On 1 July 2015, the US state of Connecticut became the first state to affirmatively require businesses to provide certain security services to consumers by putting into law Public Act No. 15-142 "Improving Data Security and Agency Effectiveness" (the Act). The Act builds on previous data protection measures by:
- expanding the definition of personal information to include biometric fingerprints, retina scans and voice prints;
- requiring notice to be given to affected individuals and the Connecticut Attorney General within 90 days of a security breach, thus amending the state's data breach notification law;
- requiring all businesses to offer one year of identity theft prevention services to affected individuals at no cost to them; and
- requiring health insurers and contractors who receive personal information from state agencies to implement and maintain minimum data security safeguards such as:
  - protect confidential information (an individual's name, date of birth, mother's maiden name, motor vehicle operator's license number, social security number, employee number, alien registration number, passport number etc);
  - implement and maintain a comprehensive data-security program for the protection of confidential information;
  - limit access to confidential information to authorised contractor employees and agents;
  - maintain all electronic data constituting confidential information in a secure server, on a secure drive, behind firewall protections and in a restricted manner;
  - implement and maintain security and breach investigation procedures;
  - notify the state contracting agency and the Attorney General as soon as practical if there is a confidential information breach;
  - immediately cease all use of the data provided by the state contracting agency or developed internally if directed to do so; and
  - provide a report on any confidential information breach.