A bill currently before Connecticut Governor Dannel P. Malloy would make the state the first in the nation to require identity theft protection for data breach victims. Senate Bill 949 was approved by both the Connecticut Senate and House on June 1, 2015. If passed, it would amend existing state law to require companies to provide at least one year of free identity theft protection to victims of data breaches involving personal information. The law does not explicitly state the type of protections businesses must offer. Connecticut Attorney General George Jepsen has stated he will continue to seek up to two years of identity theft protection for breaches of “highly sensitive information,” including Social Security numbers.

The law would also require businesses to notify affected Connecticut residents and the Connecticut attorney general within 90 days of discovery of a breach. This would clarify the existing law, which requires companies to notify victims only “without unreasonable delay.” This would make Connecticut only one of six states (the others being Florida, Iowa, Louisiana, Vermont, and Washington) to explicitly state a time period for breach notification.

If passed, the law would go into effect October 1, 2015. Connecticut would be the fifth state to make significant changes to its data breach notification laws this year, following Montana, Nevada, North Dakota, and Washington.