On October 1, 2008, a new Connecticut law will impose additional obligations on companies and individuals that possess personal information belonging to third parties. The law establishes general safeguarding and disposal requirements applicable to all personal information and, more particularly, requires companies and individuals that collect Social Security numbers in the ordinary course of business to create, publish and comply with privacy protection policies. The law applies to all companies and individuals doing business in Connecticut, and could extend to non-resident corporations that solicit information from Connecticut consumers. Businesses and individuals that intentionally violate the law will face civil penalties of up to $500,000.
Public Act Number 08-167 significantly expands data management obligations on businesses that have remained, for the most part, unregulated in this area. The law could apply to retailers, landlords, employers and service providers who thus far have had to comply only with sector-specific legislation such as the Gramm-Leach-Bliley Act, HIPAA and the Fair Credit Reporting Act.
The new law’s obligations are threefold:
1. Any company or individual that collects Social Security numbers in the ordinary course of business will be required to create a privacy protection policy. The policy must be published or publicly displayed. The policy must:
- protect the confidentiality of Social Security numbers,
- prohibit unlawful disclosure of Social Security numbers and
- limit access to Social Security numbers.
2. The law imposes a broad safeguarding duty on any company or individual in possession of the personal information of others, whether maintained in paper or electronic form. The law defines “personal information” to include Social Security numbers, drivers’ license numbers, state identification card numbers, account numbers, credit or debit card numbers, passport numbers, alien registration numbers and health insurance identification numbers. This list is not exhaustive, however. The statute defines “personal information” as “information capable of being associated with a particular individual through one or more identifiers.” This suggests that information such as medical records or possibly even cellular phone numbers may be included.
The legislation does not elaborate on the duty to safeguard, but Federal Trade Commission guidance on similar legislation suggests that safeguarding is an ongoing process. To fully comply, businesses may be required to risk-classify the types of personal information they collect, process, transmit and discard. Based upon the risk classification of each element of personal information, businesses may have to implement and periodically review data security policies in order to assure that the information is subject to appropriate administrative, technical and physical safeguards.
3. The law addresses the disposal of data, computer files and documents containing personal information. A party must destroy, erase or otherwise make the information unreadable before disposing of it. Under the law, simply erasing hard drives and other electronic media may not be sufficient, since deleting files or reformatting a drive typically removes only the references to the data, leaving the underlying contents on the media until they are overwritten, where they can be recovered with readily available tools. More effective data destruction methods, such as physical shredding of electronic media and paper, may therefore be advisable.