While the federal government attempts to move forward with a more uniform national law, Connecticut has joined California, Colorado, Utah, and Virginia in passing a comprehensive consumer privacy law.
The legislation, signed by Connecticut’s governor in May 2022, will take effect on July 1, 2023. However, provisions related to a task force to be convened by the state legislature take effect immediately, and the task force is charged with studying issues that include information-sharing among health care providers, algorithmic decision-making, and possible legislation regarding children’s privacy.
While businesses consider how to comply with Connecticut’s new privacy law, they should also take into account some of the data protection laws already in effect in the state. The following is an overview of just some of the other privacy laws to keep in mind.
Obligation to Safeguard Personal Information
Connecticut law already obligates businesses possessing personal information to safeguard the data, computer files, and documents containing the information from misuse by third parties. The term “personal information” under this law means information capable of being associated with a particular individual through one or more identifiers, including a Social Security number, driver’s license number, state identification card number, account number, credit or debit card number, passport number, alien registration number or health insurance identification number.
This law requires businesses that collect Social Security numbers (SSNs) to create and publish a policy that protects the confidentiality of SSNs, prohibits unlawful disclosure of SSNs, and limits access to SSNs.
It also requires businesses to “destroy, erase or make unreadable such data, computer files and documents prior to disposal.” For this reason, a record retention policy should address not only how long personal information should be retained, but also a secure process for destroying it once the retention period has expired.
Data Breach Notification Law
When the safeguards contemplated above fail to prevent an unauthorized access or acquisition of computerized personal information, Connecticut’s breach notification law is triggered. This law was updated and enhanced in 2021 by An Act Concerning Data Privacy Breaches.
People who own, license or maintain computerized personal information and experience a breach of security involving such information may be required to notify affected Connecticut residents. This law provides a more specific definition of personal information – an individual’s first name or initial and last name in combination with any one or more of the following:
- Social security number.
- Driver’s license number or state identification card number.
- Financial account number in combination with any required security code, access code or password.
- Credit or debit card number.
- Individual taxpayer identification number.
- Identity protection personal identification number issued by the IRS.
- Passport number, military identification number, or other identification number issued by the government.
- Medical information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.
- Health insurance policy number or subscriber identification number.
- Biometric information, such as a fingerprint, voice print, retina or iris image.
- Username or email address in combination with a password or security question and answer.
In general, notice must be given to affected residents and to the Connecticut Attorney General without unreasonable delay, and no later than 60 days after discovery of the breach. Notification is not required, however, if, after an appropriate investigation, the business reasonably determines that the breach will not likely result in harm to the individuals whose personal information was acquired or accessed. If notification is required and the breach involved a resident’s SSN or taxpayer identification number, the business must offer the resident “appropriate identity theft prevention services” for no less than 24 months.
In the unfortunate event that a business experiences a breach of security potentially affecting Connecticut residents, it will need to carefully consider these and other provisions of the law.
The long and short of the requirements above, which also exist in many other states, is that businesses need a comprehensive, written information security program, which includes robust incident response and record retention and destruction plans.
Jason C. Gavejian and Joseph J. Lazzarotti are lawyers with Jackson Lewis in Berkeley Heights, N.J. © 2022. All rights reserved. Reprinted with permission.