On October 1, 2008, a new Connecticut law will impose additional obligations on companies and individuals that possess personal information belonging to third parties. The law establishes general safeguarding and disposal requirements applicable to all personal information and, more particularly, requires companies and individuals that collect Social Security numbers in the ordinary course of business to create, publish and comply with privacy protection policies. The law applies to all companies and individuals doing business in Connecticut, and could extend to non-resident corporations who solicit information from Connecticut consumers. Businesses and individuals who intentionally violate the law will face civil penalties up to $500,000.

Public Act Number 08-167 significantly expands data management obligations on businesses that have remained, for the most part, unregulated in this area. The law could apply to retailers, landlords, employers and service providers who thus far have had to comply only with sector-specific legislation such as the Gramm-Leach-Bliley Act, HIPAA and the Fair Credit Reporting Act.

The new law’s obligations are threefold:

1. Any company or individual that collects Social Security numbers in the ordinary course of business will be required to create a privacy protection policy. The policy must be published or publicly displayed. The policy must:

  • protect the confidentiality of Social Security numbers,
  • prohibit unlawful disclosure of Social Security numbers and
  • limit access to Social Security numbers.

A party may comply with the public display requirement by posting the policy on a web page, but alternative publication may sometimes be more appropriate. For example, it would be prudent for a business that solicits Social Security numbers through the mail to reference its privacy policy in the mailed solicitation.

2. The law imposes a broad safeguarding duty on any company or individual in possession of the personal information of others, whether maintained in paper or electronic form. The law defines “personal information” to include Social Security numbers, drivers’ license numbers, state identification card numbers, account numbers, credit or debit card numbers, passport numbers, alien registration numbers and health insurance identification numbers. This list is not exhaustive, however. The statute defines “personal information” as “information capable of being associated with a particular individual through one or more identifiers.” This suggests that information such as medical records or possibly even cellular phone numbers may be included.

The legislation does not elaborate on the duty to safeguard, but Federal Trade Commission guidance on similar legislation suggests that safeguarding is an ongoing process. To fully comply, businesses may be required to risk-classify the types of personal information they collect, process, transmit and discard. Based upon the risk classification of each element of personal information, businesses may have to implement and periodically review data security policies in order to assure that the information is subject to appropriate administrative, technical and physical safeguards.

3. The law addresses the disposal of data, computer files and documents containing personal information. A party must destroy, erase or otherwise make the information unreadable before disposing of it. Under the law, erasing hard drives and other electronic media may not be sufficient, since erasure does not guarantee that electronic information is no longer recoverable. Instead, more effective data destruction methods, such as physical shredding of electronic media and paper, may be advisable.

Through this new law, Connecticut is taking a lead role in a movement away from sector-specific data protection legislation and towards generalized, wholesale requirements on all companies and individuals who possess the personal information of others. Though other states have enacted legislation pertaining to personal data security, relatively few states impose general safeguarding requirements on businesses, and even fewer require a privacy policy. As legislation in this area proliferates, it will be important for businesses to keep track of the steps they have taken under the law so that they may proactively adopt policies and procedures to remain in compliance.

With the passage of this new law, as of October 1, 2008, virtually every company doing business in Connecticut will be required to implement a program to safeguard personal information and publish a privacy policy for the protection of Social Security numbers. The period leading up to the effective date is an excellent opportunity for Connecticut-based employers to conduct a company-wide audit of their privacy policies (and their Internet terms of use). At the very least, however, we urge our clients to take the necessary steps to ensure they comply with their new legal obligations under Public Act Number 08-167.