Data breach bill hits governor’s desk in Connecticut

If Connecticut Gov. Dan Malloy signs SB 949, new requirements on businesses in the state for data breaches will go into effect.

After a number of high-profile data breaches affected customers in the Connecticut, the state Legislature sent a bill to the governor’s desk that would provide greater consumer protections after breaches.

According to the Hartford Courant, which spoke with a spokesman for Gov. Dannel Malloy, the governor will sign the legislation into law.

The bill, if signed, would require greater assurances around data security for any person who contracts with the state and anyone who does business within the state’s borders. The bill would also require at least a year of free identity theft protection for any customer who is a victim of a data breach that compromises confidential information, such as a Social Security number or a person’s name.

Under the proposed law, businesses would be required to notify victims within 90 days of a cyber attack or data breach that comprised personally identifiable or financial information. Under Connecticut’s current law, businesses must notify consumers “without unreasonable delay,” but no specific timeline for post-breach action exists. Businesses also are not currently required to provide identity theft protection.


Connecticut Attorney General George Jepsen said in a statement that the new law’s requirement for at least one year of identity theft protection “sets a floor for the duration of the protection and does not state explicitly which features the free protection must include.”

“I continue to have the enforcement authority to seek more than one year’s protection — and to seek broader kinds of protection — where circumstances warrant,” Jepsen said. “Indeed, in matters involving breaches of highly sensitive information, like Social Security numbers, my practice has been to demand two years of protections. I intend to continue that practice.”

Jepsen also said the 90-day notification requirement does not limit his ability to pursue companies that “unduly delay notifying those whose data has been compromised or my office.”

Earlier this year, in February, Anthem Inc. acknowledged a breach that had compromised the personal data of tens of millions of people across the U.S. In Connecticut, more than 1.7 million people, who were current and past members of Anthem’s health insurance plans, were affected.

Read more at the Hartford Courant.

Latest Podcasts