Connecticut
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe
Within 60 days
FINES & PENALTIES – Violations
Civil penalties up to $5,000
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Breach Reporting: Required
Vendor Obligations: Required
Consumer Notification: Required
Vendor Contracts: Not Required
Vendor Notification: Required
Privacy Program: Required
QUICK FACTS
Connecticut Privacy Law Information
Organizations can defend against civil liability from certain causes of action arising out of a data breach by having a written cybersecurity program that conforms with an industry-recognized framework. Organizations in possession of personal information must have measures in place to safeguard personal information, including measures for secure disposal. Heightened protection and handling requirements apply to the collection of Social Security numbers and military identification information, including an Organization's obligation to maintain a privacy protection policy.
Breach notification to the Attorney General must be completed no later than consumer notifications. If a breach of security includes individuals' Social Security numbers, the Organization must provide all affected individuals with at least 24 months of identity theft prevention or mitigation services at no cost to the individuals. The Organization is responsible for completing any necessary regulatory reporting and consumer notification. Effective 10/1/2021, businesses may have affirmative defenses to certain causes of action arising out of a data breach by having a written cybersecurity program that conforms with an industry-recognized framework.
Connecticut residents affected by a breach of security must be notified without delay, but no later than 60 days after the discovery of the breach. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside. Effective October 21, 2021, if additional affected residents are discovered after the 60-day notice deadline, those residents must be notified as soon as expediently possible.
Organizations may be fined or penalized for willful compliance violations, with penalties of up to $500,000 per violation.
Connecticut Statutes and Laws
Student data privacy
Breach of security
Connecticut insurance information and privacy protection act
Protection of social security numbers and personal information
Incentivizing the adoption of cybersecurity standards for businesses
DISCLAIMER
The information provided is not legal guidance or a recommendation and is for informational purposes only.