Mandated Timeframe for Breach Reporting and/or Consumer Notification
Within 90 days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach notification laws:
- civil penalties of up to $5,000
None to minimal
Connecticut residents affected by a breach of security must be notified without delay, but no later than 90 days after discovery of the breach.
Breach notification to the Attorney General must be completed no later than consumer notifications.
If a breach of security includes individuals’ Social Security numbers, the business must provide all affected individuals with at least 24 months of identity theft prevention or mitigation services at no cost to the individuals.
Businesses must have measures in place for the protection of personal information in their possession, including measures for the secure disposal of electronic and paper records.
Heightened protection and handling requirements apply to Social Security numbers.
If a vendor is breached, the vendor must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Sector-specific laws (insurance, education, health) require entities to have policies, procedures and security programs in place for the protection of personal information, with requirements such as employee training, vendor contracting, vendor management, and an individual’s right to access their personal information.
Connecticut’s Insurance Data Security Law includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security. Licensees have until 10/1/2020 to comply with the information security requirements, and until 10/1/2021 to comply with the vendor management requirements.
Entities regulated by the Insurance Commissioner have a breach notification deadline of 3 business days.
Statutes and Laws
CT Gen Stat § 36a-701b Breach of Security
CT Gen Stat, Ch. 743dd Protection of Social Security Numbers and Personal Information
CT Gen Stat, Ch. 705 Connecticut Insurance Information and Privacy Protection Act
CT Gen Stat § 10-234aa – 10-234gg Student Data Privacy