On June 11, Connecticut SB949 became a Public Act, after being passed by both chambers of the state legislature. Governor Dannel Malloy can now either sign the bill or take no action for it to become law. SB949 will, among other provisions, require companies that experience a security breach requiring notice to individuals under Connecticut law and involving the individual’s Social Security Number to offer “applicable identity theft prevention services, and, if applicable, identity theft mitigation services” at no cost for at least twelve months. This requirement will take effect on October 1, 2015. In 2014, California’s legislature attempted to pass a similar requirement, but the bill that passed requires only that identity theft prevention and mitigation services, when offered, be offered for a period of at least twelve months.
In addition to the requirement to provide identity theft prevention and mitigation services, the Connecticut bill codifies a hard deadline to provide notice of security breaches to the affected individuals of not later than ninety days after the discovery of the breach, unless an exception applies or a shorter time is required by another federal law.
Companies should not view the 90-day deadline as a safe harbor, however. The same day that SB949 was passed by Connecticut’s House of Representatives, Attorney General George Jepsen issued a statement with his thoughts on both the notification deadline and the requirement for identity theft mitigation services. “We intend to continue to scrutinize breaches and to take enforcement action against companies who unreasonably delay notification – even if notification is provided less than 90 days after discovery of the breach.”
Similarly, with respect to identity theft mitigation services, Jepsen stated that the twelve-month duration should be considered a floor, not a ceiling. “I continue to have enforcement authority to seek more than one year’s protection – and to seek broader kinds of protection – where circumstances warrant. Indeed, in matters involving breaches of highly sensitive information, like Social Security numbers, my practice has been to demand two years of protections. I intend to continue that practice,” Jepsen said.