In the wake of several high profile data breaches, the Connecticut legislature has passed a new statute that mandates credit monitoring for affected Connecticut residents as a remedy for such breaches. Governor Dannel Malloy signed the law, which amends and updates the state's current data security statute, on June 11. It will go into effect on October 1, 2015.
Previously, the Attorney General's office merely sent a "request" for companies who had suffered a data breach to provide at least two years of credit monitoring or identity protection to affected Connecticut residents. The new law, Public Act 15-142, nowrequires that Connecticut residents who have had their personal "confidential information" stolen receive identity theft prevention services for free, for at least one year after the breach. Residents must receive notice of the breach no later than ninety days after its discovery, along with information on how to place a freeze on their credit files. Attorney General George Jepsen has stated that these standards are the bare minimum required. The ninety day limit is an "outside limit", and his office will continue to "demand two years of protections" when it believes it necessary.
The statute also requires all companies who hold personal confidential information to protect that information in specific ways. For example, companies must maintain the confidential data in a secure server, on secure drives, behind firewall protections and monitored by intrusion detection software, and in a manner which restricts access to authorized personnel only. Encryption of all personal information is mandatory.
On a federal level, the Data Security and Breach Notification Act of 2015 is currently being considered by Congress. This act seeks to "replace the current patchwork of laws with a single, national standard for protection and notification." But opponents worry that it is too lax, and that it will preempt more comprehensive and rigorous state standards, such as those implemented by Connecticut.
Law Clerk Alison Siedor (Siedor@raymondlawgroup.com) contributed to this post.