Connecticut’s legislature has passed a bill that imposes strict new timing requirements for entities conducting business in the state that experience a data breach, which Governor Malloy reportedly intends to sign into law. Senate Bill 949, An Act Improving Data Security and Agency Effectiveness (“Act”), would require those entities conducting business in the state that own or license the personal information of a Connecticut resident to offer each resident free identity theft protection services for at least one year following a data breach. The current law does not set any threshold for how long a business should offer identity theft protection. In addition, although Connecticut’s existing data breach law requires notice to consumers “without unreasonable delay,” that law does not impose any specific deadline for notices. The Act would add to the “unreasonable delay” standard a requirement that consumer notice be given not later than ninety (90) days from discovery of the breach that compromised confidential information.
Connecticut Attorney General George Jepsen commented on the bill’s passage in a statement, stating that the ninety-day notice requirement is an “outside limit for notification” and that his office “intend[s] to continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification – even if notification is provided less than 90 days after discovery of the breach.” The Attorney General also stated that the one-year identity theft protection is a “floor for the duration of the protection.”
In addition to the new timing requirement, the Act adds enforcement provisions, empowering the Attorney General to investigate potential violations by state contractors and to bring a civil action in court for violations. Other provisions of the bill would require state contractors to notify the Attorney General of a breach not later than twenty-four (24) hours after the contractor has reason to believe that confidential information may have been subject to a breach.
Also, if the Act is signed into law, health insurers, health providers and third-party administrators will be required to implement several new requirements by October 2017. Specifically, these health-related entities must implement a comprehensive information security program for the protection of “personal information.” The program must “be in writing and contain administrative, technical and physical safeguards appropriate to the size of the company, the data involved, and situational needs.” Among other requirements, these businesses will need to designate an employee to oversee the program, conduct post-incident review of any breaches, implement specified technological safeguards, and annually certify to the Department of Insurance their compliance with the applicable security requirements of the Act.
A number of other states have recently passed bills to strengthen their breach notification laws or privacy protections.
The Illinois Senate and House approved a bill to include “consumer marketing information” as personal information in the state’s existing data breach law. The bill, drafted by the Illinois Attorney General, will require notification in the event of a breach of “information related to a consumer’s online browsing history, online search history, or purchasing history.”
In Oregon, Senate Bill 187, a student privacy bill, is pending a vote before the State House of Representatives. The bill aims to stop vendors from using their software to advertise to students or to collect and store students’ personal information.
The California State Senate approved a bill known as the California Electronic Communications Privacy Act (“Cal-ECPA”) that would require law enforcement in California to obtain a search warrant or wiretap order before searching a person’s smartphone, laptop or other electronic device or accessing information stored on remote servers.