Cybersecurity Breaches Must Be Reported to Attorney General; New CT Law Helps Businesses
/Connecticut state law requires any person who conducts business in the state and experiences a breach of security involving computerized data to provide notice to the Office of the Attorney General in addition to state residents who may be affected.
Anyone who conducts business in Connecticut and who– in the ordinary course of business– owns, licenses or maintains computerized data that includes personal information is required to disclose a security breach to state residents whose personal information is believed to have been compromised. Notice to consumers must be made without unreasonable delay but not later than ninety days from discovery of the breach.
The details of Connecticut’s reporting requirements are outlined in Connecticut General Statutes § 36a-701b.
Business owners must also notify the Office of the Attorney General, no later than when the affected residents are notified, according to the law. Failure to provide such notice may be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA).
To assist business owners in complying with this requirement, the Office of the Attorney General has a dedicated email address for reporting: ag.breach@ct.gov.
“More than ever information systems of American businesses are under attack, threatening not just consumer data, but critical infrastructure,” Attorney General Tong said last month. “The sad reality is that no one is safe—regardless of size or whether you are in the public or private sector—and we all must act to protect our systems.”
Attorney General Tong co-chairs the National Association of Attorneys’ General’s Internet Safety / Cyber Privacy and Security Committee, which serves as a resource for the attorney general community to discuss privacy issues. Tong and a bipartisan coalition of attorneys general urged businesses and government entities to immediately assess their current data security practices and take appropriate steps to protect operations and consumer data.
To simplify the process and minimize the need for the Office of the Attorney General to request additional information, business owners are asked to include the following in any breach notification:
A general description of the breach, including the date(s) of the breach, when and how the breach was discovered, and any remedial steps taken in response to the breach.
The number of Connecticut residents affected by the breach.
A detailed list of the categories of personal information subject of the breach.
The date(s) that notification was/ will be sent to the affected Connecticut residents.
A template copy of the notification sent to the affected Connecticut residents.
The name and contact information of person reporting the breach, and name and address of the business that experienced the breach, along with the type of business should also be provided.
The office should also be informed as to whether credit monitoring or identity theft protection services has been or will be offered to affected Connecticut residents, as well as a description and length of such services. As of October 2018, the required minimum length of credit monitoring is 24 months.
The Privacy and Data Security Department within the Attorney General’s Office handles matters related to the protection of Connecticut residents' personal information and data. The Department enforces state laws governing notification of data breaches, safeguarding of personal information, and protection of social security numbers and other sensitive information.
In addition, this Department provides the Attorney General with advice and counsel on proposed legislation and other matters regarding privacy and data security, and it engages in extensive outreach to citizens and businesses on matters relating to data protection and privacy, according to the Attorney General’s Office.
Governor Ned Lamont signed legislation this summer, approved by the 2021 state legislature and supported by the state’s business community, that would protect businesses from punitive damages if personal or restricted information is improperly accessed, maintained, communicated, or processed, so long as such businesses have adopted and adhered to appropriate cybersecurity measures. It does not diminish other important legal rights and actions that individuals and businesses can take after a cyber breach, according to the Governor’s office.
The legislation is Public Act 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses goes into effect on October 1, 2021.
“Trust and security are at the heart of the relationship between businesses, residents, and their digital government,” Mark Raymond, Connecticut’s chief information officer, said when the legislation was signed into law.
“Investing in cybersecurity is an expensive decision that requires a company to dedicate time, staffing, and financial resources to be successful,” added Eric Gjede, vice president of government affairs for the Connecticut Business and Industry Association (CBIA). “This legislation is critical for protecting our most vulnerable industries from the increasing threat of cyberattacks.”
According to a 2018 CBIA survey, nearly one-quarter of Connecticut businesses experienced a data breach or cyberattack in the previous two years. And 90% of those were small businesses with less than 100 employees.
Testifying in support of the legislation earlier this year, Curtis W. Dukes, Executive Vice President & General Manager, Security Best Practices of the nonprofit Center for Internet Security, Inc., described Connecticut’s approach as “a creative way to protect its citizens and organizations from cyber attacks.”
He added: “Cybersecurity is, largely, unregulated today. There is no national statutory minimum standard of information security. This condition makes it difficult to improve cybersecurity on a wholesale basis. Until there is a national legal standard, we are in a period where organizations must voluntarily adopt cyber best practices--the Wild, Wild, West. The result: We are not as safe as we could be.”