On 1 July 2015, the US state of Connecticut became the first state to affirmatively require businesses to provide certain security services to consumers by putting into law Public Act No. 15-142 "Improving Data Security and Agency Effectiveness" (the Act). The Act builds on previous data protection measures by:

  • expanding the definition of personal information to include biometric fingerprints, retina scans and voice prints;
  • requiring notice to be given to affected individuals and the Connecticut Attorney General within 90 days of a security breach, thus amending the state's data breach notification law;
  • requiring all businesses to offer one year of identity theft prevention services to affected individuals at no cost to them; and
  • requiring health insurers and contractors who receive personal information from state agencies to implement and maintain minimum data security safeguards, such as requirements to:
    • protect confidential information (an individual's name, date of birth, mother's maiden name, motor vehicle operator's license number, social security number, employee number, alien registration number, passport number, etc.);
    • implement and maintain a comprehensive data-security program for the protection of confidential information;
    • limit access to confidential information to authorised contractor employees and agents;
    • maintain all electronic data constituting confidential information in a secure server, on a secure drive, behind firewall protections and in a restricted manner;
    • implement and maintain security and breach investigation procedures;
    • notify the state contracting agency and the Attorney General as soon as practical if there is a confidential information breach;
    • immediately cease all use of the data provided by the state contracting agency or developed internally if directed to do so; and
    • provide a report on any confidential information breach.
