Following a series of data security breaches involving the loss of record amounts of personal information, including one bank's reported loss of up to 10 unencrypted tapes containing names and Social Security numbers, the Connecticut legislature passed Connecticut Public Act No. 08-167 (House Bill No. 5658). Effective on October 1, 2008, the law requires any individual or business in possession of "Personal Information" of another person to (a) safeguard the data, computer files and documents containing that information from misuse by third parties, and (b) destroy, erase or make unreadable such data, computer files and documents prior to disposal. Insurers and other financial services firms must comply if they have customers or do business in Connecticut; being physically located in Connecticut is not a prerequisite for compliance.
Under the new law, "Personal Information" means information capable of being associated with a particular individual through one or more identifiers, including, but not limited to, a Social Security number, a driver's license number, a state identification card number, an account number, a credit or debit card number, a passport number, an alien registration number or a health insurance identification number, but does not include publicly available information that is lawfully made available to the general public from federal, state or local government records or widely distributed media.
Additionally, the law requires entities that collect Social Security numbers in the course of business to create and publish or publicly display a privacy protection policy which: (1) protects the confidentiality of Social Security numbers, (2) prohibits the unlawful disclosure of Social Security numbers, and (3) limits access to Social Security numbers.
There is no private cause of action for violations of the law. Only the Connecticut Department of Consumer Protection and certain other state agencies have the right to enforce the statute, which provides for civil penalties of $500 per violation, up to $500,000 for any single event. The new law does not, however, impose these penalties unless the violations were intentional.
Actions Required by October 1, 2008:
- Review current privacy policies to confirm compliance with the statute
- If not in compliance, develop a privacy protection policy that complies with the statute
- Publish or publicly display such privacy protection policy
- Implement the privacy protection policy, including a policy for safeguarding and destroying Personal Information as described in the statute
- As part of implementing the privacy protection policy, encrypt Personal Information and limit access to it as appropriate (the statute requires safeguarding and secure disposal; encryption and access restriction are the means of meeting that requirement)
- Confirm that the privacy protection policy conforms with all other federal and state privacy laws, rules and regulations that are applicable to your business