Connecticut Updates Data Breach Law

On July 1, Gov. Dannel Malloy signed legislation that expands the state’s current definition of personal information, and requires new data breach security terms and conditions in every state contract dealing with confidential information.

by Beth Winters / July 1, 2015

Today Connecticut Gov. Dannel Malloy (D) signed into law legislation, Act 15-142, that will make numerous changes to the state's existing breach of security law.

Connecticut's law will not only expand its current definition of personal information to include biometric data such as a fingerprint, a voice print, and a retina or iris image, but it will also require new data breach security terms and conditions in every state contract dealing with confidential information shared by a state contracting agency. Among other changes, Act 15-142 will also require companies doing business in Connecticut to provide identity theft protection services for twelve months at no cost to a resident whose personal information was compromised.
 
The IT Alliance for Public Sector (ITAPS) and other organizations were concerned about the original bill, including its overly broad definitions for "confidential information" and "confidential information breach" that would have complicated compliance for information technology (IT) vendors. Also troublesome were the original bill's provisions that established unrealistically short deadlines for notice of a breach of confidential information, requirements for the creation of a plan to mitigate the breach, and a mandate that a vendor must cease using data if there was a breach.
  
While not all of the concerns raised by stakeholders were addressed, substantial headway was achieved. You can click here for an ITAPS-prepared digest of some of the highlights of Connecticut's new data security law that will impact IT companies.
 
According to the National Conference of State Legislatures, at least 32 states in 2015 introduced or are considering security breach notification bills that will require reporting to a state agency or attorney general and that expand the definition of personal information.  ITAPS will continue its efforts to monitor data breach legislation proposals.  
 
This is reprinted with permission from ITAPS, a division of the Information Technology Industry Council (ITI).
 