Mandated Timeframe for Breach Reporting and/or Consumer Notification

Within 90 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- civil penalties of up to $5,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Connecticut residents affected by a breach of security must be notified without delay, but no later than 90 days after discovery of the breach.
  • Breach notification to the Attorney General must be completed no later than consumer notifications.
  • If a breach of security includes individuals’ Social Security numbers, the business must provide all affected individuals with at least 24 months of identity theft prevention or mitigation services at no cost to the individuals.
  • Businesses must have measures in place for the protection of personal information in their possession, including measures for the secure disposal of electronic and paper records.
  • Heightened protection and handling requirements apply to Social Security numbers.
  • If a vendor is breached, the vendor must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Sector-specific laws (insurance, education, health) require entities to have policies, procedures and security programs in place for the protection of personal information, with requirements such as employee training, vendor contracting, vendor management, and an individual’s right to access their personal information.
  • Connecticut’s Insurance Data Security Law includes requirements for insurance licensees to protect personal information and investigate and respond to breaches of security.
  • [Effective October 1, 2020] Entities regulated by the Insurance Commissioner have a breach notification deadline of 3 business days.
Statutes and Laws
  • CT Gen Stat § 36a-701b Breach of Security
  • CT Gen Stat, Ch. 743dd Protection of Social Security Numbers and Personal Information
  • CT Gen Stat, Ch. 705 Connecticut Insurance Information and Privacy Protection Act
  • CT Gen Stat § 10-234aa – 10-234gg Student Data Privacy