Reporting a Breach of Security Involving Computerized Data
Who must provide notice and to whom is it provided?
Connecticut state law requires any person who conducts business in the state and experiences a breach of security involving computerized data to provide notice to the Office of the Attorney General in addition to state residents who may be affected.
Pursuant to Connecticut General Statutes § 36a-701b, anyone who conducts business in Connecticut and who– in the ordinary course of business– owns, licenses or maintains computerized data that includes personal information is required to disclose a security breach to state residents whose personal information is believed to have been compromised. Notice to consumers must be made without unreasonable delay but not later than ninety days from discovery of the breach.
Additionally, business owners must notify the Office of the Attorney General no later than when the affected residents are notified. Failure to provide such notice may be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA).
How should notice be sent to the Office of the Attorney General?
To assist business owners in complying with this requirementTo assist business owners in complying with this requirement, the Office of the Attorney General has a dedicated email address for reporting: ag.breach@ct.gov. To simplify the process and minimize the need for the Office of the Attorney General to request additional information, please include the following in any breach notification:
- Name and contact information of person reporting the breach.
- Name and address of business that experienced the breach, and the type of business.
- A general description of the breach, including the date(s) of the breach, when and how the breach was discovered, and any remedial steps taken in response to the breach.
- The number of Connecticut residents affected by the breach.
- A detailed list of the categories of personal information subject of the breach.
- The date(s) that notification was/ will be sent to the affected Connecticut residents.
- A template copy of the notification sent to the affected Connecticut residents.
- Whether credit monitoring or identity theft protection services has been or will be offered to affected Connecticut residents, as well as a description and length of such services.*
- Whether the notification was delayed due to a law enforcement investigation (if applicable).
*Please note that, effective October 1, 2018, the required minimum length of credit monitoring is now twenty-four months. See Conn. Gen. Stat. § 36a-701(b)(2)(B).