We have been following proposed legislation to modify the Connecticut data breach notification law as it worked its way (unsuccessfully) through the 2012 General Session of the legislature. To our surprise, it has, nonetheless, been passed as part of the state’s General Assembly’s Special Session — included in the state’s Budget Bill as Section 130. The text of the Budget Bill linked in this blog post includes the marked changes to Section 36a-701b.
The revised version of Section 36a-701b, will be effective October 1, 2012, and requires the reporting of a “breach of security” to the Connecticut Attorney General. This is in addition to any other data breach reporting requirements that already exist under Connecticut’s data breach notification law, or promulgated by industry regulators (e.g., Connecticut Department of Insurance Bulletin IC-25). Failure to comply constitutes an unfair trade practice under Connecticut General Statutes Section 42-110b and is enforceable by the Attorney General. As we also reported in this space, last year the Connecticut Attorney General’s office announced that it has established a Privacy Task Force.