For nearly a decade, the Connecticut Attorney General (“AG”) has requested or encouraged companies to provide at least two years of free credit monitoring to Connecticut residents following breaches involving information relating to those individuals. On June 11, 2015, Connecticut Governor Malloy signed into law a bill (“SB 949”) that will actually require companies to offer free credit monitoring to Connecticut residents. Connecticut thus joins California, and the two are now the only states with some form of credit monitoring requirement for breaches.
Specifically, effective October 1, 2015, SB 949 will require a company that experiences a noticeable breach involving a Connecticut resident’s name and Social Security number (“SSN”) to offer that individual, at no cost, “appropriate identity theft prevention services and, if applicable, identity theft mitigation services” for a period of not less than one year. For such a breach, SB 949 will require that the notice to the Connecticut resident include information on how to enroll in the free service, as well as information on how the individual can place a credit freeze on her credit file (similar to the Massachusetts breach law).
SB 949 also amends the law’s existing requirement that a company provide notice of a breach “without unreasonable delay.” Specifically, the amendment specifies that such notice must be provided no “later than 90 days after the discovery of the breach, unless a shorter time is required under federal law.” This amendment is odd because the few states that actually specify a maximum time period for notice have typically elected far shorter timeframes (e.g., Florida requires notice no later than 30 days following the determination that a breach has occurred). Nonetheless, in a press release issued by the Connecticut AG regarding SB 949, the AG cautioned that the bill sets an “outside limit” for the timing of notification and that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.” In this regard, the AG stated that he intends “to continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification – even if notification is provided less than 90 days after discovery of the breach” (emphasis added).
The big news in this amendment is the requirement to provide free identity theft prevention services for SSN breaches. Even though not legally required in the overwhelming majority of states, free credit monitoring has become a common practice, particularly for breaches involving SSNs and increasingly for high-profile breaches. With this backdrop in mind, the scope of the Connecticut amendment is surprisingly narrow.
First, the offer of free identity theft prevention services will only be required for breaches involving SSNs. That is, an offer of free identity theft prevention services will not be required for breaches involving other types of covered personal information, such as driver’s license numbers and payment card information. This approach endorses a position that many companies have long held—that credit monitoring is appropriate only when the breach creates an actual risk of new account identity theft (as opposed to fraud on existing accounts). However, unlike the California law, the Connecticut law will not require that companies offer free credit monitoring for breaches involving driver’s license numbers.
In addition, the offer of free identity theft prevention services will only be required for a period of one year. The Connecticut AG, however, has typically requested that companies offer at least two years (and sometimes more) of free credit monitoring for SSN breaches. The Connecticut AG strongly reiterated this point in his press release regarding SB 949. Specifically, the AG stated that SB 949 “sets a floor for the duration of the protection and does not state explicitly what features the free protection must include.” In this regard, the AG highlighted his belief that his enforcement authority allows him “to seek more than one year’s protection – and to seek broader kinds of protection – where circumstances warrant.” More bluntly, the Connecticut AG stated that for “matters involving breaches of highly sensitive information, like [SSNs], my practice has been to demand two years’ of protections,” and he “intend[s] to continue to that practice.”