Legislative Alert: Enhanced Privacy Protections Signed Into Law in Connecticut

July 21, 2021

Connecticut is part of the steady stream of states enacting more complicated and demanding data privacy and cybersecurity laws in 2021. The state joins Colorado and California in adding both a new privacy law and a new cybersecurity law. In this post, we review the key elements of Connecticut's Act Concerning Data Privacy Breaches and its Act Incentivizing the Adoption of Cybersecurity Standards for Businesses.

By: Shelly Hall & Richard W. Goldberg

More Privacy Provisions - An Act Concerning Data Privacy Breaches 

The Connecticut legislature approved An Act Concerning Data Privacy Breaches (the Privacy Act) earlier this year. The “Statement of Purpose” for the Privacy Act is “[t]o expand the data privacy breach notification statute to protect consumers.” The Privacy Act was championed by Connecticut’s Attorney General and signed into law by Governor Ned Lamont on June 16, 2021. The new law, typical of all recent similar legislation, adds new burdens for organizations suffering data security incidents. 

The Privacy Act expanded the category of “personal information” to include:

  • individual taxpayer identification number;
  • identity protection personal identification number issued by the Internal Revenue Service;
  • passport number;
  • military identification number;
  • other identification number issued by the government that is used to verify identity;
  • medical information regarding an individual's medical history, mental or physical condition or medical treatment or diagnosis by a health care professional;
  • health insurance policy number or subscriber identification number;
  • any unique identifier used by a health insurer to identify the individual;
  • biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics and used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina or iris image; and
  • user name or electronic mail address, in combination with a password or security question and answer that 

The Privacy Act also shortens the notification window from 90 days to 60 days. However, Connecticut law still provides for “the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system.” 

An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses

In addition, Connecticut’s legislature approved An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses (the Cybersecurity Act), which was signed into law on July 6, 2021. The Statement of Purpose for the Cybersecurity Act is “[t]o incentivize the adoption of cybersecurity standards for businesses by allowing businesses that adopt certain cybersecurity framework to plead an affirmative defense to any cause of action that alleges that a failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.”

The Cybersecurity Act protects a business from punitive damages in litigation “if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework…” The Cybersecurity Act provides the following examples of acceptable frameworks: 

  • The Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology; 
  • The National Institute of Standards and Technology's special publication 800-171; 
  • The National Institute of Standards and Technology's special publications 800-53 and 800-53a; 
  • The Federal Risk and Authorization Management Program's FedRAMP Security Assessment Framework; 
  • The Center for Internet Security's Center for Internet Security Critical Security Controls for Effective Cyber Defense; or 
  • The ISO/IEC 27000-series information security standards published by the International Organization for Standardization and the International Electrotechnical Commission.

A business that builds its cybersecurity program on one of these frameworks must keep up with any updates issued to that framework and revise its program within six months of those updates. 

Preparing for the Privacy and Cybersecurity Acts in Connecticut 

Businesses with operations in the Constitution State should be proactive in ensuring compliance with the Privacy Act by reviewing the information they store and the measures taken to protect that information. One relatively easy task for businesses is to take the time to destroy old and useless data. Businesses must also recognize that the categories of regulated data are constantly expanding, so continuing to store data merely because it is not regulated now may lead to problems down the road when the next act is passed. In addition, businesses can obtain some protection from liability for privacy violations by creating a cybersecurity program in accordance with the Cybersecurity Act now. 

Lewis Brisbois’ Data Privacy & Cybersecurity Team has considerable experience advising businesses on such matters and working closely with the senior leadership of organizations to craft appropriate policies and procedures to ensure compliance with all state and federal data security regulations. 

For more information on these Acts, contact the authors of this post. You can also subscribe to this blog to receive email alerts when new posts go up. Visit our Data Privacy & Cybersecurity Practice page to learn more about this team’s capabilities.