This past Monday, Connecticut legislators voted unanimously to approve two new changes to Connecticut’s breach notification law. Senate Bill 949 will require businesses to (1) provide at least one year of identity theft protection to Connecticut residents affected by a data breach, and (2) report all data breaches to impacted residents and the Connecticut Attorney General within 90 days of discovery. The bill is now before Connecticut Governor Dannel P. Malloy who can either sign the bill or take no action for it to become law. If the bill becomes law, it is expected to take effect October 1, 2015.
While complimentary identity theft protection is often provided to affected consumers by companies following a breach, Connecticut’s amendment, if it becomes law, would make it the first state to require companies to provide it. In addition, the amendment would make Connecticut one of only six states (joining Florida, Iowa, Louisiana, Vermont, and Washington) to set a fixed time frame for regulator notification.
Connecticut will join four other states who have made significant updates to breach notification laws this year. Montana, North Dakota, Nevada, and Washington have all enhanced protections for consumers by enacting new breach notification laws slated to take effect before the fall. This trend suggests that legislatures will continue to modify data breach notification laws as more and more states enact robust data breach legislation.