Reporting a Breach of Security Involving Computerized Data

 

Who must provide notice and to whom is it provided?

Any person who experiences a breach of security involving computerized data is required to provide notice to the Office of the Attorney General in addition to the state residents who may be affected.  

Pursuant to Connecticut General Statutes § 36a-701b, any person who owns, licenses or maintains computerized data that includes personal information is required to disclose a security breach to state residents whose personal information is believed to have been compromised.  Note that “any person” includes companies.

When does notice have to be provided?

Notice to consumers must be made without unreasonable delay, and as of October 1, 2021, no later than sixty (60) days from discovery of the breach. See Public Act No. 21-59.

Additionally, notice to the Office of the Attorney General must be provided no later than when residents are notified. Pursuant to Connecticut General Statutes § 36a-701b(g), failure to provide such notice shall constitute a violation of the Connecticut Unfair Trade Practices Act (CUTPA). 

Is anything required in addition to notice?

Yes – if a Connecticut resident’s Social Security number is believed to have been compromised in the data breach, we require that they be offered 24 months of credit monitoring services. As of October 1, 2021, this requirement extends to breaches involving Taxpayer Identification Numbers. See Conn. Gen. Stat. § 36a-701(b)(2)(B) as amended by Public Act No. 21-59.

How should notice be provided to the Office of the Attorney General?

To assist business owners in complying with this requirement, the Office of the Attorney General has a dedicated email address for reporting: ag.breach@ct.gov

To simplify the process and minimize the need for the Office of the Attorney General to request additional information, please include the following in any breach notification:

  • Name and contact information of person reporting the breach.
  • Name and address of business that experienced the breach, and the type of business.
  • A general description of the breach, including the date(s) of the breach, when and how the breach was discovered, and any remedial steps taken in response to the breach.
  • The number of Connecticut residents affected by the breach.
  • A detailed list of the categories of personal information subject of the breach.
  • The date(s) that notification was/will be sent to the affected Connecticut residents.
  • A template copy of the notification sent to the affected Connecticut residents.
  • Whether credit monitoring or identity theft protection services have been or will be offered to affected Connecticut residents, as well as a description and length of such services.
  • Whether the notification was delayed due to a law enforcement investigation (if applicable).