Press Releases

Attorney General William Tong

02/24/2020

Attorney General Tong Releases Testimony in Support of Update to Connecticut Data Breach Notification Statute

Attorney General William Tong today testified before the General Law Committee in support of Senate Bill 137, An Act Concerning Data Privacy Breaches. The bill, sought by the Office of the Attorney General, updates and strengthens Connecticut’s breach notification statute.

In 2005, Connecticut passed one of the nation’s first laws protecting consumers from online data breaches. Since then, technology and associated risks have evolved. The legislation seeks to broaden the definition of “personal information” to include additional categories such as medical information, online account information, passport numbers, military identification, and health insurance account numbers. The bill would also shorten the limit to which entities must notify individuals of a security breach from 90 days to 30 days, which is in line with recent amendments passed in other states.

Below is a copy of Attorney General Tong’s written testimony.

###

Senate Bill 137: An Act Concerning Data Privacy Breaches

Chairman D’Agostino, Ranking Member Cheeseman, Chairman Maroney, Ranking Member Witkos and distinguished members of the General Law Committee, thank you for the opportunity to testify before you today in strong support of SB 137, An Act Concerning Data Privacy Breaches.

In 2005, this legislature passed one of our nation’s first laws protecting consumers from online data breaches, and in doing so, made our state a national leader in data privacy. Since then, as technology and our understanding of the risks associated with living in an online world has evolved, dozens of other states have passed and updated their own data breach laws to keep up with that evolution. In 2019 alone, nine states passed new and expanded data breach notification laws. It is now time for Connecticut to catch up.

Senate Bill 137 updates Connecticut’s breach notification statute. It strengthens consumer protections by broadening the definition of “personal information,” shortening the time period to notify consumers and the Office of the Attorney General of a security breach from 90 to 30 days, and by improving notification procedures for security breaches involving the compromise of online account credentials.

Broadening the Definition of “Personal Information”

At the core of our breach notification statute, Section 36a-701b of the Connecticut General Statutes, is the definition of “personal information.” These definitional categories, or identifiers, are what trigger breach notice requirements and therefore determine whether our Office and affected individuals are alerted when their most sensitive information may have been compromised. Without such notice, our enforcement ability is diminished, and individuals may be unable to take timely steps to protect themselves from identify theft.

Connecticut’s current definition of “personal information” covers some of the most sensitive personal identifiers, including Social Security numbers and financial account information. However, this definition does not capture the full spectrum of information that may be used to perpetrate identity theft.

To ensure that our data breach notification statute is effective in protecting Connecticut residents against identity theft, the definition of “personal information” must be broadened to include additional categories of sensitive information. It must also be versatile enough to respond to new types of technology capable of exposing individuals to identity theft.

With this goal in mind, Section 1(a) expands the definition of “personal information” to include the following data elements: (1) a passport number, military identification number or government issued identification numbers; (2) an individual tax identification number (ITIN) and an identity protection personal information number (IP PIN); (3) medical information, including information about an individual’s mental health; (4) health insurance information; (5) biometric data; and (6) online account information.

Including these identifiers in the breach notification statute would require that our Office and Connecticut residents be notified when this information is compromised in a security breach. Notification will allow consumers to better protect themselves from identity theft, enable our Office to respond nimbly to consumers who seek our assistance, and ensure that we continue to play a leading role in any subsequent multistate investigations.

With respect to the added identifiers, it is important to once again note that we are playing catch-up with our sister states. For example, 21 states, including our neighbors New York and Rhode Island, already include “medical information” within their statutes’ definition of personal information. State Attorneys General have the authority to enforce HIPAA, the federal law that protects medical information, so it is vitally important that our Office receive notice of HIPAA breaches impacting Connecticut residents.

Similarly, with the advent of exploitation of online account credentials, it is no surprise that 18 states have already passed amendments to their breach notification statutes protecting this information. Online account information can be used to gain access to an individual’s most sensitive accounts, thereby exposing additional information that may enable an attacker to perpetrate identity theft.

Finally, biometric data is also of increasing importance. The uniquely personal nature of this information presents a heightened risk to individuals and offers tremendous value to cyber criminals.

Shortening Notification Time Period

Section 1(b)(1) shortens the outside limit in which entities subject to the statute must notify individuals of security breaches from 90 days to 30 days. The reduction of the outside limit to 30 days is in line with recent amendments to a number of other states’ data breach notification windows. For example, Washington recently shortened its notification timeframe from 45 days to 30 days, and Colorado and Florida also have 30-day notice deadlines.

Connecticut residents must be informed as quickly as possible when their information is at risk so that they may take the appropriate action to protect it. A three-month notification delay is no longer acceptable in today’s world—where an identity theft can take place in mere hours or days after compromise.

Improved Notification Procedures

Section 2(g) addresses notification procedures for security breaches involving online account credentials. Our current statute permits entities to provide individual notification electronically, which include notification via an online account—such as an e-mail address—that may have been compromised in the security breach. This bill would require entities to use an additional method of notification when an online account may have been compromised to ensure that impacted individuals are able to receive the notification. Ten states include similar specifications in their breach notification statutes. New York was the latest to implement such a requirement through its NY SHIELD law.

For all the foregoing reasons, I ask for your support of expanding consumer data protections through SB 137. Thank you once again for the opportunity to offer testimony and please do not hesitate to contact me with any questions or concerns.

Twitter: @AGWilliamTong
Facebook: CT Attorney General
Media Contact:

Elizabeth Benton
elizabeth.benton@ct.gov
860-808-5324 (office)

Consumer Inquiries:

860-808-5318
attorney.general@ct.gov