October 1, 2015);
  • Chapter 743dd: Protection of Social Security Numbers and Personal Information / Section 42-470 to 42-472d.



Failure to comply with the requirements constitutes an unfair trade practice and is enforced by the state attorney general. Connecticut’s statute defers to the Federal Trade Commission and the federal courts.



When considering reporting requirements, it would include, but not limited to:

  • The combination of personal information breached;
  • If the data electronic files, media, databases or computerized data;
  • If the data included any kind of key or password;
  • If it was acquired by an unauthorized person;
  • If there is a material risk of identity theft or other fraud.


Notification may be delayed if law enforcement indicates the notification may interfere with an investigation, otherwise, it must be sent without unreasonable delay (with other stipulations), but not later than 90 days. The Attorney General must be notified within the same time limit. Reporting to Insurance Commissioner with specific information has five day time limit.


Requires detailed information and potential provision of services

(New law) requires appropriate identity theft prevention services to be provided for a period of twelve months. The resident must be given all the information necessary for them to enroll, in addition to credit freeze information.

Disclosure may only be made by written notice, telephone, or electronic, with stipulations. A substitute notice, with specific requirements, may be used if the cost of providing the notice exceeds $250,000 or the persons notified exceeds 500,000 or they do not have sufficient contact information.

Contact the Privacy Experts at CSR