Reporting a Breach of Security Involving Computerized Data
Who must provide notice and to whom is it provided?
Any person who experiences a breach of security involving computerized data is required to provide notice to the Office of the Attorney General in addition to the state residents who may be affected.
Pursuant to Connecticut General Statutes § 36a-701b, any person who owns, licenses or maintains computerized data that includes personal information is required to disclose a security breach to state residents whose personal information is believed to have been compromised. Note that “any person” includes companies.
When does notice have to be provided?
Notice to consumers must be made without unreasonable delay, and as of October 1, 2021, no later than sixty (60) days from discovery of the breach. See Public Act No. 21-59.
Additionally, notice to the Office of the Attorney General must be provided no later than when residents are notified. Pursuant to Connecticut General Statutes § 36a-701b(g), failure to provide such notice shall constitute a violation of the Connecticut Unfair Trade Practices Act (CUTPA).
Is anything required in addition to notice?
Yes – if a Connecticut resident’s Social Security number is believed to have been compromised in the data breach, we require that they be offered 24 months of credit monitoring services. As of October 1, 2021, this requirement extends to breaches involving Taxpayer Identification Numbers. See Conn. Gen. Stat. § 36a-701(b)(2)(B) as amended by Public Act No. 21-59.
How should notice be provided to the Office of the Attorney General?
The Office of the Attorney General now has a simple, fillable online form to submit a breach notification, located here
Completing and submitting this online form is the Office’s preferred method for receiving notice about a data breach. It is designed to address the most common questions we have and should therefore reduce our need to contact you for additional information.
Before filling out this form, here’s what you need to know:
- The system cannot save your form, so please complete it in one sitting. To prepare, you can preview the form here
- If you need to return to a previous page, click the green “BACK” button at the bottom of each page. Do not hit the “back” arrow on your browser or your submission will be cleared.
- If you experienced more than one breach, please submit a separate data breach notice for each.
What happens after I submit my completed Data Breach Notice form?
You will receive a confirmation email that your notice was successfully submitted along with a summation of your filing. You will receive a subsequent e-mail providing a case number for reference in any future communications regarding the breach, including if you need to update, amend, or supplement your submission. All case numbers begin with PR followed by seven digits (e.g. PR1234567).
What should I do if I have previously submitted a data breach notification form and wish to update, amend or supplement my submission?
Please send an email to email@example.com to provide your update and include the reporting entity’s name and your case number in the subject line. If there are any follow-up questions or concerns, a staff member with the Office of the Attorney General’s Privacy and Data Security Section will contact you.
Who should I contact with questions or feedback about this form?
If you have any questions or comments about this form or if you have any questions about providing notice to our office, please send an email to firstname.lastname@example.org. Please include a relevant subject line (e.g. comments on data breach notice form, data breach question, etc.) in your email.