Connecticut General Statute § 36a-701b
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
Yes! §36a-701b(a)(1) defines a breach as "unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable."
When is notice required?
Notice is required for all residents of Connecticut who were involved in, or reasonably believed to be involved in, the breach. Notice is to be given "without unreasonable delay but not later than ninety days after the discovery of such breach, unless shorter time is required by federal law..." There are exemptions for pending law enforcement investigations and for situations where the scope of the breach cannot be determined and/or the integrity of the system cannot be restored before the 90-day deadline. Notice is typically given via written, telephonic, or electronic means, but substitute notice is allowed for special circumstances. There are no requirements for the content of the notice.
What are the penalties for non-compliance?
Failure to comply with the statute "shall constitute an unfair trade practice" under Connecticut law. See §42-110b. The Attorney General has enforcement rights and private citizens may bring causes of action for violations of the statute. Private citizens may be awarded damages for actual losses as well as punitive awards.