Enhance your TRUST relationship with PRIVACY and SECURITY. Privacy Made Simple!

   +1 866 267 0049   830 NE Pop Tilton Place, Jensen Beach, FL 34957

Connecticut
Privacy Laws

Overview

BREACH NOTIFICATION – Mandated Timeframe
Within 60 days

FINES & PENALTIES – Violations
Civil penalties up to $5,000

Legal

Regulation Levels

  • Breach Reporting

    Breach Reporting

  • Consumer Notification

    Consumer Notification

  • Vendor Management

    Vendor Management

  • Vendor Contract Required

    Vendor Contract Required

PRIVACY AND SECURITY LAWS

Laws related to personal information and privacy and security.

QUICK FACTS

Connecticut Privacy Law Information

PRIVACY PROGRAM

Organizations can defend against civil liability from certain causes of actions arising out of a data breach by having a written cybersecurity program that conforms with an industry recognized framework. Organizations in possession of personal information must have measures in place to safeguard personal information, including measures for secure disposal. Heightened protection and handling requirements apply to the collection of Social Security numbers and military identification information, including an Organization’s obligation for a privacy protection policy.

BREACH REPORTING

Breach notification to the Attorney General must be completed no later than consumer notifications. If a breach of security includes individuals’ Social Security numbers, the Organization must provide all affected individuals with at least 24 months of identity theft prevention or mitigation services at no cost to the individuals. The Organization will be responsible to complete any necessary regulatory reporting and consumer notification. Effective 10/1/2021, businesses may have affirmative defenses to certain causes of action arising out of a data breach by having a written cybersecurity program that conforms with an industry-recognized framework.

CONSUMER NOTIFICATION

Connecticut residents affected by a breach of security must be notified without delay, but no later than 60 days after the discovery of the breach. If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside. Effective October 21, 2021, if additional affected residents are discovered after the 60-day notice deadline, those residents must be notified as soon as expediently possible.

INDUSTRY SPECIFIC LAWS
Sector-specific laws (insurance, education, health) require entities to have policies, procedures, and security programs in place for the protection of personal information, with requirements such as employee training, vendor contracting, vendor management, and an individual’s right to access their personal information. Connecticut passed the Insurance Data Security Law, which includes requirements for insurance licensees to protect personal information and investigate and respond to data breaches of security. Effective October 1, 2020 licensees must comply with the breach notification requirements, including Commissioner notification within 3 business days.
FINES & PENALTIES

Organizations may be fined or penalized for willful violations of compliance failures resulting in penalties up to $500,000 per violation.

Connecticut Statutes and Laws

CT GEN STAT § 10-234AA – 10-234GG

Student data privacy

CT GEN STAT § 36A-701b

Breach of security

CT GEN STAT, CH. 705

Connecticut insurance information and privacy protection act

CT GEN STAT, CH. 743dd (42-471(b))

Protection of social security numbers and personal information

CT PUBLIC ACT NO. 21-119

INCENTIVIZING THE ADOPTING OF CYBERSECURITY STANDARDS FOR BUSINESSES

DISCLAIMER

The information provided is not legal guidance or recommendations and are for informational purposes only.