Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: No later than 60 days
Government Notification Required: Yes
Scope of This Summary:
Notification requirements applicable to any persons who conduct business in the state and own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if, after appropriate investigation and consultation with relevant federal, state, and local law enforcement, the covered entity reasonably determines the breach will not likely result in harm to affected residents.
Unauthorized access to or acquisition of covered info.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or secured by other methods that render it unreadable or unusable.
Form of Covered Information
An individual's first name or first initial and last name in combination with any one or more of the following data elements:
- Social Security number.
- Taxpayer identification number.
- Identity protection personal identification number issued by the United States Internal Revenue Service.
- Driver's license number, state identification card number, passport number, military identification number or other identification number issued by the government that is commonly used to verify identity.
- Credit or debit card number.
- Financial account number in combination with any required security code, access code or password that would permit access to such financial account.
- Medical information, meaning any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional.
- Health insurance information, meaning an individual's health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual.
- Biometric information, meaning data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain the individual's identity, such as a fingerprint, voice print, retina or iris image.
- Username or email address in combination with a password or security question and answer that would permit access to an online account.
- Precise geolocation data (effective Oct. 1, 2023).
Consumer Notice Timing
Must be made without unreasonable delay but no later than 60 days after the discovery of the breach, unless a shorter time is required under federal law, subject to completion of an investigation to determine the nature and scope of the incident, to identify those affected, or to restore the reasonable integrity of the system.
Consumer Notice Method
By written notice, telephone notice, or electronic notice if it is consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
If Social Security numbers are breached or reasonably believed to have been breached, must offer appropriate identity theft prevention and, if applicable, mitigation services at no cost to the resident for not less than 24 months, as well as information on how the resident can place a credit freeze.
Notification may be delayed if law enforcement determines that notice will impede a criminal investigation and law enforcement requests notification be delayed.
Covered entity must also provide notice to the Connecticut Attorney General no later than the time notice is provided to the resident.
Consumer Reporting Agency Notice
The Connecticut general breach notification and insurance data security statutes do not require notification to credit reporting agencies.
Exceptions for Other Laws
A covered entity will be deemed compliant with the statute if, in the event of a breach, the covered entity complies with the breach notification requirements of its functional regulator as defined by the Gramm-Leach-Bliley Act at 15 U.S.C. 6809(2) and notifies affected residents of a breach in accordance with those requirements.
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of breach.
Private Right of Action
The Connecticut general breach notification statute does not provide for a private right of action.
Violations may result in civil penalties.