On the heels of Vermont’s recent amendment to its data breach notification law (which we blogged about here), Connecticut’s legislature recently amended its own data breach notification law (Conn. Gen. Stat. § 36a-701b). The amended law will take effect on October 1, 2012.
While several of the changes to the law were non-substantive in nature and more for the sake of clarification, the amended law does impose what seems to be the new trend in data breach notification obligations: the requirement to notify the state attorney general.
Under newly added subsection (b)(2) of the statute, companies that are required to notify Connecticut residents of a data breach must also notify the Attorney General of Connecticut no later than the time when notice is provided to the residents (which, according to subsection (b)(1), must be made without unreasonable delay, subject only to delays resulting from law enforcement investigations and a company-conducted investigation to determine the nature and scope of the incident, identify the individuals affected, or restore the reasonable integrity of the underlying data system).