Photo of

New Data Breach Reporting Requirement to Connecticut Attorney General Passed as Part of Connecticut Legislature’s Budget Bill

Posted by Steven J. Bonafonte, June 15, 2012

For those of us who were watching this proposed legislation unsuccessfully move its way through the 2012 General Session, we see now that it was passed as part of the Connecticut General Assembly’s Special Session by attaching it as Section 130 of the Budget Bill.

The new statute, Section 36a-701b, will be effective October 1, 2012, and requires the reporting of a “breach of security” to the Connecticut Attorney General.  This is in addition to any other data breach reporting requirements that exist in the Connecticut Statutes or promulgated by industry regulators (e.g., Connecticut Department of Insurance Bulletin IC-25).   Failure to comply constitutes an unfair trade practice under Connecticut General Statutes Section 42-110b  and is enforceable by the Attorney General.

We continue to strongly advise that businesses have a system to monitor and adjust their internal data breach response policies and procedures in order to comply with these actively changing laws.   While special attention should be given to the domicile state, businesses must be aware that laws of other states may apply if they maintain or use personal information of residents of those states.   Additionally, these laws are increasingly providing for more active enforcement mechanisms that enable monetary damages or fines – both of which can be costly to defend and harmful to the brand reputation of the business if reported in the media.

Back to Top