The Office of the Attorney General William Tong

Reporting a Data Breach

Pursuant to Conn. Gen. Stat. § 36a-701b, any person who owns, licenses or maintains computerized data that includes personal information is required to disclose a security breach to the Office of the Attorney General and to state residents whose personal information is believed to have been compromised.  Note that “any person” includes companies.

Report a data breach using the Connecticut Attorney General’s online submission form here.

Below are answers to Frequently Asked Questions on data breach reporting obligations.

  • What does notice have to be provided?

    Notice to consumers must be made without unreasonable delay and no later than sixty (60) days from discovery of the breach. Additionally, notice to the Office of the Attorney General must be provided no later than when residents are notified. Pursuant to Conn. Gen. Stat. § 36a-701b(g), failure to provide such notice shall constitute a violation of the Connecticut Unfair Trade Practices Act (CUTPA). 

  • Is anything required in addition to notice?

    Yes—if a Connecticut resident’s Social Security number or Taxpayer Identification Number is believed to have been compromised in the data breach, Connecticut law requires that the resident be offered 24 months of credit monitoring services. See Conn. Gen. Stat. § 36a-701(b)(2)(B).

  • How should notice be provided to the Office of the Attorney General?

    The Office of the Attorney General now has a simple, fillable online form to submit a breach notification, located here. Completing and submitting this online form is the Office’s preferred method for receiving notice about a data breach. It is designed to address the most common questions we have and reduces our need to contact you for additional information. Before filling out this form, here’s what you need to know:

    • The system cannot save your form, so please complete it in one sitting. To prepare, you can preview the form here.
    • If you need to return to a previous page, click the green “BACK” button at the bottom of each page. Do not hit the “back” arrow on your browser or your submission will be cleared.
    • If you experienced more than one breach, please submit a separate data breach notice for each.
  • What happens after I submit my completed Data Breach Notice form?
    You will receive a confirmation email that your notice was successfully submitted along with a summation of your filing. You will receive a subsequent e-mail providing a case number for reference in any future communications regarding the breach, including if you need to update, amend, or supplement your submission. All case numbers begin with PR followed by seven digits (e.g. PR1234567).
  • What should I do if I have previously submitted a data breach notification form and wish to update, amend or supplement my submission?

    Please send an email to ag.breach@ct.gov to provide your update and include the reporting entity’s name and your case number in the subject line. If there are any follow-up questions or concerns, a staff member with the Office of the Attorney General’s Privacy and Data Security Section will contact you. 

  • Who should I contact with questions or feedback about this form

    If you have any questions or comments about this form or if you have any questions about providing notice to our office, please send an email to ag.breach@ct.gov. Please include a relevant subject line (e.g. comments on data breach notice form, data breach question, etc.) in your email.