Connecticut Assembly Unanimously Votes to Strengthen Data Breach Notification Law

A bill passed by the Senate and House of Representatives mandates all data breaches be reported to Attorney General George Jepsen's office within 90 days.

by Mackenzie Rigg, The News-Times / June 3, 2015
Connecticut Attorney General George Jepsen (pictured) said his office will continue to scrutinize breaches and to take enforcement action against companies that unreasonably delay notification Flickr/Western Connecticut State University

(TNS) -- The Connecticut General Assembly unanimously approved changes late Monday to the state's data-breach notification law, including requiring at least one year of identify-theft protection for victims whose Social Security numbers have been compromised.

Additionally, the bill passed by the Senate and House of Representatives strengthened the law by mandating all data breaches be reported to Attorney General George Jepsen's office within 90 days. The reporting requirement first went into effect on Oct. 1, 2012, but didn't include a deadline.

"We had a good law in place and this makes it better," Jepsen said.

The legislation calls for these two changes to start on Oct. 1 and now goes to Gov. Dannel P. Malloy for consideration.

Since the notification law first took effect in 2012, more than 1,100 reports have been made to the AG's office, including 445 in 2013 and 447 in 2014, records show. That compares to barely 10 reports the year before the law was passed, officials said.

"The unfortunate reality is that, as hackers become more and more sophisticated, it's likely that consumers will continue to be impacted by breaches for the foreseeable future," Jepsen said.

Jepsen said his office will continue to scrutinize breaches and to take enforcement action against companies that unreasonably delay notification, even if the breach is reported less than 90 days after it was discovered.

Since 2012, the breaches reported to the AG's office have varied greatly in scope and size.

Some involved a mere handful of consumers, while others affected several hundred. The potential damage of the breaches also ranged from relatively minor to much more serious.

Reports on data breaches are assessed by one of Jepsen's staff attorneys. In the most serious cases, an investigation results, as it did in dozens of cases since 2012.

Some of these probes ended with an informal agreement to improve security, others in litigation that led to financial penalties against the companies involved. Ongoing investigations include those into breaches at Target, The Home Depot and Neiman Marcus.

Perhaps the most serious ongoing case involves health insurer Anthem, which announced earlier this year that more than 1.7 million Connecticut residents were affected by a cyber attack, compromising the security of information, including names and Social Security number.

©2015 The News-Times (Danbury, Conn.) Distributed by Tribune Content Agency, LLC.

Platforms & Programs